CakePHP 3.10.4 Released

The CakePHP core team is happy to announce the immediate availability of CakePHP 3.10.4. This is a maintenance and security release for the 3.10 branch that fixes a community reported issue, and patches a security vulnerability.

Security Fixes

The 3.10.4 release fixes an encoding issue with the verified tokens feature of CsrfProtectionMiddleware released in 3.10.3. In 3.10.3 verfied tokens were generated using random bytes and would often fail to match as the bytes would be incorrectly encoded when rendered in HTML.


You can expect the following changes in 3.10.4. See the changelog for every commit.

  • Fixed incorrectly encoded CSRF tokens when using the verifyTokenSource option.

Contributors to 3.10.4

Thank you to all the contributors that helped make this release happen:

  • Marc W├╝rth
  • Mark Story

As always, we would like to thank all the contributors that opened issues, created pull requests or updated the documentation.

Download a packaged release on github.