DSpace 8.4 is now available!

8 views
Skip to first unread message

DSpace Technical Support

unread,
Jun 1, 2026, 11:58:22 AM (2 days ago) Jun 1
to DSpace Technical Support

We are pleased to announce the release of DSpace 8.4!  This release provides security fixes, performance improvements, accessibility improvements and bug fixes to the 8.x platform. No new features are provided. As such, this release should be an easier upgrade for sites already running 8.x.


Download DSpace 8.4


Security Fixes

  • Fix for GHSA-9x82-rm84-c6x7 (high severity). Remote Code Execution (RCE) possible in Velocity templates used by LDN (Linked Data Notifications) when COAR Notify is enabled. (NOTE: A CVE ID has been requested but not yet assigned)

  • Fix for GHSA-9qm4-rh6w-pq5x (moderate severity). Path traversal vulnerability possible in LDN (Linked Data Notifications) message generation when COAR Notify is enabled. (NOTE: A CVE ID has been requested but not yet assigned)

  • Fix for GHSA-v66x-68f2-pxf5 (moderate severity). Path Traversal Vulnerability is possible in Curation Task Reporter output path. (NOTE: A CVE ID has been requested but not yet assigned)

  • Fix for GHSA-c827-pw3m-67w7 (moderate severity). ORE resource URI does not validate scheme for non-web resources when harvesting OAI content. (NOTE: A CVE ID has been requested but not yet assigned)

  • Patch for CVE-2026-27739 in Angular SSR (critical severity). All versions of Angular SSR (Server Side Rendering) contain a critical SSRF (Server-Side Request Forgery) vulnerability, which may be possible to exploit in DSpace sites that are not running DSpace behind a well-configured proxy (see mailing list announcement).  


Breaking Changes

We include a “Breaking Changes” section to the Release Notes to notify you of major changes which may impact your upgrade. Please visit the Release Notes for the full details.


A few key breaking changes to be aware of in DSpace 8.4:

  • Frontend's new "ui > baseUrl" setting helps to patch against the Angular SSR vulnerability CVE-2026-27739.

  • Replaced "webui.content_disposition_format" with "webui.content_disposition_inline" (in dspace.cfg). This improves security of unknown or custom formats by only displaying trusted formats inline.


Major Bug fixes / improvements include:

  • General user enhancements and fixes

    • Fixed bug on Browse by Issue Date where the date was treated as a filter rather than a start date for decades. #10055 (Donated by Atmire)

    • Fixed a bug where the IIIF viewer was not working due to a missing mime.types file. #11804 (Donated by 4Science)

    • Fixed a bug where authentication methods would not appear if page refreshed before authentication token expired. #4662 (Donated by Atmire)

    • Fixed a bug in hierarchical vocabulary browse where only the first 20 matches to a query were rendered. #4500 (Donated by Atmire)

    • Fixed an issue where deleted bitstreams returned HTTP 401 unauthorized instead of 404. #11629 (Donated by Jesiel Viana)

    • Fixed bug where LDAP authentication would fail with when a user's LDAP entry had no email field. #11292 (Donated by dataquest)

    • Fixed bug where metadata export was no longer respecting metadata.hide.* properties #11197 (Donated by Atmire)

    • Fixed bug with the "Show more" functionality of truncatable component for content containing HTML #4948 (Donated by 4Science)

    • Fixed an issue where memory errors would occur when downloading large bitstreams from an S3 remote. #12468 (Donated by 4Science)

    • Fixed bug where hierarchical & advanced search on community and collection pages redirected user to the global search route. #5210 (Donated by Atmire)

  • Submission / Workflow enhancements and fixes

    • Fixed an issue where loading many mapped collection forms via item-submission  could cause a Fetch error. #10750 (Donated by Paulo Graça)

    • Fixed bug where a Submitter could not deposit items via SWORD when the item had an embargo defined. #10404 (Donated by dataquest)

    • There is now a configurable limit on the number of items that can be added or edited in a single CSV metadata import. #9663 (Donated by Neki-IT)

    • Fixed an issue where controlled vocabulary lookup was not working for text with accented characters. #12097 (Donated by Istvan Vig)

  • Administrative enhancements and fixes

    • Fixed an issue where the curation task CreateMissingIdentifiers would not work for an item without a handle. #11676 (Donated by The Library Code)

    • Fixed bug where "cleanup" command-line script would fail if deleted bitstreams still had orphaned rows in bundle2bitstream. #11009 (Donated by Atmire and The Library Code)  

    • Fixed an issue where the checksum checker could fail to complete due to memory constraints in repositories with many bitstreams. #7322 (Donated by Miika Nurminen)

    • Fixed bug where creating an EPerson would fail for an email containing uppercase letters. #4338 (Donated by PCG Academia)

    • Fixed an issue where the menu reducer could throw an error when you tried to delete an already deleted menu section. #4539 (Donated by Atmire)

  • Integration fixes

    • Fixed bug occurring during OAI update process when batch size exceeded and items had metadata-level embargoes. #12112 (Donated by Toni Prieto)

    • Fixed several failures occurring with the OpenAIRE Search API. #11967 (Donated by dataquest)

    • OAI-PMH now serves pre-transformed HTML if the client sends an Accept header requesting text/HTML. #11648 (Donated by The Library Code)

    • ORCID iDs are now included in the metadata that gets sent to DataCite from DSpace. #9883 (Donated by Eike Löhden)

    • ORCID iD icons and links are now displayed according to ORCID's Display guidelines. #4656 (Donated by 4Science with additions by Nicholas Woodward)

    • Enabled sending a Client-Id header in requests to the ROR (Research Organization Registry) API.  #11653 (Donated by 4Science)

  • Performance improvements

    • Improved performance by optimizing the SQL query in the findByEPerson method. #11472 (Donated by Toni Prieto)

    • Improved performance on the signposting endpoint by adding a count query. #12305 (Donated by Tina Schönborn)

    • Improved loading times and cache behavior for the community list page. #9911 (Donated by 4Science)

  • Fixed a large number of other bugs. See Release Notes for details.



New and improved Language support

  • German (Deutsch) language updates donated by Sascha Szott (saschaszott)

  • Italian (Italiano) language updates donated by 4Science


A total of 51 individuals contributed to 8.4. For a full list of changes and contributors in 8.4, see our Release Notes.


Would you like to contribute to a future DSpace release? 


DSpace is built and supported by community volunteers. We have no centralized development team. Therefore, we welcome contributions from anyone! Contributions may take the form of:

  • Contributing money to our DSpace Development Fund - All funds go directly towards development in the next release(s), and you will be acknowledged on our DSpace Development Fund page.

  • Contributing code - As a volunteer developer you can determine which issue ticket you’d like to work on. Join our weekly developer meetings or get in touch with Tim Donohue if you have any questions.


If you’d like more information on ongoing development, please consider joining our weekly developer meetings, or follow along by reading the public notes of past meetings.


Reply all
Reply to author
Forward
0 new messages