Redmine 6.1.2, 6.0.9 and 5.1.12 released

2026-03-19  •  ISHIHARA Yukiko

On March 16, 2026 (Central European Time), Redmine 6.1.2, 6.0.9 and 5.1.12 were released. These are maintenance releases that contain several security fixes and bug fixes.

What is Redmine:
Redmine is a versatile, open-source project management tool built on Ruby on Rails. It offers features such as multi-project support, issue tracking, time tracking, and custom fields. Comprehensive information is available on the official website, www.redmine.org.

All three releases, Redmine 6.1.2, 6.0.9 and 5.1.12, include the following security fixes:

  • Defect #43661: Unsafe eval usage in AttachmentsHelper
  • Defect #43690: Directory Traversal via Backslash-Separated Paths in Filesystem SCM
  • Defect #43691: DOM (Stored) XSS in @mention autocomplete via unescaped user name
  • Defect #43692: LDAP Injection (Unescaped Input in LDAP Search Filter)
  • Defect #43694: DOM XSS: HTML Injection via Custom Field Name in Query Filter Generation
  • Defect #43830: User who is allowed to view only their own time entries can retrieve other users' time entry details by directly specifying the TimeEntry ID via the REST API

These releases also update the Nokogiri library to address security vulnerabilities (1.19.1 for 6.1.2 and 6.0.9, and 1.18.9 for 5.1.12).

In addition to the security fixes, Redmine 6.1.2 contains several bug fixes and improvements, such as enhancements to RTL (Right-to-Left) language support and a fix for the issue where updated_on was updated even when the issue edit form was submitted without any changes.

Changes

Common changes in 6.1.2, 6.0.9 and 5.1.12 (6 changes)

Security

  • Defect #43661: Unsafe eval usage in AttachmentsHelper
  • Defect #43690: Directory Traversal via Backslash-Separated Paths in Filesystem SCM
  • Defect #43691: DOM (Stored) XSS in @mention autocomplete via unescaped user name
  • Defect #43692: LDAP Injection (Unescaped Input in LDAP Search Filter)
  • Defect #43694: DOM XSS: HTML Injection via Custom Field Name in Query Filter Generation
  • Defect #43830: User who is allowed to view only their own time entries can retrieve other users' time entry details by directly specifying the TimeEntry ID via the REST API

Common changes in 6.1.2 and 6.0.9 (10 changes)

Code cleanup/refactoring

  • Patch #43872: Update GitHub Actions workflow dependencies

Database

  • Patch #43668: Serialize address limit checks during email_addresses#create

Issues

  • Feature #43837: Add a hint to the issue relation add form that clarifies multiple comma-separated issue IDs are accepted

Issues filter

  • Patch #43736: author.group filter test fix

Issues list

  • Defect #31972: An empty group_count badge is displayed when grouped with created_on

Permission report

  • Feature #43659: Set minimum width for Permission column in permission report

Security

  • Defect #43840: Update Nokogiri to 1.19.1

Text Formatting

  • Defect #40918: Wiki "Edit this section" does not extract SeText headings correctly in CommonMark Markdown

UI

  • Defect #43804: Custom field preview does not work on bulk issue edit
  • Defect #43869: Default assignee selected by category is not shown in UI

Changes only in 6.1.2 (14 changes)

Calendar

  • Defect #43718: Issue beginning/ending arrows should be flipped in RTL calendars

Code cleanup/refactoring

  • Patch #43649: Remove MySQL 5.7-related comments from database.yml.example
  • Patch #43713: Add missing entries "apps" and "shield-check" to icon_source.yml

Issues

  • Defect #33610: Submitting the issue edit form without changes unexpectedly updates updated_on

Performance

  • Defect #43651: Searching issues with searchable custom fields causes a performance regression on MySQL

Text formatting

  • Defect #43662: Cursor may move to incorrect position when pasting inline images from clipboard

Themes

  • Feature #43087: Allow to change icons sprites from theme

UI

  • Defect #43664: Project menu tab left/right buttons are broken in RTL layout
  • Defect #43672: Indent icons for subtasks and subprojects in list tables are misplaced in RTL layout
  • Defect #43674: Unintended global `ol` styling in changeset CSS
  • Defect #43675: "Add filter" dropdown in query form appears on the wrong side in RTL layout
  • Defect #43714: Arrow buttons for Available/Selected columns are misleading in the issues query form on RTL layouts
  • Defect #43715: Project selector does not indent subprojects in RTL layout

Wiki

  • Feature #43631: Add "include_subprojects" parameter to recent_pages macro to include pages from subprojects

Changes only in 5.1.12 (1 change)

Library Update

  • Defect #43864: Update Nokogiri to 1.18.9
