What API development services do you offer?

We offer REST API development, GraphQL APIs, third-party API integration, Laravel API development, and API security implementation. We also provide DevOps services including AWS infrastructure and CI/CD pipelines.

Where are you based and do you work with clients across the UK?

We're based in Leeds, West Yorkshire, but we work with clients across the entire United Kingdom including London, Manchester, Birmingham, and beyond. We work remotely with businesses throughout Britain.

What technologies do you specialise in?

We specialise in Laravel and PHP for backend development, along with RESTful APIs, GraphQL, Node.js, AWS, Docker, Kubernetes, and CloudFlare. We also work with MySQL and PostgreSQL databases.

Do you provide ongoing support after project completion?

Yes, we offer ongoing support and maintenance packages to ensure your APIs and applications continue running smoothly. This includes monitoring, updates, security patches, and performance optimisation.

Dev Roundup: 27 March 2026

A busy week across the stack - a major Magento vulnerability under active exploitation, a significant Next.js release, Laravel's AI SDK getting a detailed production walkthrough, and a fast-moving CVE in a popular AI workflow tool. Here is what happened.

PolyShell: every production Magento 2 store is vulnerable

The most urgent story of the week is PolyShell, an unauthenticated remote code execution vulnerability in Magento 2 and Adobe Commerce disclosed by Sansec on March 17. The flaw sits in the REST API guest cart endpoints and requires no credentials to exploit: an attacker can upload executable PHP files disguised as images to any store's file system using nothing more than a guest cart ID.

There is no production patch. Adobe has fixed the issue only in the 2.4.9 pre-release alpha; every stable release remains vulnerable. Automated mass scanning began on March 19, and by March 25 Sansec had observed exploitation attempts against more than half of all exposed stores. If you are running Magento 2, the immediate action is to verify that your web server blocks all access to pub/media/custom_options/ and to scan for any existing uploaded files in that directory.

Next.js 16.2: substantially faster, with a stable Adapter API

Vercel shipped Next.js 16.2 on March 18, and the performance numbers are the headline. Development server startup is around 87% faster compared to 16.1 on the default application. Server Component rendering is 25-60% faster in real-world apps, the result of a React contribution that replaces a slow JSON parse reviver callback with a two-step pure JavaScript approach - eliminating V8's C++ boundary-crossing overhead on every key-value pair.

The other significant addition is a stable, versioned Adapter API built in collaboration with OpenNext, Netlify, Cloudflare, AWS Amplify, and Google Cloud. The API gives platform providers a stable target to build deployment adapters against, rather than hooking into internal Next.js internals that may change between versions. A shared test suite accompanies it. For teams choosing where to deploy Next.js applications, this standardisation reduces lock-in and makes switching platforms considerably more tractable. An Ecosystem Working Group has been formed to maintain the spec going forward.

Other additions in 16.2 include a redesigned default error page, dev terminal logging for Server Function execution, a hydration diff indicator in the error overlay, and --inspect support for attaching the Node.js debugger to a production server. Turbopack received more than 200 fixes and improvements, and an experimental next-browser package for AI agent interactions also shipped.

Laravel AI SDK: scoping database tools for agents

The Laravel team published a practical walkthrough on March 27 covering how to expose scoped Eloquent queries as AI SDK tools in a way that resists prompt injection. The key pattern is straightforward but easy to miss: user context is bound in the tool constructor, not derived from the agent's input or the user's message at query time. An agent cannot be tricked into fetching another user's data because the user ID is set before the tool ever runs.

The post also covers combining multiple scoped tools into an agent with HasTools, using a read-only database connection as a defence-in-depth measure, and adding vector search with Laravel SimilaritySearch for semantic knowledge retrieval. It is a useful reference for anyone building agent features in Laravel who wants to avoid the obvious security pitfalls around data access.

Langflow CVE-2026-33017: exploited in under 24 hours

A critical code injection vulnerability (CVSS 9.3) in Langflow, the open-source visual framework for building AI agent workflows, was added to CISA's Known Exploited Vulnerabilities catalogue this week. The speed of exploitation stands out: automated scanning began around 20 hours after the advisory was published, with no public proof-of-concept code available at the time. Researchers at Endor Labs believe attackers built working exploits directly from the advisory text.

The flaw affects Langflow 1.8.1 and earlier and allows unauthenticated remote code execution via unsandboxed flow execution in a single crafted HTTP request. Within 24 hours of disclosure, attackers were extracting .env and database files from compromised instances. Langflow has around 145,000 GitHub stars and widespread adoption in the AI development ecosystem.

The fix is to upgrade to Langflow 1.9.0 or later. CISA has given federal agencies until April 8 to patch or stop using the product. If you are running Langflow - or any AI workflow tooling - in a production environment, this is worth reviewing immediately. The broader lesson holds: AI development tooling is increasingly attractive to attackers, and the assumption that internal or staging tools face lower risk is not one to rely on.

Inertia v3 final changes

Pascal Baljet published a summary on March 25 of what changed in Inertia v3 since the first beta. The headline changes are simpler layout props, Vite 8 support, a new withApp callback for customising the root component, and new Blade components for server-side rendering. For teams running Laravel with an Inertia frontend, the post is worth reading before upgrading - there are a handful of API changes from the beta that require attention.

Zero-click prompt injection via browser extensions

A now-patched vulnerability in Anthropic's Claude Chrome Extension demonstrated a zero-click prompt injection attack: any malicious website could silently trigger arbitrary prompt injection against the extension with no user interaction required. The flaw has been fixed, but the attack class is worth understanding.

As developers ship more AI features that interact with browser context - extensions, in-page assistants, browser-integrated agents - the prompt injection surface area grows. Malicious content in a webpage, a document, or an API response can all become attack vectors if the AI tool processes them without appropriate sandboxing. This applies to homegrown tooling as much as to third-party extensions.

In brief

Laravel Cloud added scheduled autoscaling on March 25, allowing teams to define scaling schedules for predictable traffic patterns - peak hours, business hours, overnight batch jobs - rather than relying purely on reactive autoscaling
Inertia v3 stable is out; the changes from beta are smaller than the beta-to-v2 gap was
The OWASP API Security Top 10 (2023 edition) continues to circulate widely as a reference; broken object-level authorisation and server-side request forgery remain the most commonly overlooked items in API implementations

That is the week. Anything we have missed or anything you want us to dig into? Let us know in the comments.