Hi all,

A quick recap of what the OFBiz community got done in May 2026.

24.09.06 <https://lists.apache.org/thread/vsnvbbbfbdlj1vgp9kz7s7yxqmn9ngpm>
is out and a batch of 17+ CVEs is patched—please upgrade.

118 issues touched · 27 opened · 80 resolved · 1 release · 17+ CVEs

Shipped

   - 24.09.06 released (May 19), carrying a coordinated 17+ CVE disclosure
   (SSTI→RCE, JWT forgery, path traversal, SSRF). Treat as an upgrade-now item.
   - OFBIZ-13407 <https://issues.apache.org/jira/browse/OFBIZ-13407>
   — patched several Apache Tomcat CVEs via dependency update.
   - OFBIZ-9205 <https://issues.apache.org/jira/browse/OFBIZ-9205>
   — fixed a long-standing accounting bug where cancelling a taxed order
   created wrong OrderAdjustments (lands in 24.09.07).
   - OFBIZ-13425 <https://issues.apache.org/jira/browse/OFBIZ-13425>
   — PO shipments are now correctly marked received when receipts contain
   rejected units (24.09.07).
   - OFBIZ-13412 <https://issues.apache.org/jira/browse/OFBIZ-13412>
   — added H2 database support to trunk, replacing retired Derby.
   - OFBIZ-13138 <https://issues.apache.org/jira/browse/OFBIZ-13138>
   — JUnit 5 unit testing enabled framework-wide (4.13.x → 6.1.x migration
   <https://lists.apache.org/thread/ssh1m7s3qyn3126qm0q7d7n6shrvmcw2>).
   - OFBIZ-13426 <https://issues.apache.org/jira/browse/OFBIZ-13426>
   — dedicated SECURITY_PWD_UPDATE permission for cross-user password
   resets.

In progress

   - OFBIZ-13262 <https://issues.apache.org/jira/browse/OFBIZ-13262>
   — inventory reservation flow for manufacturing work orders; first changes
   in trunk, feature still being built out.
   - Headless plugins — Headless Commerce plugin
   <https://issues.apache.org/jira/browse/OFBIZ-13410>
   plus a headless, API-first manufacturing proposal.
   - OFBIZ-13398 <https://issues.apache.org/jira/browse/OFBIZ-13398>
   — PWA Picking Application as a new plugin (PR + demo posted
   <https://youtu.be/9ByUvnGx5ws>).
   - Framework decoupling — removing application dependencies from
   framework code <https://issues.apache.org/jira/browse/OFBIZ-13418>;
   sub-tasks for UserLogin.userFullName
   <https://issues.apache.org/jira/browse/OFBIZ-13392>
   and EntityPermissionChecker
   <https://issues.apache.org/jira/browse/OFBIZ-13393> are
   already done.
   - Proposals on the dev list — move the REST-API plugin into the
   framework; backport Tomcat 10 / Jakarta to release24.09.

Also worth knowing

   - Apache Derby retired — H2 is the path forward (see OFBIZ-13412 above).
   - Business Advisory Committee — proposal to add a business-side
   governance body as OFBiz expands into enterprise automation.

Thanks to everyone who pitched in: Jacopo Cappellato (release manager),
Mridul Pathak, Ashish Vijaywargiya, Deepak Dixit, Anil K Patel, Jacques Le
Roux, Divesh Dutta, Arun Patidar, and many more.

Best,
Aditi Patel
HotWax Commerce
[email protected]