Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated translations with latest Crowdin changes. (#6067)
• Updated PHP dependency versions.

Security Release

• Update Instructions
• Update details on blog

This is a security release to address a vulnerability where the registration form could be manipulated to gain access to additional roles.

Upgrade is very strongly advised if your instance has user registration enabled.

Thanks to Kwonyong Lee (LinkedIn) for responsibly reporting this issue.
Also thanks to Boustani OSAMA (LinkedIn) for also reporting this before public announcement.

Full List of Changes

• Updated user creation to only use validated input from registration.
• Updated PHP package versions.
• Updated translations with latest Crowdin changes. (#6064)
• Updated PHP_CodeSniffer repository link. Thanks to @rodrigoprimo. (#6060)
• Updated WYSIWYG editors to have consistent collapsible block double click behavior. (#6059)

Security Release

• Update Instructions
• Update details on blog

This is a security release to address a vulnerability where page content, which should be hidden by permissions, could be visible during certain markdown exports.

We strongly advise that you update your instance if you use permissions to control page visibility.

Thanks to Ghufran Raza Khan (GitHub Profile, LinkedIn Profile) for responsibly reporting this issue.
Also thanks to Alex Dan (GitHub Profile) for also reporting this before public announcement.

Full List of Changes

• Updated queries used for pages in markdown exports.
• Updated handling of filenames for file serving.
• Updated PHP package versions.

Links

• Release video overview
• Update instructions
• Update details on blog

Upgrade Notices

• Email/SMTP - The way BookStack sends messages has changed slightly (Specifically, the SMTP HELO domain). This isn't expected to be a breaking change but testing of emails (Using the test send action in Settings > Maintenance) is advised after updating to be sure there's no impact.
• Theme System - Within a theme directory, the modules/ folder is now dedicated to theme modules. If you happened to already have a folder of this name in your theme, it's advised to use a different folder name instead.

Full List of Changes

Released in v26.03

• Added new module system to the theme system. (#5998)
• Added logical theme events for page content render and pre-save. (#6049)
• Added logical theme event and class to allow inserting custom views before/after others. (#5998)
• Added logical theme event to allow customising the OIDC authentication URL. (#6014)
• Updated book delete to return to the parent shelf in a shelf context. (#6029)
• Updated book read API endpoint to provide parent shelf information. (#6006)
• Updated cursor to pointer for drawio diagrams. Thanks to @lublak. (#5864)
• Updated description for per-page display limits. (#6005)
• Updated emails to use the domain from the APP_URL in the SMTP HELO. (#5990)
• Updated translations with latest Crowdin changes. (#6007)
• Fixed empty extra space showing for descriptions when the input is left empty. (#5724)

Security Release

• Update Instructions
• Update details on blog

BookStack v25.12.9 has been released.

This is a security release to address a vulnerability where style code in page content could be used to manipulate the page beyond the expected content area in some revision views, opening up risk of potential phishing and/or tracking by bad page editors.

We advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to Alex Dan (@windbreaker555 on GitHub) for their responsible discovery and reporting of this issue.

Full List of Changes

• Updated page revision diffs to use content filtering.
• Updated preference change redirect with stronger origin checks.
• Updated application PHP dependencies.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixed content filtering removing link target attribute, which would impact "New Window" links. (#6034)
• Fixed content filtering to not remove user references in comments.
• Updated PHP package versions.

This release specifically addresses a scenario, introduced in v25.12.4, where loading the editor of a page, last updated/created by a different user with blank content, would result in an error.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated page document handling to handle empty content instead of throwing an error. (#6026)

This release specifically addresses issues introduced in v25.12.4, where drawings could become non-editable in certain scenarios due to content filtering rules.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated content filter to allow required drawio diagram attributes. (#6026)

This release specifically addresses folder permission issues (often showing as an error when attempting to access content) which could occur from changes introduced in v25.12.4.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated filter caching folder handling to avoid server filesystem permission issues. (#6023)

Security Release

• Update Instructions
• Update details on blog

BookStack v25.12.4 has been released.

This is a security release to address a vulnerability where style code in page content could be used to manipulate the page beyond the expected content area, opening up risk of potential phishing and/or tracking by bad page editors.

We advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to SeongYun Moon (@Moonster8282 on GitHub) for their responsible discovery and reporting of this issue.

Additional Update Notices

• Page Content - As of this release, extra layers of filtering have been applied to page content. While we have tried to ensure this has minimal impact on content, it's possible this will lead to extra elements being filtered.
• Option Change - The ALLOW_CONTENT_SCRIPTS env option is now considered deprecated. It's advised to use the APP_CONTENT_FILTERING option, as documented here, instead if needed.

If you experience issues with your page content being over-filtered feel free to raise an issue on GitHub where we can check if the behaviour is intentional or something which needs to be patched.

