Release notes for Magnolia CMS 6.3.9

LTS release • Delivered on June 2, 2025 • Changelog: 17569

Magnolia 6.3.9 enhances the Magnolia CMS experience with significant improvements and bug fixes.

The MgnlLink plugin for CKEditor 5 now supports rel and target attributes for secure link handling and custom styling. Other improvements include optimized Jackrabbit index repair, a Jackrabbit patch, and aligning the Magnolia REST implementation with the newer RFC 9457 (Problem Details for HTTP APIs).

Key bug fixes address issues like duplicate CSRF cookies, asset upload errors, and incorrect property inheritance in components.

We keep the details of security fixes private in line with our security policy. Contact our Support team if you need more information.

Improvements

Enhanced MgnlLink plugin decorations in CKEditor 5

The MgnlLink plugin for the CKEditor 5 in Magnolia now supports adding rel and target attributes to open links in a new tab with security settings (noopener noreferrer). Custom decorations, such as styling links with colors, are also supported.

The rel and target decoration is included by default in Magnolia ckeditor5-build since this release.

Other improvements

Bug fixes

  • MAGNOLIA-9080 Duplicate CSRF cookies after server side forward

  • MAGNOLIA-9399 Charset set for Content-Type header in responses for assets

  • MAGNOLIA-9460 BasicLogin handler doesn’t filter out Bearer authentication

  • MGNLDAM-1762 NPE when multi-uploading assets under some circumstances

  • MGNLRES-423 Deleting an already published item doesn’t work

  • MGNLREST-844 Reference resolvers don’t respect the workspace ACL bypass

  • MGNLSITE-227 Components incorrectly inheriting properties/content from prototypes

  • MGNLTAGS-127 Page Template setting isn’t working

  • MGNLUI-9189 Image source preview in UploadField not updated after uploading a file with the same

Miscellaneous

Others

Resolved: Magnolia CLI overlay webapp download issue

Prior to this release, the jumpstart plugin in the Magnolia CLI v5 and the CLI v4 jumpstart command weren’t downloading the expected webapps from the Nexus repository (for example magnolia-dx-core-webapp-6.3.8-overlay.war instead of magnolia-dx-core-webapp-6.3.8.war).

For CLI v5, this issue has been fixed with JIRA ticket MGNLCLI-391 Use maven.classifier param when searching for webapps in Nexus.

To apply the fix, you should update to the latest Magnolia CLI version. Use the CLI with npx to automatically fetch and use the latest version:

npx @magnolia/cli@latest jumpstart

There’s also a fix for CLI v4, NPMCLI-317 -overlay webapps are downloaded instead of normal ones. However, CLI v4 reached end-of-life (EOL) on April 16, 2025.

Reminder about the templateScript templating property

The templateScript templating property isn’t supported for SPA in Magnolia 6.3. Use baseUrl and routeTemplate instead.

The property was deprecated with version 6.2.26 of the Pages module.

For more details, see the following render types for template definitions:

Updated modules

Bundled modules included with this release.

  • Barebones Tomcat Bundle 1.2.36

  • CKEditor 5 Build 1.0.5

  • Community Edition 6.3.9

  • DAM 4.0.7

  • DX Core 6.3.9

  • Demo Projects 6.3.9

  • Magnolia 6.3.9

  • Marketing Tags Manager 3.0.2

  • REST Framework 3.1.0

  • Resources 4.0.3

  • Security 7.0.3

  • Site 2.0.2

  • Task Management 2.0.1

  • Third-party library BOM for Extensions 6.3.9

  • Third-party library BOM 6.3.9

  • UI 6.3.9

Unbundled modules

Unbundled modules released since Magnolia 6.3.8.

Acknowledgements

The Magnolia team would also like to thank everyone who reported issues, contributed patches or simply commented on issues for this release. Your continued interest helps us make Magnolia better.

Feedback

DX Core

×

Location

This widget lets you know where you are on the docs site.

You are currently perusing through the DX Core docs.

Main doc sections

DX Core Headless PaaS Legacy Cloud Incubator modules