
REDAXO

v5.21.1 Security

This release includes 2 security fixes (mediapool upload extension filtering and structure API permission checks) of interest to teams reviewing exposed deployments.

Published 01.06.2026 (Productivity & Wikis)

No CVE identifiers are cited in the changelog for either fix.

Topics

cms php redaxo simple

Affected surfaces

auth rbac

ReleasePort's take

Moderate signal

REDAXO 5.21.1 hardens media-pool file uploads by blocking restricted extensions at any position in the filename, not only the final one, and fixes API functions in the structure addon that did not consistently check the user's category and language permissions. Both fixes ship as addon updates (mediapool 2.18.1 and structure 2.20.1) alongside the core release; the changelog wording ("again blocked") indicates the upload check is a regression fix.

Why it matters: a block list that is only compared against the final extension can be sidestepped by placing the blocked extension mid-name (foo.php.any.jpg). On a web server whose handler mapping keys on any extension in the name (the classic Apache AddHandler behaviour), such an upload can be executed as PHP, so the bypass turns a media upload into code execution on the host (ReleasePort severity 90). API functions that skip the category or language permission check let an authenticated backend user act on content outside the categories and languages they were granted, a privilege-escalation path within the backend (severity 85). Deployments that accepted uploads while a vulnerable mediapool was installed should also audit the media directory for names that carry a blocked extension before the final one.
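The bypass described above, as an added example (an editor's illustration, not REDAXO's own code): the old check that looks only at the last extension sits beside a check that scans every dot-separated segment, and a small audit helper lists the names the old check let through. The block list, the function names and the sample filenames are assumptions constructed for the example; REDAXO keeps its real block list in the mediapool addon's configuration.

```php
<?php
declare(strict_types=1);

// Editor's example, not REDAXO code. The block list below is an assumption
// for illustration; the real list lives in the mediapool addon's configuration.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'pht', 'phps'];

/**
 * Vulnerable variant: inspects only the final extension, so "foo.php.any.jpg"
 * is accepted because its last segment is "jpg".
 */
function isBlockedLastExtensionOnly(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));

    return in_array($ext, BLOCKED_EXTENSIONS, true);
}

/**
 * Hardened variant: every dot-separated segment after the base name is
 * compared against the block list, so a blocked extension anywhere in the
 * name is rejected. The comparison is case-insensitive because web-server
 * handler mappings usually are.
 */
function isBlockedAnyPosition(string $filename): bool
{
    $segments = explode('.', strtolower(basename($filename)));
    array_shift($segments); // the first segment is the base name, not an extension

    foreach ($segments as $segment) {
        if (in_array($segment, BLOCKED_EXTENSIONS, true)) {
            return true;
        }
    }

    return false;
}

/**
 * Audit helper for deployments that accepted uploads while the old check was
 * in place: returns the names the old check allowed but the new one rejects.
 */
function findBypassUploads(array $filenames): array
{
    return array_values(array_filter(
        $filenames,
        static fn (string $name): bool => !isBlockedLastExtensionOnly($name) && isBlockedAnyPosition($name)
    ));
}

// Constructed sample names; not taken from a real media pool.
$samples = [
    'logo.jpg',
    'shell.php',
    'foo.php.any.jpg',
    'report.PHTML.pdf',
    'archive.tar.gz',
];

foreach ($samples as $name) {
    printf(
        "%-18s old check: %-8s new check: %s\n",
        $name,
        isBlockedLastExtensionOnly($name) ? 'blocked' : 'allowed',
        isBlockedAnyPosition($name) ? 'blocked' : 'allowed'
    );
}

echo 'Slipped past the old check: ' . implode(', ', findBypassUploads($samples)) . "\n";
```

Run it with `php audit.php`; for a live check, pass the result of `scandir()` on the media directory to `findBypassUploads()` instead of the constructed list. Whether a smuggled name is actually executed depends on the web server's handler configuration, so the extension filter is defence in depth rather than the only control, and files uploaded before the patch deserve the same scan as new uploads.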

Summary

AI summary

Core 5.21.1 ships with addon updates: a security fix in mediapool (blocked extensions enforced at any filename position), a security fix in structure (API functions now check category and language permissions), and bugfixes in core, mediapool, media_manager and metainfo.

Changes in this release

Security Critical

Blocks restricted extensions at any filename position again (regression fix in mediapool 2.18.1), closing the bypass (e.g., foo.php.any.jpg)

Security High

Structure addon API functions now enforce the user's category and language permissions everywhere (structure 2.20.1)

Feature Low

Adds `ignoreUnreadableDirs` method to `rex_finder`, e.g. to avoid race conditions when the cache is being deleted while directories are iterated

Deprecation Low

Removes deprecated `imagedestroy` call from media_manager

Bugfix Medium

Prevents crash on malformed log lines in Systemlog page

Bugfix Low

Resolves deprecated message in Mediapool search

Bugfix Low

Enables status toggle in Metainfo sidebar for users with multiple mountpoints

Full changelog

REDAXO-Core 5.21.1 – 01.06.2026

Bugfixes

  • Systemlog page: avoid crash on malformed log lines (@tyrant88)
  • rex_finder: new method ignoreUnreadableDirs, e.g. to resolve race conditions when deleting the cache (@gharlan)

mediapool 2.18.1 – 01.06.2026

Security

  • Blocked extensions are once again blocked at any position in the filename (e.g. in foo.php.any.jpg) (reported by @riodrwn) (@gharlan)

Bugfixes

  • Resolved deprecation message in the mediapool search (@gharlan)

structure 2.20.1 – 01.06.2026

Security

  • In the API functions, the user's category and language permissions were not correctly taken into account everywhere (@gharlan)

media_manager 2.18.1 – 01.06.2026

Bugfixes

  • Deprecated imagedestroy is no longer called (@gharlan)

metainfo 2.12.1 – 01.06.2026

Bugfixes

  • Status toggle in the metainfo sidebar did not work for users with multiple mountpoints (@isospin)

Security Fixes

  • mediapool 2.18.1: blocked extensions are enforced at any position in the filename (e.g., foo.php.any.jpg)
  • structure 2.20.1: API functions now check the user's category and language permissions everywhere


About REDAXO

Simple, flexible and useful content management system (documentation in German).

