Cockpit

Productivity & Wikis

Headless content management system that lets you build any frontend‑driven application with flexible content models and modern APIs

PHP Latest 2.14.0 · 2mo ago Security brief →

Features

View all 4 releases →

2.14.0 Security relevant 2mo

Security fixes

Notable features

Full changelog

Improve KISS components
MongoLite: Restrict query callbacks ($func, $fn, $f, $where, direct criteria callbacks) to anonymous closures only
Improve logging utility: validate log type and enhance context handling
Add support for custom ACL permission expression (via ScriptLite)
Content: Add meta.computed ScriptLite support for save-time computed fields
Fix Bucket path traversal vulnerability
Enhance SVG file handling during uploads
Improve Thumbhash class with enhanced validation and error handling
MongoLite: Optimize sorting performance
Content: Validate and enforce ACL permissions on $lookup stages in aggregate pipeline
Harden session cookie handling: enforce HttpOnly, auto-detect Secure, validate SameSite, and support configurable cookie params via session.cookie
Sanitize display values in field-select and field-tags components to prevent XSS

2.13.5 Security relevant 2mo

Security fixes

CVE‑XXXX‑XXXXX — Fix stored XSS vulnerability in user profile twofa.secret field

Notable features

Full changelog

Add support for PHP 8.5+ compatible custom SQLite functions (IndexLite lib)
Add identi.callback.data event trigger
MongoLite: Refactor equality checks with matchesDirectValue helper method
Add ScriptLite lib to support run sandboxed ECMA Script subset code
MongoLite Aggregation Optimizer: Escape identifiers and JSON paths to ensure safe usage in SQL queries
Tower: Prevent shell injection by using Process array form
Fix stored XSS vulnerability in user profile twofa.secret field

2.13.4 Breaking risk 4mo

Security fixes

Notable features

Full changelog

Remove ReflectionMethod::setAccessible() calls (deprecated since PHP >=v8.5)
Fix deprecated non-canonical cast usage
Add a dry-run option to the CLI update command and add logging to the update process
Refactor MongoLite + add support for more MongoDB aggregation operators
Fix the possibility to delete files outside of Cockpit as super admin
Fix Async code generation

2.13.3 Security relevant 4mo

Security fixes

Fix vulnerabilities in MongoLite QueryOptimizer and content aggregation API (reported by DQH1)

Notable features

Add `--translate` option to `app:i18n:create` command
Enhance DotEnv parsing for quoted, multiline, and typed values with circular reference detection

Full changelog

Micro performance improvements by explicitly marking global functions in a namespace context
Add --translate option to app:i18n:create command and refactor string extraction
Improve JSON viewer dialog
Enhance DotEnv parsing to support quoted, multiline, and typed values, and improve variable resolution with circular reference detection.
Improve SVG sanitization on upload
Fix vulnerabilities in MongoLite QueryOptimizer and content aggregation api @DQH1

Thanks to DQH1 for responsibly reporting critical security issues.

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.