P6core 6.10.20
Release date: Tuesday, April 07, 2026
Documentation can be found here.
TL;DR
This release is heavily focused on security hardening: ten vulnerabilities — including three critical-severity CVEs — have been patched by upgrading core dependencies such as Jersey, Apache MINA, Xalan, XStream, Jetty, and Jackson. On the functional side, the `p6.pdf.compress()` DSL method has been completely rewritten in pure Java and now achieves 90%+ compression on text-heavy PDFs, down from near-zero in the previous implementation. Two production-level data-display bugs are also addressed: buyer names containing an ampersand no longer render as the escaped entity `&amp;` in transaction views, and CSV table exports no longer corrupt data with double-escaped quotes. Finally, the application list page loads significantly faster thanks to a backend optimisation that filters out unnecessary payload data before sending it to the client.
Performance
- Faster application list loading — The application list was previously fetching the full content of every application from the database, including service items not needed by the UI. Only the required fields are now returned, reducing payload size and improving page load times noticeably on instances with many applications. (STN-26166)
PDF Processing
- Redesigned PDF compression — `p6.pdf.compress()` has been fully rewritten as a pure-Java pipeline (no Ghostscript dependency). The previous implementation achieved near-zero compression on PDFs produced by `p6.pdf.merge()` and rendered text as blurry images. The new pipeline performs font substitution (replacing embedded TrueType subsets with standard PDF fonts), deduplication of shared Form XObjects, image recompression with configurable quality and DPI, and garbage collection of orphaned objects — achieving 90%+ size reduction (e.g. 3.2 MB → 201 KB on a 58-page document) while keeping text fully readable as vectors. (STN-26467)
Integration DSL
- Fixed HTTP DSL form element — When sending HTTP requests with a `form` body element, the payload was being assembled by string concatenation instead of proper multipart encoding. This caused the form data to arrive malformed at the target server. It now uses the correct multipart format. (STN-25691)
Transaction Display
- Ampersand in buyer names shown correctly — Buyer names containing `&` were being displayed as the XML-escaped entity `&amp;` in transaction views after the XML content was parsed for display. The underlying data was stored correctly; only the rendering was affected. This is now fixed. (STN-25885)
- Fixed double-escaping in CSV table exports — When exporting table data to CSV, fields containing quotes or commas were being escaped twice — once by the initial formatting step and again by the CSV serialiser. This resulted in garbage data (e.g. `"""a """" b"""`) on export and data corruption on reimport. The escaping logic has been corrected. (STN-26080)
Security — Critical Vulnerabilities
- Upgraded Jersey to 2.46 (CVE-2025-12383) — A race condition in Jersey’s `HttpUrlConnector` during SSL socket initialisation could allow concurrent HTTPS requests to bypass custom SSL settings, including mutual authentication and custom trust stores. Jersey has been upgraded from 2.36 to 2.46, which remains on the `javax.*` namespace and is fully compatible with the current Jetty and Swagger versions. (STN-25700)
- Upgraded Apache MINA to 2.0.27 (CVE-2024-52046) — A critical deserialization vulnerability in Apache MINA’s `ObjectSerializationDecoder` allowed arbitrary code execution via specially crafted serialized data sent over the network. MINA has been upgraded to 2.0.27+. The SFTP server component used by the platform is not directly affected, but the dependency has been hardened. (STN-25699)
- Upgraded Xalan to 2.7.3 (CVE-2022-34169) — An integer truncation flaw in the Xalan XSLT processor allowed attackers to corrupt generated Java bytecode and execute arbitrary code via malicious XSLT stylesheets. Xalan has been upgraded from 2.6.0 to 2.7.3+. (STN-25702)
Security — High Vulnerabilities
- Upgraded XStream to 1.4.18+ (CVE-2021-39144) — A remote code execution vulnerability in XStream allowed attackers with sufficient access to execute OS commands by manipulating the XML input stream. XStream has been upgraded from 1.4.7 to 1.4.18 or higher. (STN-25742)
- Upgraded Jetty to address DoS (CVE-2024-8184) — A vulnerability in Jetty’s `ThreadLimitHandler` allowed attackers to exhaust server memory by sending repeated crafted requests, triggering `OutOfMemoryError`. Jetty has been upgraded to a patched version. (STN-25730)
- Upgraded Jackson to 2.18.6 — Jackson has been updated to 2.18.6 to address high-severity security findings reported by Snyk. (STN-26105)
- Upgraded Apache Commons dependencies — Apache Commons libraries have been updated to their latest versions to address known vulnerabilities. (STN-25955)
- Upgraded Quartz scheduler library — The Quartz job scheduling library has been updated to remediate a high-severity vulnerability that could be exploited via crafted cron triggers. (STN-26068)
- Upgraded dnsjava to 3.6.0+ (CVE-2024-25638) — A vulnerability in dnsjava allowed an attacker to inject or alter DNS records from different zones, potentially redirecting network traffic. dnsjava has been upgraded to 3.6.0 or higher. (STN-25768)
- Upgraded Apache SSHD to 2.12.0+ (CVE-2024-41909) — A Terrapin attack vulnerability in Apache SSHD allowed a man-in-the-middle attacker to downgrade SSH security features by intercepting and dropping specific handshake packets. Apache SSHD has been upgraded to 2.12.0+. (STN-25735)
- OkHttp certificate validation (CVE-2021-0341) — This vulnerability in OkHttp’s hostname verification is introduced transitively via the web3j dependency. It has been assessed and will be resolved as part of the planned removal of the web3j library from the platform. (STN-25734)
Documentation
- Corrected DSL reference documentation — Various inaccuracies in the core Groovy DSL documentation have been fixed. (STN-26199)
- Removed `p6cmd verify` from documentation — The `p6cmd verify` command has been removed from the public documentation, as it is an internal tool not intended for use by Professional Services or Integration Engineers. (STN-26125)