DXP Releases for 2026

Dependencies have been upgraded to address security issues, ensuring a safer and more reliable system.

Headers disallowing caching had already been set when a query string parameter was present in the URL.

When the Redirect URLs with Trailing Slash system configuration was activated, if a query string were present in the URL, the redirect would be served with headers instructing upstream caches not to cache the result. This header instruction resulted in requests being unnecessarily forwarded to the CMS.

The cacheability headers were unset and explicitly reset to appropriate values by the CMS when performing the redirect from URLs containing a trailing slash.

CMS now sends appropriate cachability headers when redirecting from a trailing slash, and a query string is present

The wrong asset was being matched for an event that retrieved keywords.

This mismatch prevented keywords from displaying on the Format Bodycopy contents screen under a Custom Form.

The event listening logic now directly checks for this scenario and delegates correctly.

Keywords on the content screen now list correctly for Format Bodycopy assets under Custom Forms.

The PHP end() function returned false if run on an empty array.

When no results were present, search pages with custom grouping could produce a fatal TypeError on some platform versions.

The code path for custom grouping was updated to avoid calling end() when there were no results.

All platform versions will now correctly show the no results page when custom grouping is enabled.

When the option to use UUIDs instead of asset IDs for linking to assets directly was introduced, the image preview code was not changed.

If the URLs containing ?a= will return a 404 system setting was enabled, then the preview for an image on the details screen showed a broken image due to a 404 Not Found error.

The preview URL for images was updated to use the external-uuid link.

Image previews now appear normally, regardless of whether the URLs containing ?a= will return a 404 system setting is active.

To ensure compatibility with platform versions, the ^increment and ^decrement keyword modifiers no longer have any effect on strings that are not entirely numeric.

For example, a value of "mach 1" would previously have been modified by ^increment to output "mach 2". And a value of "aa" would have become "ab".

These types of transformations no longer occur, and they will be output unchanged as "mach 1" or "aa".

Wholely numeric values, such as "5432" or "-26", will still be incremented or decremented normally by the keyword modifiers.

Thesaurus filters on Asset Listing Pages treat all related links to thesaurus terms as filter weights, and newer platform versions change the behaviour of arithmetic operations on non-numeric strings to be fatal.

Thesaurus filters on Asset Listing Pages would often cause a fatal error on newer platform versions.

The fix implemented ignores non-numeric strings when performing arithmetic operations for Thesaurus filters.

Thesaurus filters on Asset Listing Pages now work correctly regardless of the link values in the system.

Changes to allow Matrix to use the fastest database in the backend exposed an issue where transactions were being started on the read-only database. A warning was added to help identify any cases that were missing from the test suite.

A small number of these human-readable diagnostic warnings were subsequently shown to users.

The incorrect transactions have been removed, and the warnings will stop showing to users. Squiz Content Management can reliably use a faster DB in the backend.

Squiz Content Management was unable to cache asset URLs within DejaVu, so whenever URLs were used, a Database lookup was required, even if the asset was already cached in DejaVu.

To attempt to fix this problem, Squiz Content Management was updated to cache asset URL information within DejaVu alongside the rest of the asset details.

However, this change to the product resulted in an unplanned regression and had to be removed in this hotfix version.

Provide layout ID and display layout and component information more consistently.

Layout ID available from the information form, and improved consistency between page builder and Squiz DXP layout/component information.

Clearing block validation warnings, missing checks for locked layout zones, or containing locked layout zones.

Incorrect block validation warnings are displayed when saving a template.

Updated clear validation warning logic to evaluate whether a zone is a locked layout or contains one.

Unlocking top-level zones and locked layouts results in the correct clearing of block validation warnings.

When a Content Template is imported with the XML tool, it does not sync correctly with the template service.

There is a visible error in the import HIPO job, and then an error when visiting the content screen of any Content templates after import.

Template name sync no longer occurs on import, and a template record is created for the newly imported Content Template asset.

No errors are displayed in the import HIPO job, and the newly imported Content Template can be edited from an empty state.

When a layout zone was set as a primary zone on a templated page, it wasn’t getting reset when that layout was deleted from the page.

Template service validation failed if a user tried to save the page.

The fix clears the primary zone to null if a layout primary zone was deleted.

