diff --git a/core/base/Dockerfile b/core/base/Dockerfile
index 5e3ad092..2f49c5ad 100644
--- a/core/base/Dockerfile
+++ b/core/base/Dockerfile
@@ -27,7 +27,7 @@ CMD /bin/bash
 FROM system as build
 ARG MAILU_DEPS=prod
-ARG SNUFFLEUPAGUS_VERSION=0.10.0
+ARG SNUFFLEUPAGUS_VERSION=0.11.0
 ENV VIRTUAL_ENV=/app/venv
diff --git a/towncrier/newsfragments/3647.misc b/towncrier/newsfragments/3647.misc
new file mode 100644
index 00000000..73400fb8
--- /dev/null
+++ b/towncrier/newsfragments/3647.misc
@@ -0,0 +1 @@
+Upgrade to snuffleupagus 0.11, filter php:// wrapper types
diff --git a/webmails/snuffleupagus.rules b/webmails/snuffleupagus.rules
index 3d4713f8..ba6947e8 100644
--- a/webmails/snuffleupagus.rules
+++ b/webmails/snuffleupagus.rules
@@ -26,6 +26,8 @@ sp.readonly_exec.enable();
 # PHP has a lot of wrappers, most of them aren't usually useful, you should
 # only enable the ones you're using.
 sp.wrappers_whitelist.list("file,php,phar,mailsosubstreams,mailsoliteral,mailsotempfile,mailsobinary");
+# The "php" wrapper can be further filtered: we probably don't want 'filter' nor 'fd'
+sp.wrappers_whitelist.php_list("stdout,stdin,stderr,input,output,memory,temp");
 # Prevent sloppy comparisons.
 sp.sloppy_comparison.enable();
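Review bot: The comment added above `sp.wrappers_whitelist.php_list(...)` in webmails/snuffleupagus.rules names what is left out ("probably don't want 'filter' nor 'fd'") but records neither the reason nor which of the seven allowed streams the webmails rely on, so a later maintainer cannot tell a deliberate entry from a copied default. I would reword it to something like `# Restrict php:// to the streams the webmails use; php://filter and php://fd stay blocked because nothing here needs filter chains or raw descriptor access.` The comment two lines up already says to enable only the wrappers in use, and `stdin`, `stdout`, `stderr` and `output` look unnecessary for a PHP web application, so it seems worth checking them against the webmail code and trimming the list if they are unused. The `php_list` directive presumably depends on the 0.11.0 bump in core/base/Dockerfile from this same commit; a one-line comment stating that minimum version would help anyone who pins or backports the module separately.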