Blog

MachForm v30 is now available for download via your Account Area. This release addresses a critical security vulnerability affecting all previous versions of MachForm. We strongly recommend updating your installation immediately.

Security Patches

• Authentication Bypass (Critical): We have resolved a critical vulnerability in the authentication logic that could allow an unauthenticated attacker to gain read-only access to the MachForm administrative interface under specific conditions. Write operations (such as modifying forms, deleting entries, or changing account settings) were not affected.
• Security Hardening: As part of addressing the above issue, we have also strengthened CSRF token validation across the application and audited the codebase for similar attack vectors. Several additional validation improvements were made as precautionary measures, even where no exploitable vulnerability was identified.

Who Is Affected

This vulnerability affects all MachForm Self-Hosted installations running versions prior to v30. Customers running older versions of MachForm should prioritize upgrading to v30 as soon as possible.

MachForm Cloud customers do not need to take any action. The fix has already been applied to our hosted infrastructure.

Technical Disclosure

We are initially publishing this advisory without full technical details to provide our Self-Hosted customers adequate time to upgrade. Full technical details will be published in the CVE database. We will update this post with the corresponding CVE ID(s) as they become available.

Acknowledgments

We appreciate the responsible disclosure and detailed technical analysis provided by Josh Cool. The report was thorough, precise, and handled with professionalism throughout our coordinated disclosure process.

PHP & MySQL Version Requirements

MachForm v30 requires the minimum version of PHP on your server to be at least PHP 8.1 and MySQL version at least MySQL 5.7. If you’re still using an older version, you’ll need to upgrade your PHP and/or MySQL version first.

Changelog

• Security: Resolved a critical authentication bypass vulnerability (credit to Josh Cool).
• Security: Strengthened CSRF token validation across administrative endpoints.
• Security: Resolved Cross-Site Scripting (XSS) on Users / Entries page and Grid widget (credit to The Chinese University of Hong Kong – ITSC)
• Security: Updated Axios library to use version 1.15.0
• Bugfix: Accessibility issue (missing label) with “Other” field on Checkboxes/Multiple Choice
• Bugfix: Display issue with rating field on mobile devices
• Bugfix: Fixed incorrect “required” validation when a matrix field is being duplicated
• Bugfix: Errors on Stripe payment page when being embedded across different domain
• Bugfix: Uploaded files can’t be accessed on incomplete entries section
• Bugfix: Success page doesn’t display correctly after PayPal payment completed
• Bugfix: File upload counter not being calculated correctly when validation errors occur

How to Update

This update is provided at no cost for users with an active support contract. You can download the package from the Account Area.

Please follow the official upgrade guide here: Upgrading MachForm Self-Hosted

We are thrilled to announce the immediate availability of MachForm v28!

We have focused our energy on completely overhauling one of the most critical parts of data collection: File Uploads.

We have rebuilt the file upload engine from the ground up using an all-new uploader with modernized UI and rock-solid performance to handle the unstable mobile networks and massive file sizes of the modern web.

Here is why you (and your users) are going to love it:

Modern Drag-and-Drop Interface

A sleek, modernized UI that looks great on desktops, tablets, and mobile devices.

Edit & Compress Images

The new file uploader comes with a built-in image editor.

Crop & Resize: Users can crop their images or resize them directly within the upload window before hitting submit.

Image Compression: We now support automatic image compression. This significantly reduces file sizes without sacrificing quality. Saving you storage space and speeding up upload times for your users.

Bulletproof Reliability

Connection drop? Wi-Fi hiccup? The new engine is smart. It detects network failures and retries automatically, ensuring you get the files you need without user frustration. You can even pause and resume the upload process!

Blazing Fast Concurrent Uploads

We have unlocked parallel processing. Instead of waiting for files to upload one by one, MachForm now uploads multiple files simultaneously.

• MachForm Self-Hosted: Enjoy 5x concurrent uploads instantly.
• MachForm Cloud: Powered by Transloadit processing grid, we push this to 20x concurrent uploads for massive throughput.

