diff --git a/README.md b/README.md
index 8856c029d..0c31f1de1 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,7 @@ specific Jakarta version of ESAPI, in Maven, you would specify your ESAPI depend
org.owasp.esapi
esapi
- 2.6.2.0
+ 2.7.0.0
jakarta
```
@@ -105,7 +105,7 @@ link to the specific release notes.
the ESAPI GitHub Discussion https://github.com/ESAPI/esapi-java-legacy/discussions/841.
# Locating ESAPI Jar files
-The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.6.2.0.
+The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.7.0.0.
All the *regular* ESAPI jars, with the exception of the ESAPI configuration
jar (i.e., esapi-2.#.#.#-configuration.jar) and its associated detached
GPG signature, are available from Maven Central. The ESAPI configuration
diff --git a/SECURITY.md b/SECURITY.md
index 083874215..c551662fc 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -12,8 +12,8 @@ but if it is anything but trivial, we would charge a TBD consulting fee.
| Version | Supported |
| ------- | ------------------ |
-| 2.6.2.0 (latest) | :white_check_mark: |
-| 2.1.0.1-2.6.1.0 | :x:, upgrade to latest release |
+| 2.7.0.0 (latest) | :white_check_mark: |
+| 2.1.0.1-2.6.2.0 | :x:, upgrade to latest release |
| <= 1.4.x | :x:, no longer supported AT ALL |
## Reporting a Vulnerability
diff --git a/Vulnerability-Summary.md b/Vulnerability-Summary.md
index 7c6f3b0c9..e7eacb6d0 100644
--- a/Vulnerability-Summary.md
+++ b/Vulnerability-Summary.md
@@ -26,6 +26,5 @@ was provided in the description of the CVE.
|[10](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin10.pdf)|There is an RCE flaw caused by an insecure deserialization vulnerability in Apache Chainsaw, a Java-based GUI log viewer. CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw 2.x prior to 2.1.0. However, prior to Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists and remains unfixed.|[CWE-502](https://cwe.mitre.org/data/definitions/502.html)|[CVE-2022-23307](https://nvd.nist.gov/vuln/detail/CVE-2022-23307)|Remote Code Execution is possible if you are running Apache Chainsaw 1.x from the Apache Log4J 1.2.x jar.|None. ESAPI uses ConsoleAppender as the default appender even if ESAPI logging is configured to use Log4J 1.|
|[GHSA-8m5h-hrqm-pxm2](https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-8m5h-hrqm-pxm2)|The default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path.|[CWE-22](https://cwe.mitre.org/data/definitions/22.html)|[CVE-2022-23457](https://nvd.nist.gov/vuln/detail/CVE-2022-23457)|Control-flow bypass may be possible.|ESAPI 2.x, prior to the ESAPI 2.3.0.0 release. Version 2.3.0.0 and later are patched.|
|[11](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin11.pdf)|There is a DoS vulerablity in the FileUploadBase class of Apache Commons FileUpload for releases prior to 1.5. That DoS vulnerability is caused by not limiting the number of files that could be uploaded per single request.|[CWE-770](https://cwe.mitre.org/data/definitions/770.html)|[CVE-2023-24998](https://nvd.nist.gov/vuln/detail/CVE-2023-24998)|None. ESAPI uses a subclass of the affected FileUpladBase abstract class from Apache Commons FileUpload to which a new setFileCountMax() method was added.|Addressed in ESAPI 2.5.2.0 and later.|
-|[GHSA-r68h-jhhj-9jvm](https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm)|Decribes why ESAPI's Validator.isValidSafeHTML is being deprecated and will be removed one year after the ESAPI 2.5.3.0 release date.|[CWE-80](https://cwe.mitre.org/data/definitions/80.html)|N/A (no CVE)|XSS may be possible depending on how the method is used.|All ESAPI versions (all 1.x and 2.x versions). No patch is available until the methods are deleted one year after the ESAPI 2.5.3.0 release date.|
-
-
+|[12](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin12.pdf)
[GHSA-r68h-jhhj-9jvm](https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm)|Decribes why ESAPI's Validator.isValidSafeHTML is being deprecated and will be removed one year after the ESAPI 2.5.3.0 release date.|[CWE-80](https://cwe.mitre.org/data/definitions/80.html)|N/A (no CVE)|XSS may be possible depending on how the method is used.|All ESAPI versions (all 1.x and 2.x versions). No patch is available until the methods are deleted one year after the ESAPI 2.5.3.0 release date.|
+|[13](https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin13.pdf)|There is a bypass around ESAPI's Encoder.encodeForSQL interface (a method that always carried a strong warning) that be result in SQL injection vulnerabilities in code that use it.|[CWE-138](https://cwe.mitre.org/data/definitions/138.html)|[CVE-2025-5878](https://www.cve.org/CVERecord?id=CVE-2025-5878)|May leave applications that use Encoder.encodeForSQL vulnerable to SQL injection.|ESAPI 2.x versions before 2.7.0|
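Review bot: the description cell of the new row 13 reads "that be result in SQL injection vulnerabilities in code that use it"; it should read "that can result in SQL injection vulnerabilities in code that uses it". The affected-versions cell of the same row says "ESAPI 2.x versions before 2.7.0", while every other row and the SECURITY.md table use the four-part form, so "2.7.0.0" would be consistent. The re-added row 12 carries the "Decribes" typo over from the deleted line ("Describes"). Also, as shown here row 12 starts with `|[12](...bulletin12.pdf)` and the GHSA link continues on the following line; a Markdown table row has to be a single line, so if the bulletin and advisory links are meant to share the first cell they should be joined on one line with an inline separator such as `<br>`, otherwise the renderer will end the table at that row.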
diff --git a/configuration/esapi/ESAPI.properties b/configuration/esapi/ESAPI.properties
index 2b24814d9..2df6e7804 100644
--- a/configuration/esapi/ESAPI.properties
+++ b/configuration/esapi/ESAPI.properties
@@ -582,4 +582,4 @@ ESAPI.dangerouslyAllowUnsafeMethods.methodNames=
# justification as to why you have enabled these functions. This can be
# anythuing such as a Jira or ServiceNow ticket number, a security exception
# reference, etc. If it is left empty, it will just like "Justification: none".`
-ESAPI.enableLegCannonModeAndGetMyAssFired.justification=
+ESAPI.dangerouslyAllowUnsafeMethods.justification=
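Review bot: renaming the key to `ESAPI.dangerouslyAllowUnsafeMethods.justification` is the right fix (the old joke name also survived in the test resource deleted further down), but the comment block kept as context directly above it still has "anythuing" for "anything", "it will just like "Justification: none"" with the verb missing (presumably "it will just log"), and a stray backtick at the end of that line; since the file is already being touched, clean those up in the same change. Anyone who already set the old key in their own ESAPI.properties will have their justification text silently ignored, so the rename deserves a line in the release notes.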
diff --git a/documentation/ESAPI-release-steps.odt b/documentation/ESAPI-release-steps.odt
index 22fbd8f23..455863aba 100644
Binary files a/documentation/ESAPI-release-steps.odt and b/documentation/ESAPI-release-steps.odt differ
diff --git a/documentation/ESAPI-release-steps.pdf b/documentation/ESAPI-release-steps.pdf
index db43ee14f..96db0481d 100644
Binary files a/documentation/ESAPI-release-steps.pdf and b/documentation/ESAPI-release-steps.pdf differ
diff --git a/documentation/ESAPI-security-bulletin13.odt b/documentation/ESAPI-security-bulletin13.odt
index 8c26809d2..ee9cb8ef8 100644
Binary files a/documentation/ESAPI-security-bulletin13.odt and b/documentation/ESAPI-security-bulletin13.odt differ
diff --git a/documentation/ESAPI-security-bulletin13.pdf b/documentation/ESAPI-security-bulletin13.pdf
index 18a55f076..8d272b042 100644
Binary files a/documentation/ESAPI-security-bulletin13.pdf and b/documentation/ESAPI-security-bulletin13.pdf differ
diff --git a/pom.xml b/pom.xml
index d60992543..6797acc2a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -3,18 +3,16 @@
4.0.0
org.owasp.esapi
esapi
- 2.7.0.0
+ 2.7.1.0-SNAPSHOT
jar
-
- sonatype-nexus-snapshots
- https://oss.sonatype.org/content/repositories/snapshots
-
-
- sonatype-nexus-staging
- https://oss.sonatype.org/service/local/staging/deploy/maven2
+
+ central
+ https://central.sonatype.org/publish/publish-portal-maven/
+
+ https://github.com/ESAPI/esapi-java-legacy/releases
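Review bot: the new repository URL `https://central.sonatype.org/publish/publish-portal-maven/` is the Central Portal documentation page, not an upload endpoint, and the hunk removes the `sonatype-nexus-snapshots` repository without a replacement at the same time the project version moves to `2.7.1.0-SNAPSHOT`. With the central-publishing-maven-plugin the upload goes through the publishing server id the plugin is configured with rather than through this URL, so either mark this `distributionManagement` entry as a placeholder in a comment or replace it with the endpoint the Portal actually uses, and decide where `mvn deploy` of SNAPSHOT builds should go now that the OSSRH snapshots repository is gone; any CI job or downstream project still resolving snapshots from `oss.sonatype.org` will also need updating.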
@@ -427,6 +425,16 @@
+
+ org.sonatype.central
+ central-publishing-maven-plugin
+ 0.9.0
+ true
+
+ ${project.name}-${project.version}
+ central
+
+
org.cyclonedx
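Review bot: confirm that the bare `true` directly after `0.9.0` is `<extensions>true</extensions>` (the XML tags are not visible in this view), because that is what lets the plugin take over the `deploy` phase; without it the default deploy plugin would still run against the placeholder URL in `distributionManagement`. The visible configuration sets only a deployment name and the `central` publishing server id, so `autoPublish` keeps its default and every deployment will wait in the Portal for a manual publish. For a library whose artifacts are GPG-signed and consumed as a security control that manual checkpoint is a sensible default; the release-steps document updated in this PR should state explicitly that the release has to be published from the Portal after validation, and the person running the release needs a `<server>` entry with id `central` holding a Portal user token in place of the old OSSRH credentials.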
@@ -515,12 +523,6 @@
-
- org.apache.maven.plugins
- maven-deploy-plugin
- 3.1.4
-
-
org.apache.maven.plugins
maven-eclipse-plugin
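Review bot: dropping the pinned `maven-deploy-plugin` 3.1.4 is only safe if the central-publishing-maven-plugin added above is registered with extensions enabled, since that is what replaces the default `deploy:deploy` binding; otherwise Maven falls back to the super-POM's deploy plugin (no longer pinned here) and the build attempts an ordinary HTTP deploy to the documentation URL in `distributionManagement`. Running `mvn help:effective-pom` and checking which plugin the `deploy` phase is bound to would settle this before the first 2.7.1.0 release goes out.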
diff --git a/src/test/resources/esapi/new-props.properties b/src/test/resources/esapi/new-props.properties
deleted file mode 100644
index 5dc3ab1c2..000000000
--- a/src/test/resources/esapi/new-props.properties
+++ /dev/null
@@ -1,58 +0,0 @@
-# For testing new properties part of PR# 886. Hoping these are the only
-# properties that will be needed. TBD.
-
-
-ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
-
-ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory
-#===========================================================================
-# ESAPI Logging
-# Set the application name if these logs are combined with other applications
-Logger.ApplicationName=ExampleApplication
-# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true
-Logger.LogEncodingRequired=false
-# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments.
-Logger.LogApplicationName=true
-# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments.
-Logger.LogServerIP=true
-# Determines whether ESAPI should log the user info.
-Logger.UserInfo=true
-# Determines whether ESAPI should log the session id and client IP.
-Logger.ClientInfo=true
-
-# Determines whether ESAPI should log the prefix of [EVENT_TYPE - APPLICATION NAME].
-# If all above Logger entries are set to false, as well as LogPrefix, then the output would be the same as if no ESAPI was used
-Logger.LogPrefix=true
-
-################## NEW PROPERTIES ###################
-#
-# NOTE: I still like the property name
-# ESAPI.enableLegCannonModeAndGetMyAssFired.methodNames"
-# and
-# ESAPI.enableLegCannonModeAndGetMyAssFired.methodNames"
-# better. Betcha those would be set a lot less often than this "more
-# professional" names will be.
-#
-########################################################################################
-# The following methods are now disabled in the default configuration and must
-# be explicity enabled. If you try to invoke a method disabled by default, ESAPI
-# will thrown a NotConfiguredByDefaultException.
-#
-# The reason for this varies, but ranges from they are not really suitable for
-# enterprise scale to that are only marginally tested (if at all) versus the are
-# unsafe for general use, although them may be fine when combined with other
-# security-in-depth techiques.
-#
-# The disabled-by-default methods are:
-# org.owasp.esapi.reference.DefaultEncoder.encodeForSQL
-# org.owasp.esapi.ESAPI.accessController [FUTURE; will correspond to deprecation notice]
-#
-# The format is a comma-separated list of fully.Qualified.ClassName.methodName;
-# all class names must begin with "org.owasp.esapi.".
-ESAPI.dangerouslyAllowUnsafeMethods.methodNames=
-
-# Normally you would put some text here (that will be logged) that provides some
-# justification as to why you have enabled these functions. This can be
-# anythuing such as a Jira or ServiceNow ticket number, a security exception
-# reference, etc. If it is left empty, it will just like "Justification: none".`
-ESAPI.enableLegCannonModeAndGetMyAssFired.justification=
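Review bot: deleting this resource is consistent with the rename in `configuration/esapi/ESAPI.properties` (the last line here still uses the old `ESAPI.enableLegCannonModeAndGetMyAssFired.justification` key and the "NEW PROPERTIES" comment repeats that name twice), but the header says the file was written for the tests in PR #886, so check that nothing under `src/test` still points the `org.owasp.esapi.resources` property or a classpath lookup at `esapi/new-props.properties`; a test whose resource file has vanished can fall back to the default configuration and pass for the wrong reason. The comment block describing the `ESAPI.dangerouslyAllowUnsafeMethods.methodNames` format (comma-separated fully qualified method names, all under `org.owasp.esapi.`) is useful documentation and should be confirmed to exist in the main ESAPI.properties rather than only here.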