What’s New?
Licence expiry removed — SelectHR Evo licences will no longer expire, preventing unexpected service interruptions
P11D & P11D(b) Compliance — Updated electronic filing rules and Class 1A NIC rate for the 2025/26 tax year
Intercom Reclassified as Essential Cookie — Ensuring all users have uninterrupted access to customer support
Security Hardening — Extensive remediation of vulnerabilities across the web application, Mobile App, and build infrastructure
Bug Fixes — Resolved issues in Training, Admin Tool, payroll submission, cookie handling, and more
Licence Expiry Removed from SelectHR Evo
Licences for SelectHR Evo (v5.0) will no longer expire, eliminating the risk of unexpected service interruptions caused by licence timeout.
What’s changed?
Expiry date removed: The expiry date field has been removed from the licence schema. Module entitlements and employee count limits continue to be validated as normal.
Benefits
No more service outages caused by licence expiry for both hosted and on-premise Evo customers
Module entitlements and employee count limits remain fully enforced
No action required by customers
P11D & P11D(b) Updated for 2025/26 Tax Year
Electronic filing rules for P11D and P11D(b) submissions have been updated to meet HMRC’s requirements for the 2025/26 tax year, ensuring submissions pass HMRC validation.
What’s changed?
Updated business validation rules (BVR): BVRs for P11D and P11D(b) have been refreshed to align with HMRC’s 2025/26 published requirements.
Corrected tax year date references: Date references in Sections F and H have been updated to reflect the 2025/26 tax year.
Class 1A NIC rate applied: The new Class 1A NIC rate is now applied across P11D(b) Data Items 111, 112, and 119.
Benefits
Payroll teams can submit 2025/26 P11D and P11D(b) returns with confidence they will pass HMRC validation
Avoids electronic filing rejections due to outdated validation rules
No manual action required by customers
Intercom Reclassified as an Essential Cookie
The Intercom cookie has been reclassified from Functional to Essential in the Cookie Policy, ensuring all users have uninterrupted access to customer support.
What was the challenge?
The reclassification ensures the Cookie Policy is accurate, GDPR-compliant, and that support is always available.
What’s changed?
Cookie reclassification: Intercom has been moved from the Functional cookie category to Essential, reflecting its role as the primary customer support channel.
GDPR compliance: The reclassification meets GDPR criteria for an Essential service, keeping the Cookie Policy accurate and compliant.
Benefits
• Intercom support widget loads for all users regardless of their cookie preferences
• Users who previously opted out of Functional cookies will now have access to customer support
• Support teams should note that Intercom availability is no longer dependent on cookie consent choices
Security Improvements
This release includes extensive security remediation work across the SelectHR web application, Mobile App, and build infrastructure.
These changes address vulnerabilities identified through security scanning tools (ArmorCode/SonarQube), CVE advisories, and internal code reviews.
ID | Title | Resolution | Action Required |
1570136 | Hardcoded database password removed from Licence Key Generator | A hardcoded database password has been removed from the Licence Key Generator configuration file. This is an internal security hardening measure that reduces the risk of credential exposure. No action required by customers or support teams. | No action required by customers. |
1570155 | XSS vulnerability fixed in Training module (Enter Training page) | User-supplied input in the Training module is now properly sanitised before being displayed back to the user, protecting against cross-site scripting (XSS) attacks. | No action required by customers. |
2051596 2115447 | Open redirect vulnerabilities fixed in Login.aspx and Send Invite page | The login page and Send Invite page now validate all redirect URLs before forwarding users, preventing redirection to untrusted external websites and protecting against phishing attacks. | No action required by customers. |
2170624 | Unsafe deserialisation vulnerabilities fixed with type whitelisting and MAC verification | Deserialisation processes across the application now use type whitelisting and MAC verification to validate data before processing, protecting against potential remote code execution attacks. | No action required by customers. |
2201875 | Data breach risk fixed: document download links now enforce authorisation checks | Document download links now enforce proper authorisation checks, preventing users from accessing documents belonging to other employees by modifying the item number in the URL. | Support teams should be aware this resolves a critical data breach risk. |
Multiple (ArmorCode) | ArmorCode vulnerability remediation — dependency upgrades and codebase hardening | A number of third-party library vulnerabilities identified via ArmorCode security scanning have been remediated in this release. This includes upgrading affected dependencies (fast-xml-parser, js-yaml, picomatch, jQuery, activesupport, System.IdentityModel.Tokens.Jwt) across the web application, Mobile App, and build infrastructure, as well as removing unused and legacy code flagged as security hotspots (vendored libraries, hardcoded credentials, legacy scripts). No functional changes to end-user workflows. | No action required by customers. |
Bug Fixes
The following defects have been resolved in this release.
ID | Title | Resolution | Action Required |
625106 | Policy Document process Listing tabs key mismatch | Fixed a key mismatch issue in the Policy Document process Listing, Confirmed, and Unconfirmed tabs that was causing the process to abort. | No action required by customers. |
646169 | Payroll submission incorrect effective-to date on ending an appointment | Fixed an issue with incorrect effective-to dates being sent during payroll submission when ending an appointment. | Support teams should double-check fixed end dates that may now be used instead of appointment end dates. |
2100571 | Cookie preference storage limited to 10 users per shared device | Cookie preference storage is now limited to a maximum of 10 users per shared device, eliminating Chrome console errors on kiosk or hot-desk environments. Support teams can close any open tickets related to console errors on shared devices. | No action required by customers. |
2166729 | Standard Reports export via Export Packaging Wizard no longer breaks Admin Tool | Fixed an issue where using the Export Packaging Wizard to export Standard Reports was causing the Admin Tool to become unresponsive. Administrators can now reliably export Standard Reports without disruption. | No action required by customers. |
2174658 | Error when saving a Trainer in Event Days (Copy) | Fixed an error that occurred when saving a Trainer record within the Event Days (Copy) function in the Training module. Training administrators can now copy event days and save trainer assignments without errors. | No action required by customers. |
How to access this update
Updates are applied automatically.
Test systems: 19th April 2026
Live systems: 26th April 2026
Your schedule will be visible in the Admin area of your system.