Security Release

• Update Instructions
• Update details on blog

This is a security release to address a vulnerability where page content, which should be hidden by permissions, could be visible during certain markdown exports.

We strongly advise that you update your instance if you use permissions to control page visibility.

Thanks to Ghufran Raza Khan (GitHub Profile, LinkedIn Profile) for responsibly reporting this issue.
Also thanks to Alex Dan (GitHub Profile) for also reporting this before public announcement.

Full List of Changes

• Updated queries used for pages in markdown exports.
• Updated handling of filenames for file serving.
• Updated PHP package versions.

• [p]Players in Germany and Netherlands will have an X-Ray Scanner tab in their Inventory. For those players, containers can only be opened via X-ray Scanner. The X-Ray Scanner will come preloaded with a one-time exclusive non-tradable "Genuine P250 | X-ray", which must be claimed before using the X-Ray Scanner to reveal items in other containers.[/p][/*]
• [p]Keyless Containers, like Souvenir Packages, can be opened without the X-Ray Scanner.[/p][/*]

New features:

• SFTP support is now based on the fzssh library

Bugfixes and minor changes:

• Fix detection of OTP requests from FileZilla Pro Enterprise Server if using non-default FTP encryption options
• MSW: Improve handling of volumes mounted as path instead of as drive letter
• *nix, macOS: Remove custom send buffer option, rely on operating system auto-tuning

A new minor release, FFmpeg 8.1 "Hoare", is now available for download. Here are some of the highlights:

• Decoders: xHE-AAC Mps212 (experimental) MPEG-H decoding via libmpeghdec
• EXIF Metadata Parsing
• LCEVC: support for parsing and forwarding metadata
• Vulkan compute-based codecs: ProRes encoding and decoding, DPX decoding
• D3D12: D3D12 H.264/AV1 encoding, scale_d3d12, mestimate_d3d12, deinterlace_d3d12 filters
• Rockchip H.264/HEVC hardware encoding
• IAMF: Projection mode Ambisonic Audio Elements muxing and demuxing
• Formats: hxvs demuxer
• Filters: drawvg, vpp_amf

This release features a lot of internal changes and bugfixes. The groundwork for the upcoming swscale rewrite is progressing. The Vulkan compute-based codecs, and a few filters, no longer depend on runtime GLSL compilation, which speeds up their initialization.

A companion post about the Vulkan Compute-based codec implementations has been published on the Khronos blog, featuring technical details on the implementations and future plans.

We recommend users, distributors, and system integrators to upgrade unless they use current git master.

Part-DB 2.9.1

Improvements

• Removed MPN fallback from LCSC barcode scanner, the SPN field is used instead for part matching (#1302)
• Automatically detect the delimiter on generic CSV BOM imports

Bug fixes

• Fixed intendation of EDA visibility checkboxes
• Fixed SAML login button (#1308, thanks to @mowoe)
• Fixed problem of GenericWeb info provider when used behind traefik (#1296)
• Fixed 500 error, when mapping in generic CSV BOM import fails (#1298)
• Fixed 500 error with displaying part prices, when a user has a currency preference different of base currency, and there is no conversion rate known for it (#1317)

Miscellaneous

• Updated dependencies
• Updated translations
• Updated kicad symbols

New Contributors

• @mowoe made their first contribution in #1308

Full Changelog: v2.9.0...v2.9.1

Links

• Release video overview
• Update instructions
• Update details on blog

Upgrade Notices

• Email/SMTP - The way BookStack sends messages has changed slightly (Specifically, the SMTP HELO domain). This isn't expected to be a breaking change but testing of emails (Using the test send action in Settings > Maintenance) is advised after updating to be sure there's no impact.
• Theme System - Within a theme directory, the modules/ folder is now dedicated to theme modules. If you happened to already have a folder of this name in your theme, it's advised to use a different folder name instead.

Full List of Changes

Released in v26.03

• Added new module system to the theme system. (#5998)
• Added logical theme events for page content render and pre-save. (#6049)
• Added logical theme event and class to allow inserting custom views before/after others. (#5998)
• Added logical theme event to allow customising the OIDC authentication URL. (#6014)
• Updated book delete to return to the parent shelf in a shelf context. (#6029)
• Updated book read API endpoint to provide parent shelf information. (#6006)
• Updated cursor to pointer for drawio diagrams. Thanks to @lublak. (#5864)
• Updated description for per-page display limits. (#6005)
• Updated emails to use the domain from the APP_URL in the SMTP HELO. (#5990)
• Updated translations with latest Crowdin changes. (#6007)
• Fixed empty extra space showing for descriptions when the input is left empty. (#5724)

The Stable channel has been updated to 146.0.7680.80 for Windows/Mac  and 146.0.7680.80 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log

• AMD Ryzen AI 7/PRO 450G/E, AI 5/PRO 440G/E & 435G/E (Kraken Point 2).
• AMD Ryzen AI 9 HX 470.
• Fix AMD Ryzen 5 5500U (Lucienne) reported as 7350U (Cezanne).
• Preliminary support of Intel Wildcat Lake.
• CQDIMM (4-ranks CUDIMM) memory support.
• Fix DLL hijacking vulnerability thanks to Kwangyun Kem.
• New Chinese translation thanks to Shinjo Kurumi.

Bugfixes and minor changes:

• FTP: Fixed path display in NSLT output

The Stable channel has been updated to 146.0.7680.75/76 for Windows/Mac  and 146.0.7680.75 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log

Security Fixes and Rewards

Updated 2026-03-13: The previous version of these notes included CVE-2026-3909, the fix
for which will instead be available in a future update.

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

Srinivas Sista