MachForm Cloud + Transloadit

For our MachForm Cloud users, we have integrated directly with Transloadit (the industry leader in file processing). This allows us to offload the heavy lifting from your forms, enabling massive 5GB file uploads and 20x concurrent processing without slowing down your form.

Our integration with Transloadit allows us to drastically increase the per-file upload size limits for MachForm Cloud:

• Personal Plan: Increased from 50MB to 1GB per file.
• Small Business Plan: Increased from 150MB to 2GB per file.
• Enterprise Plan: Now supports a massive 4GB per file.
• Enterprise Plus Plan: Now supports a massive 5GB per file.

Powerful Updates. Same Price. Best of all, these upgrades come at no additional cost. We have included the Transloadit integration and increased storage limits as part of your existing MachForm Cloud subscription.

Now Available for Download

The new version of MachForm is now available for download in the Account Area.

PHP & MySQL Version Requirements

MachForm v28 requires the minimum version of PHP on your server to be at least PHP 8.1 and MySQL version at least MySQL 5.7. If you’re still using an older version, you’ll need to upgrade your PHP and/or MySQL version first.

Changelog

• Feature: New File Upload field with built-in image editor and concurrent uploads.
• Feature: Added new CAPTCHA type: ALTCHA.
• Feature: Added {entry_data:except(…)} merge tag to exclude custom fields from {entry_data}
• Feature: Added option to restrict SSO Login by SAML attribute, for custom iDP
• Feature: Added option to change the default permission for new SSO users created from JIT provisioning
• Update: Fixed accessibility issue to conform with WCAG 2.2 AA point #4.1.3 Status Messages
• Update: Replaced PHPExcel library with PHPSpreadsheet and increased the minimum PHP requirements to PHP 8.1
• Bugfix: SSO doesn’t work for password-less authentication
• Bugfix: SSO doesn’t work if the website server behind a reverse proxy
• Bugfix: When “Max File Uploads Per IP Per Hour” is 0, token usage mechanism should be disabled
• Bugfix: Refresh token expired when using Microsoft 365 SMTP Oauth
• Bugfix: HTML tags on ARIA legends
• Bugfix: Fixed incorrect results when creating smart folder using total/today entries and last entry date as condition
• Bugfix: Extra comma on blocked keyword setting caused the form not working as expected
• Bugfix: Deprecated error message when using LDAP under PHP 8.1
• Bugfix: Form scheduling doesn’t work when one of the start/end date is empty

How to Update

This update is FREE for all users with an active support contract.
As mentioned above, you can download it in the Account Area.

Follow this upgrade instruction:
Upgrading MachForm Self-Hosted 

MachForm Cloud Users

If you’re subscribed to any of our MachForm Cloud plans, no action is required. We automatically update your MachForm version to the latest release.

We’re excited to announce the release of MachForm Version 27 – a new update that enhances security and makes MachForm even more enterprise-ready.

Enterprise-Grade Single Sign-On (SSO) with SAML 2.0

Version 27 introduces Single Sign-On (SSO) support using SAML 2.0 for login authentication – one of the most requested features from our enterprise customers.

With SSO enabled, your team can log in to MachForm using your existing company credentials through popular Identity Providers (IdPs) such as Microsoft Entra ID (Azure AD), Google Workspace SSO, Okta, OneLogin, and others.

Key benefits:

• Centralized User Control – Manage users and revoke access directly from your IdP.
• Enhanced Security – Reduce password fatigue and enforce your organization’s authentication policies.
• Seamless User Experience – Users log in with the same credentials they already use daily.
• Automatic User Provisioning – New accounts can be created on first login through Just-in-Time (JIT) provisioning.

This feature is available for:

• MachForm Self-Hosted – Unlimited License
• MachForm Cloud – Enterprise & Enterprise Plus plan

Read more on How to Setup MachForm with Single Sign-On.

Strengthened File Upload Security

In recent weeks, we discovered that spam bots were exploiting the file upload script to automate mass file uploads without any limitation. This not only consumed server resources but also created unnecessary storage usage for many customers.

