OXID eShop 7.4.1

Release date: May 27, 2026

The patch release OXID eShop 7.4.1 improves the stability, security, and compatibility of existing projects: Composer 2.9 compatibility, security improvements for media uploads, and bug fixes and additions in the Content & Media Bundle.

For a short and more technical overview of the changes, see the Release Notes.

Composer 2.9 Compatibility

Composer 2.9 introduces an automatic security audit and aborts the installation if packages with known security issues are present. With the OXID eShop 7.4.0 Compilation, this could cause the installation to fail with the default settings of Composer 2.9.

In Compilation 7.4.1, the affected packages have been updated so that the installation works smoothly with the default settings of Composer 2.9. OXID eShop 7.4.1 can be installed both with Composer CLI 2.8 and Composer CLI 2.9.

Content & Media Bundle

Media Library (v4.2.0)

The Media Library now checks uploaded files for content, MIME type, and file name and rejects files that could pose a security risk — for example, manipulated SVG files or file names pointing to directories outside the Media Library. Common attack vectors via manipulated uploads can be blocked this way without any code adjustments.

WYSIWYG Editor (v6.0.3)

The WYSIWYG Editor has been stabilized: toolbar interaction, saving content containing emojis, and integration with the shop theme work reliably again. In detail, the following issues were fixed:

  • Summernote toolbar dropdowns did not open due to a Bootstrap 5 event-delegation conflict.

  • Content was lost when emojis were used in text widgets (#0007619).

  • Incorrect Bootstrap style imports that affected shop styles have been corrected.

Visual CMS (v9.2.1, Professional and Enterprise Edition only)

Content teams get extended options for time-based visibility control of widgets; at the same time, several editing and migration issues were fixed.

New in Visual CMS:

  • Nested activity groups with AND/OR logic enable complex time-based visibility rules for widgets.

  • Exclusion periods for activity periods allow widgets to be hidden during specific intervals within an active period.

In addition, several issues were fixed:

  • Widget properties of column widgets were not displayed when another widget and the column widget were opened for editing simultaneously.

  • The ddoevisualcms:migrate:veparse-to-vetree command now activates the “widget mode” flag for converted “veparse” content.

  • Content was lost when emojis were used in text widgets (#0007619).

  • Media URLs in text widgets are now migrated by the ddoevisualcms:migrate:urls-to-ids command.

  • Date pickers now respect the shop’s configured date format setting.

  • The carousel widget now retains images and links after re-opening the edit dialog.

Impact on existing projects

  • Update recommendation: The patch release is compatible with OXID eShop 7.4.0 and can be installed without functional changes to the shop.

  • Composer version: With 7.4.1, installations work both with Composer CLI 2.8 and 2.9 without special configuration.

  • PHP version: No change — the PHP versions supported for 7.4.0 remain valid.

  • Content & Media Bundle 9: Brought up to the latest patch versions (Media Library 4.2.0, WYSIWYG 6.0.3, Visual CMS 9.2.1). Existing content and configurations remain compatible.

  • Security improvements: Included automatically with the update, no additional configuration step required.

Update

For more information about updating from OXID eShop 7.4.0 to 7.4.1, see the Release Notes.