The page now saves when a layout that had a zone set as primary no longer exists on the page.

When a templated Content Page had a template applied, resulting in unused content, continuously swapping back and forth between the original and new template corrupted the state of the content page. Content page editing is unusable until the page is reloaded.

Better data conversions were implemented to handle continuous transformations.

Content page editing remains usable after switching between two templates in a single session.

A link to Squiz DXP logs was available for Content Page assets, but was missing for Content Template assets.

With this minor improvement, users can now navigate from Content Template asset logs to DXP logs and view logged events for that asset.

Previously, when the chatbot provided a generic fallback response (for example, "I’m sorry, I couldn’t find an answer"), this interaction was successfully shown to the user in the chat window but was not saved to the permanent history log.

The system now correctly records all response types, ensuring your conversation history accurately reflects the full dialogue.

Previously, the X-Forwarded-For edit plugin did not have a dedicated mode to isolate only the final IP address in a forwarded chain. This made it difficult to handle specific network configurations where the last hop was the required identifier.

The plugin now includes a KeepLast configuration mode. When enabled, the plugin strips all other IP addresses from the X-Forwarded-For header, retaining only the last one.

This update ensures more accurate IP detection for search usage analytics, Curator, and IP-based access restrictions in complex proxy environments.

Archive extraction with data sets large enough to split over multiple unzip processes could trigger duplicate folder creation if files in those folders were split over multiple unzip processes.

As a result, duplicate folders could appear in the frontend DXP Console File Store browser causing visual confusion. While File Store still unzipped the archives correctly, the duplicate folders could cause visual confusion for users.

The fix adds additional checks to ensure duplicate folders are not created under these conditions.

The course material has been updated to support the current layout development capabilities, which include the switch to the manifest.json configuration file format.

This information brings this part of the course up to current configuration recommendations.

Enroll now through Squiz Academy.

The generic messages shown to users when uploading schema changes are now replaced with more helpful messaging.

This minor improvement to error message communication may help users identify and fix issues with their schemas more readily.

Read Schema upload errors in the Single Customer View section of the Customer Data Platform docs.

If the binoculars needed to switch trees to find an asset, because it is not found underneath the current one’s restricted root node, the current selection was then cleared on the original (and thus incorrect) asset tree.

Multiple assets could end up selected, on the newly shown asset tree, when using the binoculars.

The asset selection clearing was made consistent with other selection clearing code.

Only the asset located by the binoculars will be selected.

Duplicate form submissions could occur if the same POST request were made multiple times and other protections did not prevent it.

With the Form submission token validation feature flag enabled, a Form Submission Token Validation to Prevent Duplicate Submissions setting becomes available on the Content screen of Custom Forms assets. When this option is enabled, a token is added to the custom form and tracked on the server to ensure that a submission is processed only once.

An issue is known where file attachments may still be processed in duplicate submissions, even though an error apperas for the attachment. This known issue will be fixed before the full release of the feature and removal of the feature flag.

Certain platform upgrades could cause breaks in how htmlspecialchars and htmlentities work, potentially breaking the encoding of special characters and entities.

The fix adds a feature flag that allows preserving the old behaviour. Upgrading systems in this way will no longer cause encoding to break.

Squiz Content Management has been unable to control cache times for __data, resulting in some files remaining in cache longer than necessary.

If the Serve __data from Matrix is enabled, Matrix will now directly serve file assets with __data URLs.

The administration interface references to virus scanning have been removed.

The way Squiz Content Management scanned files for potential malware did not scale up in the Squiz DXP environment. It also should not be possible to turn this feature on and off because the legacy virus scanning system was not implemented.

Squiz is reassessing how best to perform malware scanning of files in the Squiz DXP environment and which interface is required to support this function.

The zone ID was stored as a zone name for some unused content zones, including parent and missing block zones. In some unused content scenario conditions, the zone ID was displayed instead of the zone name.

The fix looks up the zone name, if available, instead of the zone ID for unused content zones. This change means that zone names take precedence over zone IDs in the Page Builder Layouts UI.

The message string "A layout update has removed this entire zone" now appears for page-managed content on a templated page. This message string replaces the longer string "A layout update has removed this entire zone. This content will continue to re-appear here until it is handled in the template."

