v4.4.23
Note
Security patch: Addresses penetration test findings and resolves high-severity SCA vulnerabilities across all products.
Common
| Change Type | Description |
|---|---|
| Security | Security hardening: Several security improvements have been applied across all products:<br>• Resolved unauthenticated access to certain internal API endpoints<br>• Improved input sanitization to prevent injection vulnerabilities<br>• Hardened HTTP response headers to reduce information disclosure<br>• Error responses no longer expose internal application details |
| Security | Product security and stability: We've mitigated several high-severity SCA vulnerabilities by upgrading the corresponding NuGet and npm packages:<br>• CVE-2026-32933: Upgraded Entity Framework from 7.0 to 8.0.20 and Breeze from 7.1.0 to 7.5.0 in App Designer as a prerequisite for the HealthChecks.UI 8.x upgrade<br>• CVE-2026-32933: Upgraded AspNetCore.HealthChecks.UI and related packages from 6.x to 8.x in App Designer, Data Stream Designer, and XMPro AI, removing the transitive AutoMapper 9.0 dependency<br>• CVE-2026-32933: Removed the AutoMapper 5.0 dependency in Subscription Manager and replaced it with plain C# mapping<br>• CVE-2023-26136: Overrode tough-cookie to 4.1.3 in Subscription Manager<br>• CVE-2025-7783: Overrode form-data to 4.0.4 in Subscription Manager<br>• CVE-2024-4068: Overrode braces to 3.0.3 in Subscription Manager<br>• CVE-2026-4599: Overrode jsrsasign to 11.1.0 in Subscription Manager<br>• CVE-2020-11022 / CVE-2020-11023: Upgraded jQuery from 3.2.1 to 3.5.0 in Subscription Manager<br>• CVE-2021-32803: Overrode tar to 7.5.10 in App Designer<br>• CWE-1321: Overrode unset-value to 2.0.1 in Subscription Manager to resolve Prototype Pollution<br>• Removed unused npm dependencies and NuGet packages in App Designer to reduce attack surface |
| Documentation | AI-Powered Documentation Assistant: The XMPro documentation site now includes an AI-powered assistant to help you find answers faster. |
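
One way to confirm that npm overrides like those listed above actually took effect, as an added example that is not XMPro's code: it walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3) and reports any copy, including nested ones, below the versions this note names. The lockfile content, the `sample-app` name and the function names are constructed for illustration.

```javascript
// Minimum versions named in the release note's npm override list.
const MINIMUMS = {
  "Subscription Manager": {
    "tough-cookie": "4.1.3", "form-data": "4.0.4", "braces": "3.0.3",
    "jsrsasign": "11.1.0", "unset-value": "2.0.1",
  },
  "App Designer": { "tar": "7.5.10" },
};

// Constructed lockfile (lockfileVersion 3 layout), not taken from the product.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/tough-cookie": { version: "4.1.3" },
    "node_modules/braces": { version: "3.0.3" },
    "node_modules/jsrsasign": { version: "11.1.0" },
    // Nested copies that a top-level pin did not replace:
    "node_modules/request/node_modules/tough-cookie": { version: "2.5.0" },
    "node_modules/micromatch/node_modules/braces": { version: "2.3.2" },
  },
};

// Compare major.minor.patch numerically; pre-release/build tags are ignored.
function isBelow(version, minimum) {
  const parse = (v) => v.split(/[-+]/)[0].split(".").map(Number);
  const a = parse(version), b = parse(minimum);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Report every installed copy, at any nesting depth, below its minimum.
function findStaleCopies(lock, minimums) {
  const stale = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // handles @scope/name too
    const minimum = minimums[name];
    if (typeof minimum === "string" && entry.version && isBelow(entry.version, minimum)) {
      stale.push({ path, name, version: entry.version, minimum });
    }
  }
  return stale;
}

console.log(findStaleCopies(SAMPLE_LOCK, MINIMUMS["Subscription Manager"]));
```

To check a real build, replace `SAMPLE_LOCK` with the parsed contents of that product's `package-lock.json`.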
App Designer
| Change Type | Description |
|---|---|
| Fix | When importing a large application (file size greater than ~195 MB), the upload failed silently with no error or feedback. The web.config request size limit was incorrectly set below 200 MB, causing a silent 413 error. The limit has been corrected to 200 MB, and a clear error message is now shown when it is exceeded. |
| Performance | App pages performance: Replaced the earlier short-term ToListAsync workaround with the long-term fix from Breeze 7.3.0+ (upgraded to 7.5.0) in App Designer. No change in user-facing responsiveness. |
Last modified: May 01, 2026