Please be aware that there is newer version of documentation available for Webswing. Documentation 26.1
Release Notes
The Webswing version 25.2 comes with Oracle Forms support, audio/video streaming, JMeter plugin and other enhancements and bug fixes.
25.2.7
Release date: April 2nd 2026
- #1283: Support for adding escape focus traversal keys when accessibility is off
- #1288: Fixed issues with complex glyph rendering when DirectDraw enabled
- #1278: Replace deprecated javascript unload event
Fixed 3rd party vulnerabilities
- SAML2: Stream reset CVE-2025-8671
25.2.6
Release date: March 6th 2026
- #1265 Upgrading Tyrus for latest Tomcat compatibility
- #1273 Information disclosure - Server header removed
- #1270 Expose setCharacterEncoding in servlet request wrappers
- #1230 WebRobotPeer screen capture fix for undocked window and hidpi offscreen windows
- #1198 Fixed DD rendering error when canvas has 0 size
- #1198 Fixed PNG error when creating 0 size BufferedImage of decoration
- #1275 Fixed unreliable logout redirect if multiple tabs trigger logout at same time with user variable
- #1276 Prevent memory buildup from paintImmediately during disconnects
- #1277 Fixed memoryUsed percentage calculation; added stats properties
Fixed 3rd party vulnerabilities
- Tomcat: Improper Certificate Validation - High Severity CVE-2025-66614
- Tomcat: Incorrect Authorization - High Severity CVE-2026-24734
- Jetty: Improper Input Validation - Low Severity CVE-2025-11143
- Jetty: Uncontrolled Resource Consumption - High Severity CVE-2026-1605
25.2.5
Release date: January 30th 2026
- #1253 OIDC session monitor with OIDC session refresh
- #1264 Don't send fonts defined in fontConfig when directdraw=false
- #1250 Fixed long waiting period during server websocket hang
- #1263 DD cache capacity overflow with small number of constants
- #1249 Better handling of lost websocket connections
- #1143 Support for Oracle Forms 11
- #1262 Simulate real keyboard events instead of TransferHandler actions for clipboard events
- #1260 Modal overlay not removed after modal dialog closed
- #1261 Improved multiscreen positioning and permissions
- #1242 Fixed Admin Console cluster health warnings
- #1180 SAML2 configurable response binding
- #1203 Replaced WEBP encoder library
- #1254 Allow transparent file chooser UI when isolated FS is off
- #1236 Process streams redirection on start up of resilient instance - make sure session folder exists
- #1257 Improved expiration of unused refresh token cookies
Fixed 3rd party vulnerabilities
- React-router: Cross-site Scripting - High Severity CVE-2026-22029
25.2.4
Release date: January 9th 2026
- #1255 Do not call touchSession during login process
- #1180 Upgrade SAML2 security module to use latest pac4j lib + other improvements
- #1234 Fixed LZ4 lib vulnerability CVE-2025-12183
- #1250 Browser to detect inactive websocket connection on server shutdown
- #1248 Clear introspector cache in MetadataGenerator
- #1236 Process streams redirection on start up of resilient instance
- #1245 Warning concerning RAM usage has wrong point of reference
- #1235 Optional cookie name prefix
- #1238 Fixed touchpad scrolling resolution
- #1196 Fixed reconnect of CONTINUE_FOR_TAB after browser network fails
Fixed 3rd party vulnerabilities
- Command Injection - High Severity CVE-2025-64756
- SAML2: Allocation of Resources Without Limits or Throttling - Medium Severity CVE-2025-8916
- Log4j: Improper Validation of Certificate with Host Mismatch - Medium Severity CVE-2025-68161
25.2.3
Release date: December 5th 2025
- #1202 DirectDraw glyph rendering fixed
- #798 API for MacOS input map override
- #1215 Cannot paste or scan into focused input after tap outside
- #1230 Fixed Robot screenshot capture with PNG rendering and HiDPI
- #1216 Fixed initialization of undocked windows in MacOS in fullscreen
- #1226 Fixed serialization and content type of manifest.json
- #1231 Do not auto-undock hidden window
Fixed 3rd party vulnerabilities
- Race Condition - Critical Severity CVE-2025-12383
25.2.2
Release date: November 15th 2025
- #1143 Oracle Forms improvements
- #1214 Config option to bypass EDT unresponsivness in paint process
Fixed 3rd party vulnerabilities
- Relative Path Traversal (Tomcat) - High Severity CVE-2025-55752
- Improper Resource Shutdown or Release (Tomcat) - Medium Severity CVE-2025-61795
25.2.1
Release date: November 9th 2025
- #1210 LDAP authentication issue
- #1202 Fixed DirectDraw glyph rendering performance
- #1214 Config option to bypass EDT unresponsivness in paint process
- #798 Fixed mapping of MacOS Meta (cmd) key
- #1219 Race condition when repainting window decoration
- #1213 Remove files downloaded with direct transfer from transfer folder
- #1188 Added French translation
- #1221 Internal Server Error not redirected to custom 500 error page
- #1205 When websocketUrlLoader.script fails active connections are dropped
- #1198 Removed bufferedIO Log4j optimization from webswing.log and webswing-session-pool.log causing logs not being flushed to file before reaching 16384 buffer size
- #1143 Oracle Forms improvements
- #1206 REST API - getSessions filter by username
- #1207 JavaFX DirectDraw issue with subimage
- #1204 JavaFX app does not repaint after page refresh in DD
- #1201 Memory leak for [Process exit status timer]
- #1199 Stealing disconnected session after logout not working
25.2
Release date: October 10th 2025
- Oracle Forms support
- Stream audio and video with Webswing API
- JMeter plugin
- Directories upload/download
- Variable Substitutor - validator
- New LINK_VIEW_FOR_BROWSER session mode
- JVM shared with multiple users in a single browser
Other enhancements:
- Lock/unlock listener in Webswing API
- Redirect session logs directly to Log4j
- Add library to boot class path using advanced settings
- Improve Log4j performance