Two strings could appear in unused content as a result of deploying a new version of the layout that had zones changed or removed. The wrong message was displaying incorrectly in page-managed content on a templated page, and this fix improves the messaging in this area of the UI.

An adjustment was made to layouts when content was moved to Unused content during a layout update. Any parent layouts that a layout is nested in will now appear as a structural placeholder in Unused Content, so the content editor knows where the layout came from.

When emptied, these parent layouts were not automatically removed, and there was no way to remove them other than clicking the checkbox to clear Unused Content entirely. Now, any partially affected layouts in Unused Content will disappear when emptied.

Unused content reasons due to layout zone changes now cascade to any nested layouts affected by them.

Before this improvement, if unused content appeared after deploying a different version of a layout, unused content reasons would appear on the top-level layout, but not on nested affected layouts.

Fixed missing mapper passthrough on retry from the previous step, improving retry reliability.

This ensures the message retry behavior includes mapper passthrough.

When a contract owner removes a user who was the only member of a developer team, ownership now automatically transfers to the first contract owner.

This fix prevents orphaned teams when the sole member is removed.

Initial component release.

Initial component release.

A new eLearning course for Site Builders is available that provides foundational learning to support customers who are using or want to use the recently released content templates feature.

Read the January 2026 new features to learn more.

A new learning plan for Site Builders brings together three learning materials on content template design fundamentals.

Read the January 2026 new features to learn more.

The ELV25-009, ELV25-010, ELV25-011, and ELV25-012 video eLearning courses are now available in Squiz Academy.

Read the January 2026 new features to learn more.

A Force XML plugin is available in Squiz Search to work around issues with non-conformant XML source files.

Read the January 2026 new features to learn more.

Zones in the page outline (and unused content) now appear in the order defined in manifest.json

Read the January 2026 new features to learn more.

A recent product improvement to the way manifest files in templates are structured using JSON is now reflected in the Component Service documentation.

Read the January 2026 new features to learn more.

Read the February 2026 new features to learn more.

For a tenant with custom roles enabled and a single Search instance when non-owners logged in non of there custom roles were being used.

When logging in a user the code changed there user record type and roles to only include the clients primary role. Consequence:

The code has been adjusted to ensure the user record is not changed when a user logs in.

The useer has the roles assigned to them to complete required Search tasks.

The segment sets feature allows administrators and site builders to scope Personalization segment sets based on their required availability across sites.

The documentation required to understand this feature was updated to reflect the support for segment sets in Squiz Content Management.

Read the Segment scoping documentation to learn more.

Added: Send event on non-push data source update stop. Changed: Send event after successful view swap for non-push data sources as a post swap step instead of during the index phase. Send event after successful commit for push data sources as a post commit step instead of during the index phase.

An incorrect name for the page parameter was used when creating page navigation links.

Page navigation links contained multiple incorrect parameters for page numbers, and the wrong page was loaded.

Page parameter name is fixed when generating URL links, so the parameter is properly cleared and set to the correct page number.

Page navigation links now only contain a single page parameter with the correct value.

preg_replace works with URLs that include query params. Some replacement patterns preserve query params in the output, then the code appends them again, causing duplicates.

Query parameters are duplicated in redirect URLs when remap rules have "Preserve query string in remaps" enabled. For example, /example?foo=bar redirects to /example2?foo=bar?foo=bar instead of /example2?foo=bar.

The fix extracts query params before regular expression replacement, strips them from the URL, then merges the query parameters back by using getRemapUrlWithQueryString(), which handles the existing ? correctly.

Query parameters are preserved exactly once in redirect URLs.

A value used in Workflows was not being correctly type-checked, which caused a PHP fatal error in certain circumstances.

The value causing the fatal error now has correct type checking in place.

The ability to preserve legacy handling of HTML entities and special character encodings was added in 6.80.0 as described in the January 2026 errata.

It was discovered that this feature change could not accept null values from other parts of the codebase. Fatal errors were generated (including visible errors on the frontend interface) when certain variables or keyword modifiers are used.

The fix combines Null values into an empty string before handling.

The original fatal errors no longer occur, and null values are treated as empty strings.