Version 27 introduces a major improvement to file upload security:

• JWT-Based Upload Tokens – Each upload request is now validated with a secure token, making automated mass uploads much harder for spam bots.
• IP-Based Rate Limiting – Restrict the number of file uploads from a single IP within a 60-minute window to prevent abuse.
• More Accurate File Type Blocking – Improved file type validation ensures potentially harmful file types are blocked more reliably.

These changes significantly strengthen MachForm’s defense against spam and abuse, making it safer for public-facing forms that allow file uploads.

Now Available for Download

The new version of MachForm is now available for download in the Account Area.

PHP & MySQL Version Requirements

MachForm v27 requires the minimum version of PHP on your server to be at least PHP 8.0 and MySQL version at least MySQL 5.7. If you’re still using an older version, you’ll need to upgrade your PHP and/or MySQL version first.

Changelog

• Feature: SSO (Single Sign-On) support for login authentication
• Feature: Added option to throttle file uploads per IP address per hour
• Security: Improved file uploads security against spam bots submissions
• Bugfix: Grid widget can’t use relative date format for filtering
• Bugfix: Importing form doesn’t include the approval status field
• Bugfix: Languages not loaded correctly in merge tags
• Bugfix: Missing “reply to” information when resending entry using confirmation email template
• Bugfix: Smart folder using conditions from “Created Date” or “Last Entry Date” caused query error
• Update: Added Ukrainian language and currency
• Update: Added approver name into {approval_note} merge tag
• Update: Updated axios library with the latest version (1.11.0)

How to Update

This update is FREE for all users with an active support contract.
As mentioned above, you can download it in the Account Area.

Follow this upgrade instruction:
Upgrading MachForm Self-Hosted 

MachForm Cloud Users

If you’re subscribed to any of our MachForm Cloud plans, no action is required. We automatically update your MachForm version to the latest release.

We’re thrilled to share MachForm Version 26 with you! This update brings exciting improvements to payments, accessibility, and email integration, making your forms easier to use, more inclusive, and more secure.

Here’s a quick look at what’s new:

Accept More Payments with Stripe – 40+ Methods Available!

MachForm’s Stripe integration just got a huge upgrade! Now, you can accept over 40 different payment methods, including ACH bank transfers. This means you can easily collect payments from customers around the world using their favorite methods. More choices for your users, more successful transactions for your business!

WCAG 2.2 AA and European Accessibility Act Compliance

MachForm Version 26 forms are now fully compliant with WCAG 2.2 AA standards and the European Accessibility Act (EAA). Everyone, including individuals with disabilities, can effortlessly use your forms. With better readability, and full compliance, your forms become accessible to a broader audience, helping you reach more users and comply with essential international accessibility regulations.

Secure SMTP Email via Microsoft 365 OAuth

We’ve enhanced email security and reliability by adding Microsoft 365 SMTP OAuth support. This new integration ensures your emails are securely authenticated through Microsoft’s trusted infrastructure. Read more.

Now Available for Download

The new version of MachForm is now available for download in the Account Area.

PHP & MySQL Version Requirements

MachForm v26 requires the minimum version of PHP on your server to be at least PHP 7.4 and MySQL version at least MySQL 5.7. If you’re still using an older version, you’ll need to upgrade your PHP and/or MySQL version first.

Changelog

• Feature: New Stripe integration; support 40+ payment methods, including ACH bank transfer
• Feature: WCAG 2.2 AA compliance on all forms; compliance with the European Accesibility Act (EAA)
• Feature: Support for Microsoft 365 SMTP OAuth
• Update: Updated dompdf library to v3.1.0 from 0.8.5
• Bugfix: Removed duplicate javascript event handler code that caused slow operations on large forms

How to Update

This update is FREE for all users with an active support contract.
As mentioned above, you can download it in the Account Area.

Follow this upgrade instruction:
Upgrading MachForm Self-Hosted 

MachForm Cloud Users

If you’re subscribed to any of our MachForm Cloud plans, no action is required. We automatically update your MachForm version to the latest release.

Howdy folks!

PHP 8.4 was officially released to general availability on November 21, 2024. It is a major update of the PHP language and contains many new features and performance improvements.

Today, we’re happy to let you know that we’ve just released MachForm 24, which is fully compatible with PHP 8.4.

