EximeeBPMS 1.2.x Enterprise Edition Release Notes

Edition: Enterprise  |  Baseline: EximeeBPMS 1.2.0 CE


1.2.18-ee

Release date: 16.06.2026

Highlights

  • Spring Framework 7.0.7 and Tomcat 10.1.55 security updates (9 CVEs resolved)
  • Removed legacy Tomcat 9 and WildFly 26 from the build matrix
  • Jakarta EL API 6.0.1 and Quarkus 3.36.1 upgrades

Technical Updates

Dependency Updates

DependencyPreviousUpdated
Spring Boot4.0.34.0.6
Spring Framework7.0.57.0.7
Tomcat 1010.1.5010.1.55
Jakarta EL API4.0.06.0.1
Quarkus3.28.43.36.1
Groovy5.0.45.0.5
AssertJ3.27.63.27.7
Maven Dependency Plugin2.83.11.0
bpm-monitorlatest

Resolved CVE Vulnerabilities

High
CVECVSSComponentDescriptionFixed In
CVE-2026-29145Apache Tomcat 10.1.50–10.1.52“Improper input validation (incomplete fix for CVE-2025-66614).” Fixed in Tomcat 10.1.53.1.2.18-ee
Medium
CVECVSSComponentDescriptionFixed In
CVE-2026-22740spring-webflux ≤7.0.6“Denial of service via orphaned multipart temporary files when client disconnects.” Fixed in Spring Framework 7.0.7.1.2.18-ee
CVE-2026-22741spring-webmvc / spring-webflux ≤7.0.6“Static resource cache poisoning via specially crafted requests.” Fixed in Spring Framework 7.0.7.1.2.18-ee
CVE-2026-22745spring-webmvc ≤7.0.6“Denial of service in static resource resolution on Windows paths.” Fixed in Spring Framework 7.0.7.1.2.18-ee
CVE-2026-227375.9spring-webmvc / spring-webflux ≤7.0.5“Path traversal / information disclosure via script view templates (JRuby/Jython).” Fixed in Spring Framework 7.0.6.1.2.18-ee
CVE-2026-22735spring-webmvc / spring-webflux ≤7.0.5“Server-Sent Event stream corruption.” Fixed in Spring Framework 7.0.6.1.2.18-ee
CVE-2026-29129Apache Tomcat“Open redirect via crafted URL when LoadBalancerDrainingValve is active.” Fixed in Tomcat 10.1.55.1.2.18-ee
CVE-2026-24734Apache Tomcat Native“OCSP response not fully verified; certificate revocation bypass.”1.2.18-ee
CVE-2026-24733Apache Tomcat ≤10.1.49“HTTP/0.9 GET request bypasses HEAD-only security constraints.” Fixed in Tomcat 10.1.50.since 1.2.16-ee

Bug Fixes

  • Fixed Jython BOM dependency configuration.
  • Resolved integration test failures in the CI matrix (PostgreSQL, cross-database, WildFly + webapps).

Build Configuration

  • Removed legacy Tomcat 9 and WildFly 26 from the build matrix. The shaded JUEL dependency was replaced with the standard distribution.

1.2.17-ee

Release date: 03.06.2026

Highlights

  • Java version and dependency refresh
  • Critical Jython deserialization vulnerability fixed (CVE-2016-4000)

Technical Updates

Resolved CVE Vulnerabilities

Critical
CVECVSSComponentDescriptionFixed In
CVE-2016-40009.8org.python:jython ≤2.7.0“Unsafe deserialization of untrusted data enabling arbitrary code execution (since Jython 2.7.0).” This vulnerability is exploitable if process definitions use Jython scripts. Fixed by upgrading Jython.1.2.17-ee

1.2.16-ee

Release date: 02.06.2026

Highlights

  • Business Events with transactional outbox — guaranteed at-least-once delivery to downstream systems
  • Configurable OAuth2 endpoints and custom webapp context path support
  • Script Guard NIO enforcement narrowed to file and network APIs only

New Features

Business Events with Transactional Outbox

A native business event system with a transactional outbox pattern. Process-level events (process instance lifecycle, task lifecycle, job execution) are captured inside the engine transaction and written to a dedicated outbox table. A relay component reads from the outbox and delivers events to configured downstream systems (Kafka, HTTP webhooks, etc.), guaranteeing at-least-once delivery without coupling downstream systems to the engine transaction.

