The release notes provide information on the features and improvements in the specified version.
Improvements
The issues listed in this Improvements section cover new functionality, user experience improvements and bug fixes.
‍
Batch (CSV) upload of evaluations fails - EV-343
Importing a somewhat larger CSV file with evaluations through the CSV import threw an error. The logs showed the cause: the timeout for the CSV upload was set too short. It has now been extended so that larger files can also be imported.
‍
Adding a participant should not throw a server error - EV-342
Occasionally, when adding an ad-hoc participant to an evaluation, the application showed a server error. This happened when an evaluation type was defined and the 'preferred email address recipient' had been left empty.
This has been fixed by:
- setting the default preferred email address recipient to Public when a new evaluation type is created
- making the field preferred email address recipient a required field
- applying a script that checks for types with no preferred email address recipient set, and sets it to Public
‍
Security
An integral part of our development and build processes is automatic scanning for known security vulnerabilities. Vulnerabilities are fixed based on their impact, which means that in some cases an immediate hot-fix is applied, and in other cases the vulnerability is fixed in the current or next Sprint (release). The security section provides an overview of the vulnerabilities mitigated.
This release mitigates the following vulnerabilities:
- CVE-2025-49146 (8.8)
- CVE-2025-22233 (2.29)
- CVE-2025-41232 (9.3)
- CVE-2025-41234 (7.4)
- CVE-2025-48988 (7.5)
For more information on reported vulnerabilities, see the central database of vulnerabilities.
‍
Audit security findings - EV-344
Based on a security audit and its findings on the accessibility of the API, which is intended for internal use only, a number of fixes have been applied to further 'restrict access' and 'data visualisation' when the API is accessed anonymously:
- API service blocks: the blocks are used in the anonymous reports and are therefore openly accessible. The anonymous result has been modified to provide only the exact information required for the reports and no other fields.
- API service participate/progress: this appeared to be excluded from the authorisation (even though it was set) and allowed retrieval of evaluation information. This was caused by the fact that the service name has a / in it. It has been changed to participate-progress so that the intended authentication requirement applies.
- API service answers: this provided some meta-data, but should return an error when accessed anonymously. This has been fixed.
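The release note does not say how the API's authorisation rules are matched. As an added example (not the product's own code), the check below assumes a first-match rule table in which `*` matches one path segment and unmatched paths fall through to a default; under that assumption it shows how a service name containing a / escapes the rule meant to protect it, and how an audit over the route list catches it. The `/api` prefix, the rule table and all function names are hypothetical.

```python
import re

# Constructed rule table (assumption): first match wins, '*' matches exactly
# one path segment, and a path matching no rule gets DEFAULT.
RULES = [
    ("/api/blocks", "anonymous"),      # needed by the anonymous reports
    ("/api/*", "authenticated"),       # intended to cover every other service
]
DEFAULT = "anonymous"                   # permissive fall-through (assumption)
PUBLIC = {"/api/blocks"}                # routes that are meant to be open

# Service names from the release note; the /api prefix is an assumption.
ROUTES_BEFORE = ["/api/blocks", "/api/participate/progress", "/api/answers"]
ROUTES_AFTER = ["/api/blocks", "/api/participate-progress", "/api/answers"]


def to_regex(pattern):
    """Compile a rule pattern: '*' is one segment, '**' is any depth."""
    out = []
    for tok in re.split(r"(\*\*|\*)", pattern):
        if tok == "**":
            out.append(".*")
        elif tok == "*":
            out.append("[^/]+")
        else:
            out.append(re.escape(tok))
    return re.compile("".join(out) + r"\Z")


def decide(path, rules=RULES, default=DEFAULT):
    """Return (access, matching pattern or None) for a request path."""
    for pattern, access in rules:
        if to_regex(pattern).match(path):
            return access, pattern
    return default, None


def audit(routes, rules=RULES, default=DEFAULT, public=PUBLIC):
    """List routes reachable anonymously that are not meant to be public."""
    return [r for r in routes
            if decide(r, rules, default)[0] == "anonymous" and r not in public]


if __name__ == "__main__":
    print("before rename:", audit(ROUTES_BEFORE))
    print("after rename: ", audit(ROUTES_AFTER))
    print("deny by default:", audit(ROUTES_BEFORE, default="denied"))
```

Run against the full route list in CI, an audit of this kind fails the build whenever a new route resolves to anonymous access without being on the intended-public list; a deny-by-default fall-through closes the same gap regardless of how a service is named.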
‍
For more guidance on configuration and setup of Evaluation, use the relevant Evaluation manual.