Release history

Cockpit releases

Simple content platform to manage any structured content.

2.14.0 Security relevant
Security fixes
  • CVE-2024-XXXXX — Fix Bucket path traversal vulnerability.
Notable features
  • Custom ACL permission expression via ScriptLite
  • `meta.computed` ScriptLite support for save-time computed fields
Full changelog
  • Improve KISS components
  • MongoLite: Restrict query callbacks ($func, $fn, $f, $where, direct criteria callbacks) to anonymous closures only
  • Improve logging utility: validate log type and enhance context handling
  • Add support for custom ACL permission expression (via ScriptLite)
  • Content: Add meta.computed ScriptLite support for save-time computed fields
  • Fix Bucket path traversal vulnerability
  • Enhance SVG file handling during uploads
  • Improve Thumbhash class with enhanced validation and error handling
  • MongoLite: Optimize sorting performance
  • Content: Validate and enforce ACL permissions on $lookup stages in aggregate pipeline
  • Harden session cookie handling: enforce HttpOnly, auto-detect Secure, validate SameSite, and support configurable cookie params via session.cookie
  • Sanitize display values in field-select and field-tags components to prevent XSS
2.13.5 Security relevant
Security fixes
  • CVE-XXXX-XXXXX — Fix stored XSS vulnerability in user profile twofa.secret field
Notable features
  • Support for PHP 8.5+ compatible custom SQLite functions via IndexLite lib
  • Add `identi.callback.data` event trigger
  • Add ScriptLite lib to run sandboxed ECMA Script subset code
Full changelog
  • Add support for PHP 8.5+ compatible custom SQLite functions (IndexLite lib)
  • Add identi.callback.data event trigger
  • MongoLite: Refactor equality checks with matchesDirectValue helper method
  • Add ScriptLite lib to run sandboxed ECMAScript subset code
  • MongoLite Aggregation Optimizer: Escape identifiers and JSON paths to ensure safe usage in SQL queries
  • Tower: Prevent shell injection by using Process array form
  • Fix stored XSS vulnerability in user profile twofa.secret field
2.13.4 Breaking risk
Security fixes
  • Fix prevents super-admin from deleting files outside Cockpit's directory
Notable features
  • Dry-run option added to CLI update command
  • Logging added to the update process
Full changelog
  • Remove ReflectionMethod::setAccessible() calls (deprecated since PHP >=v8.5)
  • Fix deprecated non-canonical cast usage
  • Add a dry-run option to the CLI update command and add logging to the update process
  • Refactor MongoLite + add support for more MongoDB aggregation operators
  • Fix: prevent deleting files outside of Cockpit's directory as super admin
  • Fix Async code generation
2.13.3 Security relevant
Security fixes
  • Fix vulnerabilities in MongoLite QueryOptimizer and content aggregation API (reported by DQH1)
Notable features
  • Add `--translate` option to `app:i18n:create` command
  • Enhance DotEnv parsing for quoted, multiline, and typed values with circular reference detection
Full changelog
  • Micro performance improvements by explicitly marking global functions in a namespace context
  • Add --translate option to app:i18n:create command and refactor string extraction
  • Improve JSON viewer dialog
  • Enhance DotEnv parsing to support quoted, multiline, and typed values, and improve variable resolution with circular reference detection
  • Improve SVG sanitization on upload
  • Fix vulnerabilities in MongoLite QueryOptimizer and content aggregation API (reported by @DQH1)

Thanks to DQH1 for responsibly reporting critical security issues.