Download Latest Version
Release of Exponential 6.0.13 (From 7x) source code.tar.gz (22.9 MB)
Get an email when there's a new version of Exponential 6 Content Management System
| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| README.md | 2026-04-20 | 5.9 kB | |
| Release of Exponential 6.0.13 (From 7x) source code.tar.gz | 2026-04-20 | 22.9 MB | |
| Release of Exponential 6.0.13 (From 7x) source code.zip | 2026-04-20 | 28.8 MB | |
| v6.0.13 - Release of Exponential 6.0.13 (From 7x) source code.tar.gz | 2026-04-20 | 22.9 MB | |
| v6.0.13 - Release of Exponential 6.0.13 (From 7x) source code.zip | 2026-04-20 | 28.8 MB | |
| Totals: 5 Items | 103.5 MB | 0 | |
Release of Exponential 6.0.13 (From 7x)
Official stable release of Exponential 6.0.13 (Stable).
Release date: 2026.04.20.
What's Changed / What's New (Since Exponential 6.0.12)
The main themes of this release are Security Hardening, PHP 8 Compatibility Fixes, SQLite3 Driver Improvements, New Template String Operators, and an upgraded PHPUnit v13 Test Suite.
Security Fixes (Critical — PR [#60]: security-hardening-exp-6013)
• SEC [SEC-01..06]: Fix SQL injection and OS shell injection — 4 files patched, 6 attack surfaces closed. Parameterised queries and shell-argument escaping applied to previously vulnerable call sites.
• FIX [UND-01..03, LOG-01..02, NUL-01..13, PRG-01]: Null/undefined guards and logic corrections — 12 files hardened against undefined-variable and null-dereference conditions that could lead to information disclosure or logic-bypass under PHP 8.
• PHP84 [PHP-01..03, NUL-04..05]: PHP 8.4 deprecation fixes + order null guards — 2 files updated to resolve deprecation warnings introduced in PHP 8.4.
• FIX [IMP-01..02, SET-01..06, KNT-01..12]: SOAP stubs, setup wizard guards, kernel/content null safety — 20 files updated; covers SOAP response stubs, setup-wizard input validation, and kernel/content-object null-safety checks.
Session / PHP 8 Compatibility
• fix(ezsession): PHP 8 compat — read() now returns '' (empty string) instead
of false; gc() correctly uses time() + gcStartTime for session lifetime
calculation. Eliminates type-error fatals on PHP 8.
• fix(ezsession): PHP 8 — guard $GLOBALS['eZCurrentAccess'] before access —
prevents undefined-index warnings / fatals when the global is not yet initialised
during early-bootstrap session handling.
SQLite3 Driver Improvements
• SQLite3: register eZSQLite3DB autoload + support absolute DB path — The
SQLite3 database driver now registers its autoload entry correctly and accepts an
absolute filesystem path for the database file, enabling use outside the default
var/ tree.
• fix(sqlite3): use recursive mkdir when creating SQLite3 DB directory —
Prevents a fatal error when intermediate directories do not exist on first-run
installations.
New Template Operators (Feature)
• Added: rstring, ristring, and many other PHP string operators as template
operators — A broad set of PHP string-manipulation functions (rstring,
ristring, str_pad, wordwrap, chunk_split, str_word_count,
number_format, sprintf wrappers, and more) are now available directly inside
Exponential templates. Feature Addition.
PHPUnit / Test Suite Upgrades (PR [#61]: upgrade-phpunit-tests-to-phpunit10)
• TEST [PHPUnit-10, SEC-01..06]: Add PHPUnit 10 test infrastructure and security hardening suite — 6 new test files covering the SEC-01..06 attack surfaces closed in this release.
• Updated: Upgraded PHPUnit test suite support to v13 — phpunit.xml and
test bootstrap updated for PHPUnit 13 compatibility.
• Updated: Version bump for PHPUnit to avoid composer security advisory —
Resolves a composer installation warning/block caused by a published security
advisory against the previously pinned PHPUnit version.
Documentation
• DOC [SEC-01..06, NUL-01..14, PHP-01..03, UND-01..03, LOG-01..02, SET-01..06,
KNT-01..12, IMP-01..02, PRG-01]: Add security hardening reference —
hardening.md (1,176 lines) documents every patch reference code, the
vulnerability class, affected file(s), and the fix applied.
• DOC: Add PHPUnit 3.7→10 migration guide — doc/phpunitv10.md added as a
developer reference for upgrading legacy test suites.
• DOC: Document PHP version compatibility — Explicit statement that the 6.0.13 patch set does not raise the minimum PHP version requirement.
• Updated: README — Distribution count updated, Exponential Platform / Nexus version details added, issue tracker links revised, Telegram community link fixed.
Infrastructure / Project
• chore: add GitHub Sponsors funding metadata — .github/FUNDING.yml added to
enable sponsorship via GitHub Sponsors.
• Updated: .htaccess_root rebranding — Comments inside the example root
.htaccess configuration file updated to reflect current Exponential branding.
• Updated: Patched a fatal flaw in the client calling API for curl requests — Curl client wrapper corrected; tested as working. Bugfix.
Notable Changes (Since eZ Publish 5)
Refer to prior release notes for the full historical feature list.
Key milestones still included in this build:
• Security: 6 SQL-injection / OS-shell-injection attack surfaces closed (this release)
• PHP 8.4 / 8.5 support (ongoing since 6.0.8)
• SQLite3 database driver (new this release)
• PHPUnit 13 test suite (new this release)
• REST API v2 (CRUD) support (since 6.0.9)
• PostgreSQL 17 setup-wizard support (since 6.0.10)
• Admin3 responsive admin design
• Multi-site INI override and cache-handling improvements (since 6.0.12)
• has_role / has_policy template & PHP operators (since 6.0.12)
Contributors
@se7enxweb
Full Changelog: https://github.com/se7enxweb/exponential/compare/v6.0.12...v6.0.13
Download Exponential 6 Content Management System