Squiz Content Management was unable to cache asset URLs in DejaVu, so whenever URLs were used, a Database lookup was required even if the asset was already cached in DejaVu.

Squiz Content Management will now cache asset URL information in DejaVu alongside the rest of the Asset details, reducing database queries and improving page render times for pages with many URL lookups.

Squiz Content Management was unable to cache asset permissions or major links (Type 1/2) within DejaVu, so any requests had to go to the database to fetch those details.

Squiz Content Management will now cache asset permissions & major links (Type 1/2) in DejaVu alongside the rest of the asset details, reducing database queries and improving page render times for pages with many URL lookups.

The "missing zone" reason is attributed to top-level zones changing from page-managed to locked.

An incorrect zone reason was displayed for template-locked top-level zones in unused content.

Detect when the page managed zone specifically changed to template-locked and assign the correct reason.

The correct locked zone reason appears when the page zone is changed to template-locked.

Unused content zones could sometimes appear in a random order and not align with the zone order in the template/page.

Zones in unused content appear in the order they are on the page/template, with any deleted zones appearing at the top.

Each code sample in the Data Services documentation now shows the configuration file it is associated with.

This additional prescriptiveness will help readers clearly identify which persistent file any given code sample is from.

Mentions of server components and server-based static file support documentation are now unavailable in the Component Service documentation.

Read the February 2026 enablement updates section to learn more.

A bug was discovered where the date filter plugin threw an error when the Facebook Data Source returned a page type other than POST or EVENT.

The plugin was updated to process page types other than POST or EVENT.

This plugin was changed to allow reading the last x-forwarded-for IP address from the access_restriction.prefer_x_forwarded_for parameter.

This change lets the plugin retain the last IP address if the option is set. This behavior is required by Content Management and Squiz Search to properly track the locations of users who request searches through Content Management.

Documentation required updates that reflected the behavior of search user accounts in Squiz DXP.

Added notes on search user account behavior when DXP users are turned off or re-enabled.

Read Squiz DXP Console Search Custom Roles documentation for more information.

The documentation lacked operational nuances and exhaustive technical restrictions relevant to custom roles in Squiz DXP.

Consolidated all technical guardrails, operational behaviors, and best practices into the public documentation.

Read Search Custom Roles documentation for more information.

The Datastore documentation feature page for JavaScript SDK did not contain links to the SDK.

Improved the aggregation feature page to clearly link to the JavaScript SDK usage page, which now contains links to the SDK itself.

Read Datastore Aggregation documentation for more information.

Read the February 2026 new features to learn more.

Read the February 2026 new features to learn more.

Read the February 2026 new features to learn more.

Read the February 2026 new features to learn more.

Validation rules for dropdown and list fields (Select, Option List, Checkbox List, and Checkbox table) were previously available regardless of whether the field allowed single or multiple selections. That lets users add rules that don’t apply (for example, "Selection Limit" on a single-select field), which could cause errors or confusing behaviour. This improvement restricts the rules offered and applied. Hence, they match the field type: single-select fields show rules that apply to a single value, and multi-select fields show rules that apply to multiple values.

When you add or edit validation rules on a Select, Option List, Checkbox List, or Checkbox Table form field, you will only see rules that are valid for that field. Single-select fields (for example, Select with "Multiple?" off, Option List) show rules such as Length, Email, and Text Contains. Multi-select fields (for example, Select with "Multiple?" on, Checkbox List, and Checkbox Table) show Selection Limit, Selection, and Text Contains.

If you change a Select field from single to multiple (or the reverse), rules that no longer apply are hidden until you switch back; they are not deleted.

Select fields allow select limit rules set to greater than 1 even when set to single select because single select fields require a selection (more than zero). While the server-side code has been updated to treat selection limits greater than 1 as if they were 1, the client-side code has not been updated to support this treatment.

If a single select field has a selection limit set greater than 1, it will never pass client-side validation.

To work around the issue, set the selection limit of single select fields to 1, or remove the rule and mark the field as required. Single select fields can then be filled out in a way that satisfies client-side validation rules.

A regex expecting a string could be passed an array value, which resulted in a fatal error in some cases.

The value is now checked and handled correctly before the regex check.