The new version of MachForm (version 24) is now available for download in the Billing Area.

PHP & MySQL Version Requirement

MachForm v24 requires the minimum version of PHP on your server to be at least PHP 7.4 and MySQL version at least MySQL 5.7. If you’re still using an older version, you’ll need to upgrade your PHP and/or MySQL version first.

This is a maintenance release and we recommend upgrading if you’re using PHP 8.4.

Changelog

• Update: PHP 8.4 Compatibility
• Update: Accessibility fixes related to email, phone field and form success message
• Update: When adding approvers to a form, non-admin users will only see approvers having permission to access the form only
• Update: Re-added the autocomplete functionality when adding form tags
• Bugfix: Error messages (signature & stripe page) when form being embedded using PHP code
• Bugfix: Can’t add email logic rules
• Bugfix: Grid entries can’t be printed completely

How to Update

This update is FREE for all users with an active support contract.
As mentioned above, you can download it in the Billing Area.

Follow this upgrade instruction:
Upgrading MachForm Self-Hosted 

We’re happy to share that MachForm 23 is here, bringing some important updates to keep your forms running smoothly and securely. In this release, we’ve upgraded the core JavaScript libraries—like jQuery, which is used across both the backend admin panel and live forms, and Kendo UI, which powers our chart generation—to their latest versions. These upgrades mean improved stability, performance, and a smoother experience for you.

 
We’ve also addressed an important security vulnerability related to PayPal’s Instant Payment Notification (IPN) to ensure your payment processing remains secure. Updating to MachForm 23 will help you stay on top of these improvements, so we recommend making the switch whenever you’re ready!

Changelog

• Update: Updated jQuery library with the latest version (v3.6.1)
• Update: Updated chart library (KendoUI) with the latest version (v2024.3.806)
• Security: Addressed potential security vulnerability related to PayPal IPN handling
• Improvement: Added search box on add/edit user permission page
• Bugfix: Index length issue on ap_session table when using MySQL 5.7
• Bugfix: Unable to connect to SMTP server using Non TLS or self-signed SSL certificate

PHP & MySQL Version Requirement

MachForm v23 requires the minimum version of PHP on your server to be at least PHP 7.4 and MySQL version at least MySQL 5.7. If you’re still using an older version, you’ll need to upgrade your PHP and/or MySQL version first.

How to Update

This update is FREE for all users with an active support contract.
As mentioned above, you can download it in the Billing Area.

Follow this upgrade instruction:
Upgrading MachForm Self-Hosted 

MachForm Cloud Users

If you’re subscribed to any of our MachForm Cloud plans, no further action is required on your part. We automatically update the MachForm version for all our cloud users with the latest version.

Howdy folks!

PHP 8.3 was officially released to general availability on November 23, 2023. It is a major update of the PHP language and contains many new features and performance improvements.

Today, we’re happy to let you know that we’ve just released MachForm 21, which is fully compatible with PHP 8.3.

The new version of MachForm (version 21) is now available for download in the Billing Area.

PHP & MySQL Version Requirement

MachForm v21 requires the minimum version of PHP on your server to be at least PHP 7.4 and MySQL version at least MySQL 5.7. If you’re still using an older version, you’ll need to upgrade your PHP and/or MySQL version first.

This is a maintenance release and we recommend upgrading if you’re using PHP 8.3.

Changelog

• Update: PHP 8.3 Compatibility
• Update: Replaced the deprecated Swiftmailer library with PHPMailer for sending emails
• Update: Now uses “UTF8MB4” as the character set for MySQL tables, to support emojis in form fields
• Bugfix: The Rating widget on the shared report doesn’t display correctly
• Bugfix: Unable to use ‘&’ on form redirect URL
• Bugfix: Approval conditions don’t work on reports and exports

How to Update

This update is FREE for all users with an active support contract.
As mentioned above, you can download it in the Billing Area.

Follow this upgrade instruction:
Upgrading MachForm Self-Hosted 

MachForm Cloud Users

If you’re subscribed to any of our MachForm Cloud plans, no further action is required on your part. We automatically update the MachForm version for all our cloud users with the latest version.