A BusinessEventPublisher SPI allows custom event routing and transformation. Database schema upgrade scripts for all supported databases are included.

Configurable OAuth2 Endpoints

OAuth2 configuration is now fully externalised. Authorization, token, and userinfo endpoints are configurable via Spring Boot properties. The engine also respects a configurable webapp context path for correct OAuth2 redirect handling.

Spring Security Integration

Configuration Changes

New properties for Business Events and OAuth2:

# Business Events
eximeebpms.bpm.business-events.enabled=true

# OAuth2 endpoints
eximeebpms.bpm.security.oauth2.authorization-endpoint=https://auth.example.com/oauth2/authorize
eximeebpms.bpm.security.oauth2.token-endpoint=https://auth.example.com/oauth2/token
eximeebpms.bpm.security.oauth2.userinfo-endpoint=https://auth.example.com/oauth2/userinfo

# Webapp context path
eximeebpms.bpm.webapp.path=/bpm

User Experience Improvements

Script Guard — Reduced False Positives

The NIO blocking enforcement in Script Guard was narrowed to file and network APIs only. Pure computation (sorting, string manipulation) is no longer subject to blocking checks, reducing false positives and improving performance of compliant scripts.

Script Guard
Securing Custom Code

Technical Updates

Dependency Updates

DependencyPreviousUpdated
Gson2.8.92.14.0
Jackson2.15.22.21.3
Mockito5.10.05.23.0

Resolved CVE Vulnerabilities

Medium
CVECVSSComponentDescriptionFixed In
CVE-2023-351164.7com.fasterxml.jackson.core:jackson-databind ≤2.15.2“Cyclic dependency chain causes denial of service on crafted input. (Disputed by Jackson maintainers as not externally exploitable — included for completeness.)” Fixed in jackson-databind 2.16.0.1.2.16-ee

1.2.15-ee

Release date: 22.05.2026

Release-pipeline bookkeeping only. No functional or security changes.


1.2.14-ee

Release date: 22.05.2026

Release-pipeline bookkeeping only. No functional or security changes.


1.2.13-ee

Release date: 21.05.2026

Highlights

  • Script Guard — enforce which scripts are allowed to execute in the engine
  • Groovy upgraded from 4.x to 5.x

New Features

Script Guard

A framework for controlling which scripts are permitted to execute in the process engine, enforced at two levels:

  • BPMN parse time — script content is validated when a process definition is deployed; definitions containing disallowed scripts are rejected before they can run.
  • Runtime — scripts are validated immediately before execution; violations abort execution with a ScriptEvaluationException.

A built-in NIO blocking policy prevents scripts from performing blocking file system and network calls on the engine thread pool. Policies can be composed freely:

configuration.setScriptSecurityPolicy(new CompositeScriptSecurityPolicy(
    new NioBlockingPolicy(),
    new AllowlistScriptPolicy(allowedScriptIds)
));

Script Guard
Securing Custom Code
Scripting

Technical Updates

Dependency Updates

DependencyPreviousUpdated
Groovy4.0.225.0.4

Bug Fixes

  • Fixed Sonar build configuration causing analysis failures on CI.

Infrastructure Releases: 1.2.1-ep – 1.2.12-ee

Releases 1.2.1-ep through 1.2.12-ee established the Enterprise Edition release pipeline.

VersionDateSummary
1.2.1-ep08.05.2026First EE release — includes CE 1.3.0 features (multithreaded External Task Client, UUID v7, task query OR fix) and initial CI/CD pipeline
1.2.2-ep11.05.2026Release action configuration; snapshot release pipeline fix
1.2.3-ee11.05.2026Nexus TLS certificate for snapshot builds; distribution management release repository
1.2.4-ee12.05.2026Version release preparation
1.2.5-ee12.05.2026Release workflow fix
1.2.6-ee12.05.2026Release workflow fix
1.2.7-ee12.05.2026Release workflow fix
1.2.8-ee12.05.2026Update Sonar host URL to current internal instance
1.2.9-ee13.05.2026Release workflow fixes
1.2.10-ee13.05.2026Exclude duplicated sources from release artifact
1.2.11-ee13.05.2026Exclude duplicated sources from release artifact
1.2.12-ee13.05.2026Workflow simplification; disable snapshot deploys

On this page