Skip to main content
ModPageSpeed 2.0: AVIF, WebP, and critical CSS — up to 69% less page weight on the live demo
2.0 1.15

Release Notes

mod_pagespeed 1.15 release notes — the maintained successor to the final open-source release (1.14.36.1, the last from the Apache incubator). Version history and security updates.

On this page

mod_pagespeed 1.15 is the maintained, drop-in continuation of the Apache-lineage mod_pagespeed. The current release is 1.15.0 (package v1.15.0+r15). It is the direct successor to the final open-source release, 1.14.36.1 (July 2020) — the last release made under the Apache incubator — and is actively maintained and security-patched.

Releases

Maintenance and security updates ship as package revisions of the current release; the latest is v1.15.0+r15. Each revision carries dependency and security updates with no configuration change — update to the latest revision when it is available. Packages and install commands are on the Downloads page. Security entries describe the impact and recommend updating, without exploit-level detail.

1.15.0 line — maintenance and security

Highlights across the 1.15.0 release revisions, most recent first:

  • Security and hardening. Binary-hardening of the shipped modules, added input-handling and admin-endpoint robustness, and security updates to the bundled dependencies. Updating to the latest revision is recommended.
  • Wider Linux packaging. Added packages for RHEL / Rocky / AlmaLinux / CloudLinux 8 and 10 — including cPanel / EasyApache 4 — plus arm64 builds, alongside the existing Apache and nginx support.
  • Admin console. Updated for per-site licensing.

1.15.0 — GA · June 2026

The maintained successor to the final open-source mod_pagespeed, 1.14.36.1 (the last Apache-incubator release). 1.15 continues the 1.1 line with no functional change: package names (mod-pagespeed, nginx-module-pagespeed, ea-apache24-mod_pagespeed) and configuration are unchanged, and the X-Mod-Pagespeed response header reports 1.15.0.0.

See What’s new in 1.15 for the full modernization — the Cyclone Cache backend, support for Apache and nginx from a single codebase, and the modern build with prebuilt, signed packages.

Security updates

mod_pagespeed 1.15 is actively security-maintained. All known CVEs from the open-source mod_pagespeed project have been resolved, and the maintained line has had substantial additional security and robustness work since it took over from the final open-source 2020 release. We recommend running the latest release.

At a high level, that work spans:

  • Memory-safety hardening across the engine and request-handling paths, backed by continuous sanitizer and fuzz testing.
  • Robustness against malformed or oversized input — untrusted content and abnormal conditions are handled gracefully instead of crashing or exhausting resources.
  • Admin-surface hardening — stricter authentication, safer defaults, and improved resilience of administrative and reporting endpoints to malformed or unauthorized external requests.
  • Binary hardening of the shipped modules (RELRO, BIND_NOW, stack-protector, FORTIFY_SOURCE) and a reduced attack surface.
  • Ongoing dependency updates, including image codecs and tracking upstream nginx security releases.

We keep these descriptions general by design. If your servers run an older open-source mod_pagespeed build, moving to 1.15 is the supported way to get all of the above.

Reporting a security issue

Found a security problem? Please email info@we-amp.com so we can investigate and ship a fix.