Magnolia 5.7 reached extended end of life on May 31, 2022. Support for this branch is limited, see End-of-life policy. Please note that to cover the extra maintenance effort, this EEoL period is a paid extension in the life of the branch. Customers who opt for the extended maintenance will need a new license key to run future versions of Magnolia 5.7. If you have any questions or to subscribe to the extended maintenance, please get in touch with your local contact at Magnolia.

Magnolia CMS 5.7.20 is the first Extended end-of-life (EEoL) maintenance release, which brings bug fixes and security updates.

We keep the details of security fixes private in line with our security policyContact our Support team if you need more information.

Should you require access to the updates of 5.7 under the EEoL conditions, please contact your sales representative.

Third-party library updates

This release comes with the following third-party library updates to fix some security and compatibility issues:

  • Tika updated to 1.28.4 (BUILD-813).
  • oEmbed client updated to 0.9-BUILD-828 (BUILD-828).
  • Jackrabbit updated to 2.18.6, PDFBox to 2.0.26 and Apache POI to 5.2.2 (BUILD-834).
  • COS replaced with Commons FileUpload (MAGNOLIA-8448).
  • The Workflow module version was bumped to 5.8 due to a considerable version leap in jBPM (from 6.4.0 to 7.70.0).
    (info) There may be some breaking API changes but they should be limited mostly to internal classes (MGNLWORKFLOW-411).


If you are upgrading from an earlier version, read Upgrading to Magnolia 5.7.x first and check the Known issues section on the page.

Disclosing potentially sensitive information in magnolia-tomcat-barebone

The magnolia-tomcat-barebone will not display potentially sensitive information, such as details about errors or server type and version.

For more information and configuration details, see Tomcat configuration: Disclosing potentially sensitive information.


Upload fields more secure

To prevent XSS exploits, we have hardened the upload functionality in this release.


REST endpoints always use @Produces when @PathParam is used

To prevent an XSS flaw in RESTEasy 3.15.3.Final, some endpoint commands that do not produce JSON nor XML will now specify the  text/plain  media type by default to represent a resource that can be produced and sent back to the client.



See the 5.7.20 changelog for all the changes.

Updated modules

  • Barebones Tomcat Bundle 1.1.10
  • Community Edition 5.7.20
  • Enterprise Edition 5.7.20
  • Magnolia 5.7.20
  • Mail 5.5.13
  • REST Framework 2.1.8
  • Third-party library BOM 5.7.20
  • UI 5.7.20
  • Workflow 5.8


The Magnolia team would also like to thank everyone who reported issues, contributed patches or simply commented on issues for this release. Special thanks go to Giulio Garzia "Ozozuz".

  • No labels