Our DirectAdmin Lucee hosting has finally moved from Lucee 5 to Lucee 6. It's taken longer than we'd have liked, because of a security bug we found in the official build over a year ago, one that meant Lucee 5 looked set to be the last version we could safely run. We've now fixed it ourselves, and every Lucee hosting account with us runs on our own patched build.
In short:
- We found a security bug in early Lucee 6 builds over a year ago, affecting multi-context password handling.
- We reported it, then tested again later. The issue was still there.
- For a while, staying on Lucee 5 looked like the only safe option, since Lucee 7 removes multi-context too.
- With the in-house capability to fix it ourselves, we did, and Lucee 6 is now live across our DirectAdmin hosting.
The upgrade, a year in the making

Lucee on our DirectAdmin platform, the one that's replacing our older cPanel-based Lucee 5 hosting, has moved to Lucee 6, alongside CFManager Lucee Edition and everything else in our Lucee packages. If you're on our Lucee hosting, you'll have seen it land, and the Lucee hosting page has been updated with the details and screenshots.
It's a change we could have made a long time ago. We didn't, because of what we found the first time we tested Lucee 6 properly.
What we found
Lucee's shared hosting model relies on multi-context mode: one server, many separate web contexts, each belonging to a different customer's site, each with its own Lucee web administrator login. A web context without its own admin password is meant to fall back to a default web password, a value the hosting provider sets, kept separate from the password protecting the server itself.
In early Lucee 6 builds, that fallback broke. A web context without its own password would, after a restart, inherit the server's admin password rather than the intended default. That matters, because the server password protects the whole box, every customer on it, not just one site. Lucee 5 got this right. Lucee 6 didn't.
We reported it at the time, then checked back on it more than once over the following year. It never changed.
Why now
For a while, the honest plan was to stay on Lucee 5 and leave it there. Lucee 6 had this issue, and Lucee 7 does away with multi-context altogether, so unless we could fix it ourselves, there genuinely wasn't a version to move to.
What changed is us. In the time since, we've built up the in-house engineering capability to take this on properly, so rather than keep waiting, we traced the fault to a check that should have confirmed whether a custom default password was actually set, and rebuilt Lucee 6 with it fixed.
"We didn't set out to become a Lucee maintainer," says Jonathon, founder of Host Media. "But once we had the ability to fix something that mattered this much ourselves, there wasn't a good reason to keep waiting."
So we fixed it ourselves
That build is now maintained as its own fork: we track upstream 6.2.x security fixes as they land, keep our own changes small and clearly marked, and version our builds so it's obvious what's running (you'll see something like 6.2.7.16-hostmedia in Server Admin). Every Lucee instance we run is built from this fork now, never a stock upstream binary.
The repository is private rather than public while we get our footing and have a playground of sorts, but we're happy to talk through the technical detail with anyone who wants it. Just get in touch with the team.
What this means for your hosting
In practice: your Lucee hosting keeps getting upstream security fixes as they land, plus this one and anything else we turn up, on our own schedule. Multi-context isn't going anywhere on our platform, even as the wider Lucee project moves past it with v7.

It sits alongside CFManager Lucee Edition and JavaPulse integrated monitoring, already built into every plan: the same underlying idea, that Lucee hosting with us is genuinely looked after, not just installed and left running.
Full details on the current Lucee 6 packages, screenshots included, are on the Lucee hosting page. Questions welcome any time via the support helpdesk.