You can use the new page content filtering option, with a value of jhf which should match the prior version filtering, but this will remove a layer of content filtering security so is not recommend.

Full List of Changes

• Added new option for more granular page filter control.
• Updated page content filtering to detect extra cases, and to apply a more aggressive allow-list style filter.
• Updated application PHP dependencies.

Security Release

• Update Instructions
• Update details on blog

BookStack v25.12.3 has been released.

This is a security release to address a vulnerability where form elements in page content could be used to trick more privileged users into making API requests.

We strongly advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to Joud Zakharia of zentrust partners GmbH for the discovery of this vulnerability, and thanks to Sven Faßbender of zentrust partners GmbH for their responsible disclosure and great communication of this issue.

Additional Update Notices

• Page Content - As of this release, most types of form content are now removed from page content on render. If you applied customizations which made use of in-page form content, you may now need to find alternative methods.

Full List of Changes

• Updated application PHP dependencies.
• Updated session-based API authentication to only be active for GET requests.
• Updated page content filtering to remove many common form elements & attributes.
• Updated translations with latest Crowdin changes. (#5997)

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated translations with latest Crowdin changes. (#5970)
• Updated PHP dependency versions.

Security Release

• Update Instructions
• Update details on blog

BookStack v25.12.1 has been released.

This is a security release which adds limits to search operations, and adds size checks to ZIP import files before they are extracted.
These changes help prevent potential abuse to host disk space usage and/or service availability.

We recommended to update your instance if untrusted users have ZIP import permissions, or if untrusted users can perform searches.

Thanks to Jeong Woo Lee (@eclipse07077-ljw) and Gabriel Rodrigues (aka TEXUGO) for reporting these vulnerabilities.

Full List of Changes

• Updated application PHP dependencies.
• Add some additional resource-based limits. (#5968)
• Updated translations with latest Crowdin changes. (#5962)

Links

• Release video overview
• Update instructions
• Update details on blog

Full List of Changes

• Added user mentions for comments. (#5944, #560)
• Added slug history tracking system. (#5913, #5411)
• Added initial developer API for the new WYSIWYG editor. (#5928, #5763)
• Added internal reference handling on content copying. (#5917, #3239)
• Added settings to control the number of books/shelves that will be displayed per page. Thanks to @Xenoamor. (#5606, #2343)
• Updated translations with latest Crowdin changes. (#5933)
• Updated new WYSIWYG editor with a range of fixes. (#5939)
• Updated BookStack system CLI to v0.4. (#5956)
• Updated CSS dark/light mode handling so all CSS variables exist by default. (#5923)
• Updated "Microsoft URL Rewrite Module for IIS" download link. Thanks to @gerundt. (#5952)
• Updated image thumbnail generation to more reliably log issues on error. (#5869)
• Updated database to add index to views table to make view-based queries more efficient. (#5948)
• Updated application database requirements. (#5882)
• Fixed search pagination not using APP_URL value, and breaking for sub-path usage. (#5951)
• Fixed search pagination overflowing view on smaller screen sizes. (#5920)

Security Release

• Update Instructions
• Update details on blog

BookStack v25.11.6 has been released.

This is a security release to address a vulnerability in our dependencies related to XML
handling, which could allow users to replay SAML authentication requests with specially crafted & manipulated requests.

It's strongly advised to update if you're using SAML authentication for BookStack.

Full List of Changes

• Updated application PHP dependencies.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated OIDC state handling to prevent other requests causing the process to fail, which was occurring in Chromium based browsers. (#5929)
• Updated session history handling to prevent redirects to common asset locations. (#5925)
• Updated PHP dependency versions.

Note: This was originally accidentally published as v24.11.4, so this is essential a re-publish with the correct version.
The wrong version number commit/history has been retained though to prevent any breakages for git-managed environments.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixed error thrown when attempting to send new comment notifications. (#5918)
• Updated PHP dependency versions.

Release v24.11.4

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixed overly-strict image access permission changes in v25.11.2 which could block images when a secure storage option was used alongside public access. (#5906, #5909)
• Updated app PHP dependencies to latest versions.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixed image permission checking in ZIP exports to prevent error and to align with UI access. (#5899, #5885)
• Updated translations with latest Crowdin changes. (#5887)
• Updated test environment refresh database command to set env timezone option to ensure test database is consistent. (#5881)
• Updated app PHP dependencies to latest versions.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixes database queries causing errors with versions of MySQL <= 5.7. (#5877)

