Please rate how useful you found this document:
Release Date: April 28th, 2026
This document contains release notes for ProcessMaker 3.9.5. Release Notes are cumulative, and document bug fixes associated with this release unless otherwise noted. A list of older ProcessMaker Release Notes is included at the end of this document.
Bug Fixes
ProcessMaker 3.9.5 includes the following bug fixes:
- Removed the TinyMCE BBCode plugin to fully eliminate any remaining code associated with CVE-2012-4230, further reducing the attack surface even though the plugin was not used in practice.
- Applied additional hardening for CVE-2020-12648 to strengthen how pasted HTML is handled in TinyMCE and reduce the risk of malicious content injection.
-
Reviewed Ext JS
evalusage against reported CVEs (CVE-2023-37280, CVE-2019-12457, CVE-2018-8046, CVE-2007-6758) and added mitigations where applicable to ensure no known exposure remains from these findings. -
Refactored remaining
eval()usage to minimize dynamic code execution and improve overall security and maintainability.
Previous Release Notes
Refer to the previous Release Notes from ProcessMaker versions 3.2 through 3.9.4:
- 3.9.4
- 3.9.3
- 3.9.2
- 3.9.1
- 3.9.0
- 3.8.3
- 3.8.2
- 3.8.1
- 3.8.0
- 3.7.7
- 3.7.6
- 3.7.5
- 3.7.4
- 3.7.3
- 3.7.2
- 3.7.1
- 3.7.0
- 3.6.5
- 3.6.4
- 3.6.3
- 3.6.2
- 3.6.1
- 3.6.0
- 3.5.11
- 3.5.10
- 3.5.9
- 3.5.8
- 3.5.7
- 3.5.6
- 3.5.5
- 3.5.4
- 3.5.3
- 3.5.2
- 3.5.1
- 3.5.0
- 3.4.11
- 3.4.10
- 3.4.9
- 3.4.8
- 3.4.7
- 3.4.6
- 3.4.5
- 3.4.4
- 3.4.3
- 3.4.2
- 3.4.0
- 3.3.17
- 3.3.16
- 3.3.15
- 3.3.14
- 3.3.13
- 3.3.12
- 3.3.11
- 3.3.10
- 3.3.9
- 3.3.8
- 3.3.7
- 3.3.6
- 3.3.5
- 3.3.4
- 3.3.3
- 3.3.2
- 3.3.1
- 3.3.0
- 3.2.4
- 3.2.3
- 3.2.2
- 3.2.1
- 3.2
