Atlas Edition 5.2.6
Published on: 16/06/2025
Announcing Mautic 5.2.6: Atlas Edition
Security release
This release addresses several security issues. Please update at your earliest convenience after taking a backup and ensuring that it's working.
Security fixes
- CVE-2025-5257 - Predictable Page Indexing Might Lead to Sensitive Data Exposure - Reported and fixed by @lenonleite and tested/reviewed by @escopecz and @kuzmany in GHSA-cqx4-9vqf-q3m8
- CVE-2024-47056 - Mautic does not shield .env files from web traffic - Reported by @r3ky, analyzed by @lenonleite, fixed by @nick-vanpraet and tested/reviewed by @patrykgruszka in GHSA-h2wg-v8wg-jhxh
- CVE-2024-47057 - User name enumeration possible due to response time difference on password reset form - Reported and fixed by @tomekkowalczyk and reviewed by @patrykgruszka and @nick-vanpraet in GHSA-424x-cxvh-wq9p
- CVE-2024-47055 - Segment cloning doesn't have a proper permission check - Reported and fixed by @abhisekmazumdar and @nick-vanpraet and tested/reviewed by @patrykgruszka in GHSA-vph5-ghq3-q782
- CVE-2025-5256 - Open Redirect vulnerability on user unlock path - Reported and fixed by @tomekkowalczyk, tested/reviewed by @patrykgruszka and @nick-vanpraet in GHSA-6vx9-9r2g-8373
- Phpspreadsheet upgrade by @escopecz in #15016
- SQL queries constructed with string concatenation [security] by @levente999 in #15040
What's Changed
Bugs
Reports
- Fix report data bool filter by @AlanWierzchonCA in #14909
Segments
- Fix segment dependency tree UI by @patrykgruszka in #15028
Contacts
- Use u.loginName instead of r.name to order by login name by @Dominic-Mayers in #14982
Categories
- The "Type" field is missing after saving an unfilled form #14168 by @levente999 in #14445
Emails
New Contributors
- @Dominic-Mayers made their first contribution in #14982
Full Changelog: 5.2.5...5.2.6
SHA1(5.2.6.zip)= 66b8ea5d2fa21a61e247af3c1cfbe2e5f94974b7
SHA1(5.2.6-update.zip)= 3ffd25c5f77d5016cdb544653469c1f104243dbb