When merging multiple preference sets with common keys, the code did not preserve the keys that were not common to both preferences. This condition caused some user preferences to be lost during the merge process.

The fix preserves keys that are present in only one of the preference sets during merging. Now users will not lose their preferences, even when they have sets of preferences that share only some keys.

A fatal error (ArgumentCountError) occurred when trying to cascade metadata to assets that could not acquire the lock, causing the UI to stop responding with a loading spinner and returning a 500 error. Incorrect parenthesis placement in the translate() call caused sprintf() to receive the wrong number of arguments because the "metadata" argument was incorrectly placed in translate() instead of sprintf().

Several fixes were necessary to correct this behavior:

The HIPO job now shows a warning message instead of causing a fatal error, allowing users to continue using the page when metadata locks cannot be acquired.

The asset tree was filtering invalid links from the child link count against sq_ast on every load, even though the data was not used anywhere critical, and any corruption is repaired regularly in the DXP.

The data could only be displayed completely if %asset_num_kids% was used in Asset display name.

The asset tree no longer filters out invalid links on each request; instead, it relies on the link table having valid data. In extreme cases, displaying a child asset with ~700k direct children is expected to reduce the ~4.5s asset tree request to ~0.7s.

A content page can be included in a design’s nested content customization. When the "Cache Globally?" option is set, the HTML markup is cached across domains, which causes issues when the cached markup is resolved to page content across origins.

When the markup was cached on domain A, users on domain B who used that cached content would see a "message": "Router: Missing tenant config header" in place of the page content.

The fix changes the markup produced when rendering a content page to allow correct resolution across multiple origins. Users no longer see the missing tenant config header error for content pages in design customizations that are cached globally.

When the default block was hidden, the personalized block action menu in Page Builder displayed an unavailable 'Add Items' menu for active segments without variants.

The fix ensures the personalized block action menu only shows the Add text, Add component, and Add layout menu options when they are available to use.

The dxp_content_template_id attribute was intentionally not set during asset cloning. It was discovered that the template selector relied on this missing attribute to populate the available templates array. Without the attribute present, there was no relationship to the cloned template ID.

The fix to the content page cloning method now sets the dxp_content_template_id attribute to the original templateId. This change populates the available templates array and the template selector is correctly populated when a templated content page is cloned.

It was discovered that the missingBlock reason was incorrectly assigned in unused content for page blocks that were moved into template-locked page zones.

When the page zone changed to a template-locked zone, then the content was deleted, the template incorrectly showed the missingBlock reason rather than the lockedZone reason.

The fix now shows only the lockedZone reason for zones that change from page-locked to template-locked, and correctly tracks content moving between these zones.

Default values were set to NULL to prevent fall back to the default value if a user intentionally cleared the value.

In a template-locked zone, this behavior meant users could not save an empty "default but not required" value. For required fields on a templated page in unlocked zones, this behavior caused validation issues.

The fix ensures that empty default values are set to an empty string when validation can be skipped. For example, a required field in a template-unlocked zone.

When a user acquired locks, opened the Edit panel, then released the locks, the active block was not cleared from window.pbSelection. At the same time, the page was active and the edit panel was open. This problem caused the active block to persist in the edit panel at times.

The fix clears the window.pbSelection.activeBlock information when the page is active in setActiveBlock(), which allows the block to be correctly forgotten and the UI to show the correct state.

Security improvements address dependency vulnerabilities.

This plugin was changed to support prefix mode, so the plugin can facilitate search-based auto-completion when the partial query is sent without a trailing *.

When Prefix mode is enabled, wildcard characters in the query are ignored, and expansion is applied to the end of the entire query (e.g. abc def behaves as abc def*).

Unnecessary requests were initiated when trying to Edit and render the content screen.

The unnecessary requests have been removed, and acquiring locks on the content screen is now faster.

Squiz Content Management JavaScript code assumed that it was the only thing to set the window.opener DOM property.

When the admin interface was opened through a JavaScript link by using window.open(), without sending the noopener argument, some features did not work reliably.

The fix ensures that when the main admin interface code is set, window.opener is reset to null if it is set.

The admin interface now works the same regardless of how the property is called.

It was discovered that external-uuid query parameters were not processed correctly by the system in custom edit layouts.

