Releases: ahdis/matchbox

Release v4.1.9

27 May 08:19


  • Upgrade Undertow from 2.3.24.Final to 2.4.1.Final to fix DoS via multipart/form-data parsing on HTTP GET requests (CVE-2026-3260). Since Undertow 2.4.0 the servlet and websocket modules were extracted to io.undertow.ee (UNDERTOW-2646); we now use io.undertow.ee:undertow-servlet:1.0.0.Final and io.undertow.ee:undertow-websockets:1.0.0.Final for Jakarta EE 10 compatibility (Spring Framework 6.2).
  • Upgrade Spring Framework from 6.2.17 to 6.2.18 to fix DoS via static resource resolution on Windows (CVE-2026-22745)
  • Update Spring AI to 1.0.7 for CVE-2026-41712

Release v4.1.8

26 May 14:42


  • Fix for loading custom SearchParameter: exception during startup (#520) when matchbox.validation.save-statistics is enabled
  • Update frontend dependencies
  • Update org.hl7.fhir.core to 6.9.8

Release v4.1.7

17 May 11:51


Release v4.1.6

07 May 20:24


  • Re-add support for the JRE 17 in matchbox-engine (#510)
  • Add validation statistics feature (#462)
  • Upgrade Spring Boot from 3.5.12 to 3.5.14 to fix predictable temp directory vulnerability (CVE-2026-40973)
  • Upgrade Thymeleaf from 3.1.4.RELEASE to 3.1.5.RELEASE to fix improper recognition of unauthorized syntax patterns (CVE-2026-40478)
  • Upgrade PostgreSQL JDBC driver from 42.7.10 to 42.7.11 to fix SCRAM-SHA-256 authentication DoS vulnerability (CVE-2026-42198)

Release v4.1.5

22 Apr 13:26


  • updated security fix

Release v4.1.3

17 Apr 12:33


  • Upgrade Thymeleaf from 3.1.2.RELEASE to 3.1.4.RELEASE to fix CVE-2026-40478
  • Upgrade Angular to 21.2.9, Angular Material/CDK to 21.2.7, angular-eslint to 21.3.1 (fixes vite 7.3.1 vulnerability via transitive update to vite 7.3.2)
  • Upgrade lodash and lodash-es to 4.18.x via npm override (fixes CVE-2026-4800 and Dependabot alerts, transitive via karma and mermaid)
  • Add FHIRPath test for data-absent-reason with hasValue() checks
  • Suppressed warnings and errors are now stored in a Set instead of a List to prevent duplication (#482)

Release v4.1.1

31 Mar 06:27


  • Update org.hl7.fhir.core to 6.9.4

Release v4.1.0

30 Mar 14:50


  • Fix ClassCastException in $validate-code when expanding inline ValueSet on R4/R4B servers (#497)
  • Upgrade HAPI FHIR from 8.0.0 to 8.8.0, Spring Boot from 3.3.13 to 3.5.12
  • Upgrade jackson-core to 2.21.2 to fix async parser DoS vulnerability (GHSA-72hv-8253-57qq)
  • Upgrade Angular from 21.1.3 to 21.2.5 to fix XSS vulnerability in i18n attribute bindings (CVE-2026-32635)
  • Upgrade Tomcat from 10.1.48 to 10.1.52 to fix input validation vulnerability (CVE-2025-31651)
  • Upgrade Spring Boot from 3.5.9 to 3.5.12 to fix actuator authentication bypass (CVE-2025-49470, CVE-2025-49471)
  • Fix prototype pollution in flatted (GHSA-v5vr-gp4q-wv4p)
  • Fix undici WebSocket parser crash (GHSA-7r4h-r29g-6p4p)
  • Add Docker HEALTHCHECK instruction (DS-0026), configurable via HEALTHCHECK_URL env variable
  • Bundle next link returns HAPI-0287 error (#489)

Note: if you have a database, you need to update it from 8.0.0 to 8.8.0.

Release 4.0.20

23 Mar 07:30


  • FHIRPath Slicing cannot be evaluated (#487): temporary workaround
  • Fix FML NPE with translate(), cc(), and c() when assigning to polymorphic elements like value[x] or location[x] (#480)
  • Load internal dependencies (ig-internal-dependency extension) from ImplementationGuide resources (#481)
  • Update org.hl7.fhir.core to 6.9.1

Release v4.0.18

12 Feb 08:01


What's Changed

  • Fix forwarding of anyExtensionsAllowed/extensionDomains in the validator (#464)
  • Update dependencies

Full Changelog: v4.0.17...v4.0.18