7x Releases Exponential 6.0.13
7x is very excited to announce the release of Exponential 6.0.13 to users worldwide. Try our improved version containing Enhanced PHP 8.5+ Software Support!
7x urges you to run Exponential on a secure release of PHP like 8.5 but our software supports both PHP 8.1 through 8.5 so there is no reason not to upgrade to a more stable and secure eZ Publish 6.0.13.
Review the improvements that have been made to eZ Publish after the release of eZ Publish 6.0 and 6.0.13 in the GitHub repository changelog.
Release date: 2026.04.20
Key Highlights of Exponential Version 6.0.13 (Stable):
Updated: Updated package repository README.md (Improvements)
Updated the core kernel to better support specific feature use with newer versions of php 8.4+/8.5+
What's Changed / What's New (Since Exponential 6.0.12)
The main themes of this release are Security Hardening, PHP 8 Compatibility Fixes,
SQLite3 Driver Improvements, New Template String Operators, and an upgraded
PHPUnit v13 Test Suite.
Security Fixes (Critical — PR #60: security-hardening-exp-6013)
• SEC [SEC-01..06]: Fix SQL injection and OS shell injection — 4 files patched,
6 attack surfaces closed. Parameterised queries and shell-argument escaping applied
to previously vulnerable call sites.
• FIX [UND-01..03, LOG-01..02, NUL-01..13, PRG-01]: Null/undefined guards and
logic corrections — 12 files hardened against undefined-variable and
null-dereference conditions that could lead to information disclosure or
logic-bypass under PHP 8.
• PHP84 [PHP-01..03, NUL-04..05]: PHP 8.4 deprecation fixes + order null guards
— 2 files updated to resolve deprecation warnings introduced in PHP 8.4.
• FIX [IMP-01..02, SET-01..06, KNT-01..12]: SOAP stubs, setup wizard guards,
kernel/content null safety — 20 files updated; covers SOAP response stubs,
setup-wizard input validation, and kernel/content-object null-safety checks.
Session / PHP 8 Compatibility
• fix(ezsession): PHP 8 compat — read() now returns '' (empty string) instead
of false; gc() correctly uses time() + gcStartTime for session lifetime
calculation. Eliminates type-error fatals on PHP 8.
• fix(ezsession): PHP 8 — guard $GLOBALS['eZCurrentAccess'] before access —
prevents undefined-index warnings / fatals when the global is not yet initialised
during early-bootstrap session handling.
SQLite3 Driver Improvements
• SQLite3: register eZSQLite3DB autoload + support absolute DB path — The
SQLite3 database driver now registers its autoload entry correctly and accepts an
absolute filesystem path for the database file, enabling use outside the default
var/ tree.
• fix(sqlite3): use recursive mkdir when creating SQLite3 DB directory —
Prevents a fatal error when intermediate directories do not exist on first-run
installations.
New Template Operators (Feature)
• Added: rstring, ristring, and many other PHP string operators as template
operators — A broad set of PHP string-manipulation functions (rstring,
ristring, str_pad, wordwrap, chunk_split, str_word_count,
number_format, sprintf wrappers, and more) are now available directly inside
Exponential templates. Feature Addition.
PHPUnit / Test Suite Upgrades (PR #61: upgrade-phpunit-tests-to-phpunit10)
• TEST [PHPUnit-10, SEC-01..06]: Add PHPUnit 10 test infrastructure and security
hardening suite — 6 new test files covering the SEC-01..06 attack surfaces
closed in this release.
• Updated: Upgraded PHPUnit test suite support to v13 — phpunit.xml and
test bootstrap updated for PHPUnit 13 compatibility.
• Updated: Version bump for PHPUnit to avoid composer security advisory —
Resolves a composer installation warning/block caused by a published security
advisory against the previously pinned PHPUnit version.
Documentation
• DOC [SEC-01..06, NUL-01..14, PHP-01..03, UND-01..03, LOG-01..02, SET-01..06,
KNT-01..12, IMP-01..02, PRG-01]: Add security hardening reference —
hardening.md (1,176 lines) documents every patch reference code, the
vulnerability class, affected file(s), and the fix applied.
• DOC: Add PHPUnit 3.7→10 migration guide — doc/phpunitv10.md added as a
developer reference for upgrading legacy test suites.
• DOC: Document PHP version compatibility — Explicit statement that the 6.0.13
patch set does not raise the minimum PHP version requirement.
• Updated: README — Distribution count updated, Exponential Platform / Nexus
version details added, issue tracker links revised, Telegram community link fixed.
Infrastructure / Project
• chore: add GitHub Sponsors funding metadata — .github/FUNDING.yml added to
enable sponsorship via GitHub Sponsors.
• Updated: .htaccess_root rebranding — Comments inside the example root
.htaccess configuration file updated to reflect current Exponential branding.
• Updated: Patched a fatal flaw in the client calling API for curl requests —
Curl client wrapper corrected; tested as working. Bugfix.
Notable Changes (Since eZ Publish 5)
Refer to prior release notes for the full historical feature list.
Key milestones still included in this build:
• Security: 6 SQL-injection / OS-shell-injection attack surfaces closed (this release)
• PHP 8.4 / 8.5 support (ongoing since 6.0.8)
• SQLite3 database driver (new this release)
• PHPUnit 13 test suite (new this release)
• REST API v2 (CRUD) support (since 6.0.9)
• PostgreSQL 17 setup-wizard support (since 6.0.10)
• Admin3 responsive admin design
• Multi-site INI override and cache-handling improvements (since 6.0.12)
• has_role / has_policy template & PHP operators (since 6.0.12)
Contributors
Try our new Headless CMS Featuring REST API Support (for v2 write crud) features!
To learn more about Exponential From 7x and to download the latest version. Visit: https://exponential.earth
7x is now offering turn key Exponential CMS Website Hosting at https://lnkd.in/gvPkYU8T
Read the Share announcement. You can download the release from GitHub or Composer! Then start a conversation about your own experience on our share forums thread about the release. For those who don’t know about eZ Publish yet read up on our favorite free software (GPL) content management system Exponential.
