NEW critical security update: Vanilla 2.6.3
All installations must be upgraded to Vanilla 2.6.3 immediately. Please follow the upgrade instructions in the README. (Version 2.6.2 was defective and has been replaced.)
This release contains multiple critical security patches. There are no new features or backwards-incompatible changes.
A security update to the 2.5 branch of Vanilla is also now available as 2.5.6. If you are able to run PHP 7.0+, we strongly recommend you do so immediately and upgrade to 2.6.3 (above).
All of the issues patched in these releases were brought to our attention responsibly via our HackerOne campaign, which you can view and participate in by visiting https://hackerone.com/vanilla. We're not aware of any of the issues being exploited in the wild or being otherwise publicized at this time. That said, you should upgrade immediately because it's often easy to infer previous vulnerabilities from the patched code.