Magnolia CMS 6.1.8 brings a number of improvements and security updates. This is the last maintenance release in the 6.1 branch, which reached end of life on March 31, 2021.

Shortly after 6.1.8, version 2.1.7 of the REST module was released to fix some security vulnerabilities. We recommend that you update to this version of the module.

Strategies for bootstrapping content for content types

In the Content Importer module, you can use the new magnolia.content.bootstrap.onlyImportAtInstall and magnolia.content.bootstrap.createTasks properties to configure a content bootstrapping strategy.

Example configurations:

  • onlyImportAtInstall=true and createTasks=always: the most restrictive strategy. Content is bootstrapped only at installation, not at every instance startup. No content is bootstrapped automatically.

  • createTasks=onchange: the most permissive strategy. Content is bootstrapped automatically if the path does not exist in JCR. If the path exists, a task is created.

  • createTasks=never: content is bootstrapped at every startup and after every change.

The default configuration is onlyImportAtInstall=false and createTasks=always.

Possible values for createTasks are always, onchange and never.


The REST module 2.1.7 has been released separately to fix some security vulnerabilities. We recommend you update to this latest version of the module.

Deprecated Content API class replaced

In the Marketing Tags module, the PropertyValueDelegateTask class of the legacy Content API has been replaced with ValueOfPropertyDelegateTask.


Third-party library updates

This release comes with the following third-party library updates to fix some security and compatibility issues:

  • Commons IO updated to 2.8 (BUILD-456).
  • Groovy updated to 2.5.14 (BUILD-427).
  • Guava updated to 30.1-jre (BUILD-429).
  • jQuery and jQuery Migrate updated to 3.6.0 and 3.3.2 respectively (MGNLUI-6634).
  • PDFBox updated to 2.0.23 (BUILD-442).
  • RESTEasy and Jackson Databind updated to 3.15.1.Final and 2.11.3 respectively (BUILD-463).
  • Tika updated to 1.26 (BUILD-451).
  • XStream updated to 1.4.15 (BUILD-428).

We keep the details of security-related fixes private in line with our security policy. Contact our Support team if you need more information.
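
An added example (not Magnolia's own tooling) for checking a deployed webapp against the library versions listed above: it parses jar file names as found in WEB-INF/lib and reports those older than the versions in this release. The artifact names and the sample listing are assumptions, and jQuery is left out.

```python
import re

# Minimum versions come from the release notes above. The artifact names are
# the usual Maven artifact ids (an assumption about what WEB-INF/lib contains).
MINIMUMS = {
    "commons-io": "2.8", "groovy": "2.5.14", "guava": "30.1-jre",
    "pdfbox": "2.0.23", "resteasy-jaxrs": "3.15.1.Final",
    "jackson-databind": "2.11.3", "tika-core": "1.26", "xstream": "1.4.15",
}
# <artifact>-<version>.jar, where the version starts with a digit.
JAR_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d[\w.\-]*)\.jar$")

def numeric_key(version):
    """Leading dotted numbers only: '30.1-jre' -> (30, 1); qualifiers are ignored."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):  # a qualifier such as '-jre' ends the numbers
            break
    return tuple(parts)

def is_older(found, minimum):
    """True if found < minimum, padding with zeros so 2.8 == 2.8.0."""
    a, b = numeric_key(found), numeric_key(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def audit(jar_names):
    """Return sorted (artifact, found, minimum) tuples for outdated jars."""
    findings = []
    for jar in jar_names:
        m = JAR_RE.match(jar)
        if m and m["name"] in MINIMUMS:
            minimum = MINIMUMS[m["name"]]
            if is_older(m["version"], minimum):
                findings.append((m["name"], m["version"], minimum))
    return sorted(findings)

# Constructed sample listing, not taken from a real deployment.
SAMPLE_LIB = [
    "commons-io-2.6.jar", "guava-30.1-jre.jar", "jackson-databind-2.9.10.8.jar",
    "resteasy-jaxrs-3.15.1.Final.jar", "xstream-1.4.11.1.jar",
    "groovy-json-2.5.8.jar", "magnolia-core-6.1.8.jar",
]

if __name__ == "__main__":
    for name, found, minimum in audit(SAMPLE_LIB):
        print(f"{name}: {found} is older than {minimum}")
```

To run it against a real instance, pass `audit` the file names from the webapp's WEB-INF/lib directory, for example the result of `os.listdir`.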

Security advisory

We have fixed a few XSS vulnerabilities with this release. We keep the details of those fixes private in line with our security policy. Contact our Support team if you need more information.

MGNLREST-299, MGNLUI-6584 (restricted access)


If you are upgrading from an earlier version, read the Upgrading to Magnolia 6.1.x page first and check the Known issues page.


See the 6.1.8 changelog for all the changes.

Updated modules

  • Community Edition 6.1.8
  • Content Editor 1.3.6
  • Content Importer 1.0.4
  • DX Core 6.1.8
  • Form 2.5.6
  • Imaging 3.4.4
  • JavaScript Models 1.1.2
  • License 1.7.3
  • Magnolia 6.1.8
  • Mail 5.5.7
  • Marketing Tags Manager 1.4.3
  • Publishing 1.2.5
  • Publishing Transactional 1.0.8
  • Scheduler 2.3.5
  • Third-party library BOM 6.1.8
  • UI 6.1.8


The Magnolia team would also like to thank everyone who reported issues, contributed patches or simply commented on issues for this release. Your continued interest helps us make Magnolia better. Special thanks go to Marc Johnen, Marek Lesiak, David Martin, Cedric Reichenbach, Ruth Stocks and Andrey Zavodnik.