Assets linked from the Content Management backend would not render correctly if they lacked a URL.

The system now checks for external-uuid query parameters in the backend, which makes the content of assets without URLs load correctly.

A rule to check total selections was not included when validating the Custom form option list field.

The lack of total selections validation caused the "Required entry" validation to allow form submissions when no option was selected from the options list.

The rule to check total selections was updated to include validating the Custom form option list field lists, preventing this condition from being ignored.

Component boolean properties with default values were incorrectly treated as empty strings or null values when set to false.

Pages and templates (with components in locked zones) could not be saved when component boolean properties with defaults were unchecked.

Component boolean properties with defaults are correctly treated as false if unchecked.

Pages and templates with components that have boolean properties with default values unchecked are now correctly treated as false and can be saved.

The course material has been updated to support the current layout development capabilities, which includes layout properties and helpers.

This information brings this part of the course up to current configuration recommendations. Enroll now by visiting Squiz Academy.

The course material has been updated to support the current layout features, which include layout properties.

Enroll now by visiting Squiz Academy.

The asset types allowed to be linked to content pages for modern asset management screens did not include the content page asset types. Content pages could not be selected as a parent location in the asset picker on the modern asset linking screen for another content page.

The content page was added to the list of asset types allowed to be linked to content pages. Other content pages can now be selected as parent locations for content pages from the linking screen.

A failed regular expression was not being checked or handled. In scenarios involving very large data sets, this could cause Server-side JavaScript (SSJS) to be treated as front-end JavaScript.

The regular expression result is now always checked and handled if it fails. SSJS will no longer be executed as frontend JS in this way.

Non-numeric values were being used in addition, which caused a fatal error and prevented the morphing of a select input into a checkbox list input (under a Custom Form).

The value is now checked for numeric validity before the addition attempt, with a sensible fallback option. The morphing of a select input into a checkbox list under a custom form now works as intended.

Logic that handles /data path redirects wasn’t checking for remaps, as well as missing logic to handle when the path is instead /data_direct. This logic error could cause redirections (setup in the Remap Manager) from the /__data path to fail with a 404.

Both /data & /data_direct are now checked during the redirection logic. Remaps from /__data paths setup in the Remap Manager will now work as intended.

If the applied template has been updated (for example, by adding or reordering content), these changes are automatically applied to the page the next time it is loaded in Page Builder. However, they need to be saved to take effect in the frontend.

Before this change, a content editor would need to make a separate manual change to the page content before the Save action is enabled, meaning they could not easily propagate these automatically applied template changes to the frontend.

If the applied template is updated, a content editor can now easily apply these changes to their page by loading it and clicking Save, without having to make any other edits.

In the template selector, a brief error was displayed, followed by a different error once the applied template finished loading.

For example, a templated page with a broken, purged template would display the purged message before the broken message.

A spinner appears in the template selector, and no template alert message is shown until the applied template finishes loading.

Adding a layout to a page was not detected as a change. Therefore, the template selector was not deactivate correctly.

You were able to add, remove, or change a template in this state, which would confuse when your newly added layout was lost.

Newly added layouts are now detected as a genuine page change. When newly added layouts are added to a page, a template cannot be added, changed, or removed until the page is saved.

Those implementing components want better traceability from an uploaded component version in the Squiz DXP Console back to the code that created it, including who created it and when.

When uploading a component version with the dxp-next command-line, developers can add the --version-tag option and specify a custom string to aid traceability back to the source of the change. This string can be any text, but a recommended use is a commit ID or a commit URL. The tag you specify is shown on the component page in the Squiz DXP Console.

The DXP CLI and Simulator defaulted to 0.0.0.0, which was incompatible with Windows environments and contradicts the official documentation. This resulted in "connection refused" errors for Windows users and general confusion regarding the correct URL to use for local development.

Users had to manually substitute 0.0.0.0 with localhost in their browser’s address bar to successfully access the Simulator and follow the tutorial steps.

The change from 0.0.0.0 to localhost ensures a seamless, cross-platform experience that aligns with public tutorials and technical documentation.

Security improvements address dependency vulnerabilities.

Read the March 2026 new features to learn more.

Read the March 2026 new features to learn more.