Links

• Release video overview
• Update instructions
• Update details on blog

Full List of Changes

• Added API endpoints for comments. (#5850, #4194))
• Added API endpoints for reading image data. (#5860, #5519)
• Added Groovy code syntax highlighting support. (#5822)
• Added new flags to the create admin command. (#5749)
• Added option for display timezone, and improved UI use consistency. (#5790, #4786)
• Added proper pagination to search. (#5854)
• Updated API docs with better model ordering, and quick navigation select. (#5865)
• Updated codebase to meet PHPstan level 3. (#5785)
• Updated database comments table to remove redundant text column. (#4821)
• Updated database format for core item types. (#5800)
• Updated framework to Laravel 12, and perform some major dependency upgrades. (#5782)
• Updated page delete handling to nullify related images instead of leaving old IDs. (#5846)
• Updated permission handling in code to use enums instead of strings. (#5793)
• Updated translations with latest Crowdin changes. (#5843)
• Updated user delete handling to nullify, or better handle, ID references on delete. (#5844)
• Fixed old API-scripts link leading to archived repo. (#5813)
• Fixed search timeout when a high per-page frequency match was encountered. (#5863)

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated translations with latest Crowdin changes. (#5786)
• Updated PHP package versions.
• Fixed PWA manifest access when behind authenticated proxies. Thanks to @tfnh621. (#5820)

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated new WYSIWYG editor with various fixes focused on collapsible block behaviour & interaction. (#5775)
• Updated translations with latest Crowdin changes. (#5759)
• Updated versions of PHP dependencies.
• Updated code to address some remaining PHP 8.4 deprecations.
• Fixed diagrams in ZIP imports not being editable post-import. (#5761)
• Fixed books detaching from shelves on shelf update where users don't have permission to view child books. (#5728)

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated translations with latest Crowdin changes. (#5740)
• Updated PHP package versions.
• Fixed open redirect with stricter location checking.
• Fixed users being logged out on ZIP import errors. (#5754)
• Fixed menu accessibility tagging. (#5753, #5752)
• Fixed scenarios where MAIL_PORT could interfere with tests. (#5755)

Links

• Release video overview
• Update instructions
• Update details on blog

Full List of Changes

• Added plaintext markdown page editor input option. (#5725, #5705)
• Added ZIP Import/Export API endpoints. Thanks to @LM-Nishant. (#5721, #5592)
• Added tag-classes based upon parent book/chapter. (#5681, #5217)
• Updated comment and description inputs to use the new WYSIWYG editor. (#5676)
• Updated 3-column layout with better usability. (#5685)
• Updated changelog input to large area with character counter. Thanks to @shresthkapoor7. (#5663, #5434)
• Updated mail logic to remove use of our custom patched Symfony mailer. (#5636)
• Updated translations with latest Crowdin changes. (#5696)
• Updated many actions to better handle parallel permission generation. (#5689, #4838)
• Updated new WYSIWYG editor with improvements & fixes. (#5731)
• Updated PHP package versions.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Added Nepali Language. (#5677)
• Updated translations with latest Crowdin changes. (#5695)
• Updated PHP package versions.
• Updated content diffs to better group non-ascii language characters into words.
• Fixed error when loading opensearch endpoint with certain PHP in some environments. (#5673)
• Fixed namespace for test case. Thanks to @bumperbox. (#5668)

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated new WYSIWYG editor with a range of fixes: (#5653)
  • Added toolbar for media elements for easier menu access.
  • Updated media embed code field to show existing embed code for direct editing.
  • Updated media resize handling to be more reliable and to retain focus after resize.
  • Updated table resize handles to be more efficient, and prevented them wondering far away from tables so often.
  • Fixed buggy media selection scenarios.
  • Fixed media form "src" field not working when video is using source elements.
  • Fixed table resize handles overlapping table captions.
  • Fixed text formatting being inconsistent on new paragraphs.
  • Fixed tiny image resize square on image insert.
• Fixed comment updates showing incorrect notification text. (#5642)
• Fixed search system ignoring words adjacent to non-breaking spaces. (#5640)
• Updated translations with latest Crowdin changes. (#5637)

Links

• Release video overview
• Update instructions
• Update details on blog

Full List of Changes

• Added support for comments to reference page sections. (#5584, #1265)
• Added comment archive support. (#5584)
• Added AVIF image support. (#5625, #5474)
• Added new system info API endpoint. (#5607, #5603)
• Added user avatar image fetching for OIDC authentication. Thanks to @rubentalstra. (#5626, #5429, #4271)
• Updated new WYSIWYG editor with further fixes. (#5627)
• Updated page-edit redirect to page-view if permission failed on edit. (#5568)
• Updated translations with latest Crowdin changes. (#5622)
• Update codebase and packages to address php 8.4 depreactions. (#5358)

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixed incorrect image directory permissions. (#5609, #5605)
• Updated translations with latest Crowdin changes. (#5608)
• Updated PHP packages.
• Updated system CLI:
  • Fixed handling of database credentials with escaped special characters.
  • Updated download-vendor command with extra clean-up handling.