Title: Snuffleupagus 0.13.0 - Elephas
Date: 2026-01-07 12:00

[![snuffleupagus logo]({static}/images/sp.png)](https://snuffleupagus.readthedocs.org)

I just published a new release of
[Snuffleupagus](https://github.com/jvoisin/snuffleupagus/releases/tag/v0.13.0),
the hardening module for PHP 7+ and PHP 8+,
version `0.13.0`, codename "Elephas",
named after the [genus of elephants](https://en.wikipedia.org/wiki/Elephas).
There aren't any new flashy features, only bug fixes, PHP 8.5 support,
minor improvements, and a security fix for
[CVE-2026-22034](https://github.com/jvoisin/snuffleupagus/security/advisories/GHSA-c4ch-xw5p-2mvc)!

Thanks to [Thomas Chauchefoin](https://github.com/thomas-chauchefoin-tob) for
finding the vulnerability and producing a [comprehensive
write-up](https://github.com/jvoisin/snuffleupagus/security/advisories/GHSA-c4ch-xw5p-2mvc).
While being assigned a CVE is never fun, it's also a sign that people are
interested enough in your software to spend time looking for bugs.
Moreover, I guess it was a learning opportunity to be on the other side for
once. As usual, the CVSS score (9.2/10) is bullshit by design, as there is no
way to properly account for the required conditions, all of which must hold:

1. Snuffleupagus' [`upload_validation`](https://snuffleupagus.readthedocs.io/config.html#upload-validation) must be enabled, which isn't the default configuration.
2. It must be manually configured to use [`vld`](https://github.com/derickr/vld).
3. The `vld` module must be unavailable.

Nevertheless, since PHP doesn't error out on missing modules (!), any
update or change that breaks `vld` might silently result in catastrophic remote
code execution, so please do update. The fix is
[dead-simple](https://github.com/jvoisin/snuffleupagus/commit/9278dc77bab2a219e770a1b31dd6797bc9070e37)
and can easily be backported if that's your kink.

### Changelog

* Compatibility with PHP 8.5
* Add the possibility to log to a file
* Improve `.drop()` logging reliability when `set_error_handler` is used
* Improve simulation mode for `unserialize()` when no HMAC key is provided
* Fix a possible arbitrary code execution on misconfigured `upload_validation` deployments ([CVE-2026-22034](https://github.com/jvoisin/snuffleupagus/security/advisories/GHSA-c4ch-xw5p-2mvc))

As usual, if you want to help, we have some
[low-hanging fruit](https://github.com/jvoisin/snuffleupagus/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22) ♥

See you in your PHP stack!
