CoreSpatial 2026-Q1 Release Announcement

March 31, 2026 CoreSpatial, Product Announcements

NGS is pleased to announce the 2026.1 release of CoreSpatial Server, Map Manager and Portal

The highlight of this release is our CoreSpatial Portal release based on MapStore2 v2025.02.02. This is a large rollup that advances through multiple upstream MapStore2 releases. See full details below.

We also look forward to continued development in the following areas:

  • Bulk tile collection projects via Map Manager UI
  • Expanded image handling capabilities in Map Manager – georectification of commercial drone imagery using JPEG EXIF
  • Desktop GIS integration via QGIS

CoreSpatial Server and Basemaps Release Notes

2026.1.7 (03/31/2026)

  • Update GeoServer to 2.28.3
  • Update PostgreSQL JDBC jar to 42.7.10
  • Update C3P0 Connection Pooling lib 0.12.0
  • Improve SBOM/CVE diff automation (new scripts, live image scans, and previous-release SBOM comparisons)

2026.1.6 (03/03/2026)

  • Patch five High/Medium CVEs in bundled JARs
  • Add support for multiple SBOM formats: SPDX, CycloneDX, and Syft

2026.1.5 (01/21/2026)

  • Patch vulnerabilities discovered in UBI 9 base image

2026.1.4 (01/30/2026)

  • Patch vulnerabilities discovered in UBI 9 base image

2026.1.3 (01/26/2026)

  • Patch vulnerabilities discovered in UBI 9 base image

2026.1.2 (01/21/2026)

  • Patch gnupg2 High severity vulnerability affecting the Docker container base image

2026.1.1 (01/14/2026)

  • Patch libpng to remediate High severity vulnerability affecting the Docker container base image

CoreSpatial Map Manager Release Notes

2026.1.9 (03/30/2026)

  • Refresh runtime container packages in the final Docker image to clear fixed vulnerabilities in the release container

2026.1.8 (03/25/2026)

  • Bump Spring Boot to 3.5.12 to remediate JAR vulnerabilities affecting Tomcat and Spring Web MVC
  • Update PostgreSQL JDBC to 42.7.10, Logback to 1.5.32, commons-io to 2.18.0, commons-lang3 to 3.19.0, and commons-compress to 1.27.1
  • Separate WMS Scraper into its own versioned release flow

2026.1.7 (03/06/2026)

  • Bump Jackson to 2.18.6 to remediate a JAR vulnerability

2026.1.6 (03/03/2026)

  • This release was cut to patch vulnerabilities discovered in the base container image

2026.1.5 (02/02/2026)

  • Bump react-router and react-router-dom to 6.30.3 and @remix-run/router to 1.23.2
  • Bump lodash to 4.17.23

2026.1.4 (01/30/2026)

  • Remove Python from the runtime image so it remains build-time only for GDAL
  • Pin Logback to 1.5.25 for vulnerability remediation
  • Set Flyway baselineVersion to 0 in application and test configuration

2026.1.3 (01/26/2026)

  • This release was cut to patch vulnerabilities discovered in the base container image

2026.1.2 (01/21/2026)

  • Patch gnupg2 and jaraco-context High severity vulnerabilities affecting the Docker container base image

2026.1.1 (01/14/2026)

  • Patch libpng to remediate High severity vulnerability affecting the Docker container base image

CoreSpatial Portal Release Notes

2026.1.1 (3/30/2026)

This release is a large rollup that advances the MapStore2 submodule through multiple upstream releases. The full details of upstream changes can be found in the MapStore2 release notes on GitHub:

New Features & Enhancements

  • Cesium Ion World Terrain — Added Cesium Ion World Terrain support for 3D map view; reads ionAccessToken and terrainProvider from localConfig.json with graceful fallback to default ellipsoid when no token is configured
  • Manager Page Plugins — Fixed blank manager page by adding UserManager, GroupManager, TagsManager, IPManager, and Footer plugins to the manager configuration; added missing translation keys throughout

Bug Fixes

  • Fixed duplicate file upload attempt that could trigger two concurrent upload requests
  • Fixed OSM background layer CORS errors by using explicit HTTPS tile URLs in base configuration

Security & Infrastructure

  • Switch to Iron Bank ubi9 base image for the container
  • Bump Tomcat to 9.0.108 (from 9.0.90) in RPM and container builds, addressing multiple CVEs across the 9.0.x series
  • Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.18.0
  • Bump org.apache.cxf:cxf-core from 3.5.10 to 3.5.11
  • Multi-format SBOM generation (syft-json, cyclonedx-json, spdx-json, table) now included with all releases
  • CVE diff reporting added to release pipeline for tracking vulnerability changes between releases

Database Migrations

  • Migration 005 — Adds gs_ip_range and gs_security_ip_range tables required by GeoStore 2.4.0 for IP-based access control. Deployments upgrading from older GeoStore versions will have schema validation errors fixed by this migration.

Testing

  • Added Playwright end-to-end regression test suite

Tags:

Related posts