
Release history

mosparo releases

The modern spam protection tool. It replaces other captcha methods with a simple and easy to use spam protection solution.

All releases


v1.4.13 Security relevant
Security fixes
  • SSRF in rule package process (CVE-2026-41195, GHSA-92fh-26qf-r8rg)
Full changelog

Release v1.4.13 is a security release that fixes an SSRF issue in the rule package process.

  • Fixed an SSRF security issue in the rule package process, found and reported by @pyuysig, Yuming Zhang, and Song Li of Zhejiang University via the security advisories (CVE-2026-41195, GHSA-92fh-26qf-r8rg).
  • Updated the translations for multiple languages.

We're thankful for the analysis and reporting by @pyuysig, Yuming Zhang, and Song Li. Thank you for using the security advisories to report the issue to us in private. We're also thankful for all other contributions, like translations.

We recommend updating to v1.4.13 as soon as you can.

Details of the security issue

Description of the security issue

The rule package process followed HTTP redirects and could reach private networks. An attacker who can add a rule package can point its URL at a server that redirects to mosparo's own routes, in particular the APIs and the web cron job route, and thereby make mosparo request them itself. Because those requests originate from the mosparo server, they bypass the IP allowlists configured in Administration -> Security settings, even when the allowlists protect those routes.

Risk assessment

The risk of this issue is manageable. The attacker cannot use it to read data from mosparo: all routes except one require authentication, the only directly exposed API is the health check, which returns nothing beyond the system status, and the attacker can only trigger a request; the response is never visible to them. The two main consequences are:

  1. It is possible to map the routes and therefore detect the version of a mosparo installation.
  2. It is possible to overload the server if the web cron job is active and the attacker knows its secret key.

For an attacker to use this security issue, the following requirements need to be met:

  • The attacker needs a non-administrative user in your mosparo installation with the Owner or Editor role. Administrative users (users with the "Is administrator" role) can already see all this information in the administration area and gain no benefit from this method.
  • The allowlists need to be configured in the Administration -> Security settings. Otherwise, the routes are exposed to the internet anyway, and there is no benefit in using this security issue (except for accessing the health check API).
  • For the overload scenario, the web cron job must be enabled and the attacker must know its secret key; otherwise the web server cannot be overloaded by calling it.

Changes to mitigate the security issue

The following changes resolve the security issue:

  • The rule package process no longer follows redirects and can no longer reach private networks. This resolves the issue completely, because the attack depends on the process following a redirect.
  • Non-administrative users no longer see the exact error message when adding a rule package. They still see an error message, but it is the same for every error case, so the responses can no longer be used to map routes.
  • A minimum refresh interval of 1 hour now applies to all rule packages, which further limits how often the process can be triggered.

Newly added environment variables let operators re-enable redirects and private network access, and adjust the minimum refresh interval. Re-enabling redirects or private network access restores the attack surface described above, so only do so for deployments that genuinely need it.

With the release of version 1.4.13, we're applying new default values that prevent redirects and private network access, enforce a minimum refresh interval, and replace specific error messages with general ones for non-administrative users.
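As an added illustration of the first mitigation above (this is not mosparo's code: mosparo is a PHP/Symfony application, and this example is written in Python), the following vets a rule package URL before the server fetches it. It resolves the host, rejects any destination that resolves to a private, loopback or link-local address, and turns every HTTP redirect into an error instead of following it. The hostnames, the FAKE_DNS table and the addresses in it are constructed so the example runs offline; real_resolve shows what a deployment would plug in instead.

```python
"""Vet a rule package URL before fetching it: no redirects, no private targets.

Added illustration, not mosparo's code. FAKE_DNS and all names/addresses in
it are constructed so the example runs without network access.
"""
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

# Constructed stand-in for DNS (hypothetical names). Real code uses real_resolve().
FAKE_DNS = {
    "rules.example.org": ["8.8.8.8"],                    # an ordinary public host
    "metadata.internal.example": ["169.254.169.254"],   # link-local, metadata style
    "rebind.example.net": ["1.1.1.1", "10.0.0.5"],      # mixed public/private answers
    "localhost": ["127.0.0.1", "::1"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def real_resolve(host):
    """Resolve with the system resolver and return every A/AAAA answer."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_private_address(address):
    """True for any address the fetcher must never talk to."""
    ip = ipaddress.ip_address(address)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_package_url(url, resolve=fake_resolve):
    """Return (allowed, detail): the vetted address list when allowed,
    otherwise the reason for the rejection."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:                                    # IP literal: no lookup needed
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        return False, "host %s does not resolve" % host
    # Reject if *any* answer is private: a name that returns one public and
    # one private address is the classic DNS rebinding / split-horizon trick.
    for address in addresses:
        if is_private_address(address):
            return False, "%s resolves to private address %s" % (host, address)
    return True, ",".join(addresses)


class RefuseRedirects(urllib.request.HTTPRedirectHandler):
    """Raise on every 3xx. Following a redirect would let a vetted public URL
    bounce the server onto an internal one that check_package_url never saw."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise ValueError("redirect to %s refused" % newurl)


def fetch_rule_package(url, resolve=real_resolve, timeout=10):
    """Vet, then fetch (not exercised offline). Caveat: the lookup here and the
    lookup urllib performs when connecting are separate, so a rebinding
    resolver could answer differently the second time; a production fetcher
    should connect to the vetted IP and send the hostname only in Host/SNI."""
    allowed, detail = check_package_url(url, resolve)
    if not allowed:
        raise ValueError("rule package URL rejected: " + detail)
    opener = urllib.request.build_opener(RefuseRedirects)
    with opener.open(url, timeout=timeout) as response:
        return response.read()
```

Two caveats worth keeping in mind: denying private ranges does not by itself block a URL that names the server's own public hostname, so a fetcher that relies on allowlists for its own routes can additionally refuse its own hostnames; and the resolve-then-connect gap noted in fetch_rule_package is why the rejection of a name with any private answer is deliberately strict.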

v1.4.12 Security relevant
Security fixes
  • XSS vulnerability in field value escaping
Notable features
  • Navigation buttons for submissions
Full changelog

This release contains a security bug fix, a small enhancement, and a UI fix.

  • Since version 1.4.0, field values were not properly escaped, which could lead to XSS.
  • On the submission detail page, we added two buttons to navigate to the newer and older submissions. Suggested by Pink_Imagination
  • Fixed a small UI issue with icons in buttons.
  • Updated the translations.

v1.4.11 Security relevant
Security fixes
  • CVE-2026-24739 in symfony/process (Windows)
Full changelog

Version 1.4.11 is a maintenance release that updates all backend dependencies, including a security update for symfony/process, and fixes a typo.

  • Updated symfony/process to mitigate CVE-2026-24739 on Windows, reported by @Tekka27
  • Updated all the other backend dependencies
  • Fixed a small typo in one of the strings, reported by @ExeQue

Thank you very much for your reports and help to make mosparo better!

v1.4.10 New feature
Notable features
  • Word rule subtypes: Exact word, Entire field
Full changelog

Release v1.4.10 includes three bug fixes and a minor enhancement to the Word rule type.

  • Added two new subtypes for the Word rule type: "Exact word" and "Entire field". Suggested and inspired by @winkelement in #382. Learn more about these in the documentation: https://documentation.mosparo.io/docs/usage/rule_types#exact-word
  • A rating value of 0.0 for a rule item was not processed correctly. Reported by @winkelement in #391.
  • Fixed an undefined variable in the import process.
  • Added validation in the rule editor that rejects subnet suffixes larger than the address family allows.

Thank you, @winkelement, and all our other contributors, for your contributions!

v1.4.9 Bug fix

Fixes Docker image resources directory issue from v1.4.8.

Full changelog

In this version, we fixed an issue with the standard Docker image and updated the translations.

  • Fixed an issue with the standard Docker image with the public/resources directory, introduced in the last version (v1.4.8). Reported by @softlion in #388.
  • Updated the Italian and Polish translations provided by our contributors.
  • Fixed the spelling of the name "mosparo" in some of the translation files.

Thank you for your contributions and help in making mosparo better!

v1.4.8 Bug fix

Fixes deadlock in form validation API from concurrent submissions.

Full changelog

With this version, we've fixed a deadlock issue and updated the translations.

  • Fixed a deadlock exception in the form validation API. The deadlock occurred when a bot (most likely) tried to validate the form data multiple times simultaneously using the same submit token. With this release, we've split the problematic query so that the deadlock cannot happen again. Reported by demon_ru in the WordPress support forum.
  • Updated the translations for Italian, Korean, and Slovenian. Thank you for your contributions!

v1.4.7 Bug fix

Fixes case sensitivity, curl fallback, and rewrite rule issues.

Full changelog

This release is a bug-fix release that fixes three bugs.

  • Fixed the handling of letter case in the validation process: rule items were wrongly ignored when their case differed from that of the value being validated. Reported by @GeorgBNM in #367/#380
  • Fixed the incorrect use of the native client when two required curl functions are not available. Found when solving #365
  • Added the missing rewrite rule to fix the update functionality if the document root of the host is not set to the public directory. Reported by @mpaglia0 in #365

Thank you very much for reporting these issues!

v1.4.6 Bug fix

Fixes session storage errors and improves PoW puzzle performance.

Full changelog

Version 1.4.6 is a bugfix release that includes two bugfixes and a translation update.

  • Added the logic to store only the relevant information in the session, preventing HTTP 500 errors when too much data was written to it. Reported by @andrevabo in #373
  • Added a better method to solve the PoW puzzle in a non-blocking way. Reported by @Sapper-Morton in #376
  • Updated the backend and validators translations for Czech.

Thank you very much for your bug reports and contributions.

v1.4.5 Mixed
Notable features
  • Rule item editor page size adjustment
Full changelog

Version 1.4.5 is a maintenance release that includes two bug fixes, a minor enhancement, updated backend dependencies, and additional backend translations.

  • Fixed an issue that occurred when adding multiple invalid items simultaneously.
  • Added a timestamp to the XHR requests in the update process to bypass the browser cache (#365). Reported by @mpaglia0
  • Added the functionality to adjust the page size in the rule item editor (#366). Suggested by @winkelement
  • Updated all backend dependencies.
  • Updated the backend translations.

Thank you very much for all your contributions!

v1.4.4 Bug fix

Fixes rule tester incorrectly using disabled rules and packages.

Full changelog

This maintenance release includes a bug fix for the rule tester logic and an update for the French translations.

  • Fixed the bug where mosparo used disabled rules and rule packages to validate a submission. Reported by @winkelement in #364
  • Updated the French translations for frontend, backend, and validators. Provided by Bamowen via Weblate

Thank you very much for all your contributions and feedback!

v1.4.3 Breaking risk
Breaking changes
  • Removed long-lasting cleanup method
Notable features
  • Environment variables for cleanup intervals and data retention
Full changelog

Version 1.4.3 is a bug fix and performance update to the cleanup logic.

  • Fixed a bug where the cleanup logic attempted to delete a submit token that was still in use in a submission.
  • Added a delay to reduce the chance of multiple executions of the cleanup logic at the same time.
  • Added four new environment variables to reduce data retention periods and adjust the cleanup intervals.
  • Removed a long-lasting (and probably never-ending) cleanup method, which had no real effect after fixing the bug with the deletion of the still-required submit token.
  • Adjusted the submission list filter to filter out submissions without a submit token.

Thank you, Mauricio and team, for your feedback on using mosparo in a high-traffic environment.

v1.4.2 New feature
Notable features
  • Database indexes for submit tokens and other entities
Full changelog

This new version is a performance update for mosparo, mainly adding additional database indexes.

  • Added an index on submit tokens that drastically reduces database CPU load in high-load mosparo setups. Reported by email by Mauricio and team.
  • Added further indexes on other entities to speed up queries.
  • Updated the frontend translations for Croatian (Thank you, @milotype) and the backend translations for Italian (Thank you, @mpaglia0).

v1.4.1 Bug fix

Fixes cleanup statistic logic issue causing 500 errors.

Full changelog

This version fixes a logic issue introduced in version 1.4.0.

  • Fixed a logic issue with the cleanup statistic, which generated an error 500 when requesting a submit token. Reported by @SuitDeer in #358

Thank you, @SuitDeer, for reporting this issue.

v1.4.0 New feature
Notable features
  • Rules and rulesets refactoring
  • Rule and package caching
  • Cleanup history
Full changelog

The new version of mosparo, v1.4, is released today. The latest version contains the following features, changes, and bug fixes:

  • Refactoring rules (#339). Suggested by @StrangerGithuber
  • Refactoring rulesets (#332). Suggested by @Digi92
  • Optimize form data validation (#340)
  • Cache rules and rule packages (#335)
  • Add verification issues in the verification detail view (#344). Inspired by @thelfensdrfer
  • Mark invisible characters in form values in the submission data (#328). Suggested by @thelfensdrfer
  • Add option to disable spam detection in security policy (#329). Suggested by @thelfensdrfer
  • Add checkbox design settings (#341). Inspired by @camlafit
  • Add cleanup history (#323). Inspired by @Digi92
  • Multiple cleanup executions caused by invalid cache configuration (#349). Reported by @Digi92

You can find all the details about the new version here: https://mosparo.io/2025/07/17/new-features-changes-in-version-1-4/

Please report any potential bugs or problems as new issues on GitHub.

v1.3.8 Bug fix

Fixes block equal submission feature and encrypted MySQL connection logic.

Full changelog

With this new version, we've fixed two issues and updated the translations.

  • Fixed a bug with the block equal submission security feature. Before this version, the feature did not correctly block equal submissions when the website's backend sent too many fields to the verification API. Reported by @gnieser in #348
  • Fixed a logic bug with the encrypted MySQL connection when the server certificate should not be verified. Found in connection with #348
  • Updated the Bulgarian and Dutch translations. Thank you very much for the translations!

v1.3.7 Bug fix

Fixes IP localization cache SQL query and v1.3.0 migration issues.

Full changelog

Version 1.3.7 is a maintenance release and contains two fixes and additional translations for the frontend.

  • Fixed a bug with the IP localization caching. mosparo did not use the cache at all due to a faulty SQL query.
  • Fixed a bad migration from v1.3.0. The MySQL migration that adds the tables required for project groups did not create the table correctly in some cases, and the installation ended in an exception. The exception was ignored, so nobody noticed it. The adjusted migration resolves this and correctly reinitializes the table.
  • Added and updated the frontend translations for multiple languages. Thank you to all the translators for their contributions!
