Security Release

• Update Instructions
• Update details on blog

BookStack v25.11.6 has been released.

This is a security release to address a vulnerability in our dependencies related to XML
handling, which could allow users to replay SAML authentication requests with specially crafted & manipulated requests.

It's strongly advised to update if you're using SAML authentication for BookStack.

Full List of Changes

• Updated application PHP dependencies.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated OIDC state handling to prevent other requests causing the process to fail, which was occurring in Chromium based browsers. (#5929)
• Updated session history handling to prevent redirects to common asset locations. (#5925)
• Updated PHP dependency versions.

Note: This was originally accidentally published as v24.11.4, so this is essential a re-publish with the correct version.
The wrong version number commit/history has been retained though to prevent any breakages for git-managed environments.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixed error thrown when attempting to send new comment notifications. (#5918)
• Updated PHP dependency versions.

Release v24.11.4

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixed overly-strict image access permission changes in v25.11.2 which could block images when a secure storage option was used alongside public access. (#5906, #5909)
• Updated app PHP dependencies to latest versions.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixed image permission checking in ZIP exports to prevent error and to align with UI access. (#5899, #5885)
• Updated translations with latest Crowdin changes. (#5887)
• Updated test environment refresh database command to set env timezone option to ensure test database is consistent. (#5881)
• Updated app PHP dependencies to latest versions.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixes database queries causing errors with versions of MySQL <= 5.7. (#5877)

Links

• Release video overview
• Update instructions
• Update details on blog

Full List of Changes

• Added API endpoints for comments. (#5850, #4194))
• Added API endpoints for reading image data. (#5860, #5519)
• Added Groovy code syntax highlighting support. (#5822)
• Added new flags to the create admin command. (#5749)
• Added option for display timezone, and improved UI use consistency. (#5790, #4786)
• Added proper pagination to search. (#5854)
• Updated API docs with better model ordering, and quick navigation select. (#5865)
• Updated codebase to meet PHPstan level 3. (#5785)
• Updated database comments table to remove redundant text column. (#4821)
• Updated database format for core item types. (#5800)
• Updated framework to Laravel 12, and perform some major dependency upgrades. (#5782)
• Updated page delete handling to nullify related images instead of leaving old IDs. (#5846)
• Updated permission handling in code to use enums instead of strings. (#5793)
• Updated translations with latest Crowdin changes. (#5843)
• Updated user delete handling to nullify, or better handle, ID references on delete. (#5844)
• Fixed old API-scripts link leading to archived repo. (#5813)
• Fixed search timeout when a high per-page frequency match was encountered. (#5863)

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated translations with latest Crowdin changes. (#5786)
• Updated PHP package versions.
• Fixed PWA manifest access when behind authenticated proxies. Thanks to @tfnh621. (#5820)

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated new WYSIWYG editor with various fixes focused on collapsible block behaviour & interaction. (#5775)
• Updated translations with latest Crowdin changes. (#5759)
• Updated versions of PHP dependencies.
• Updated code to address some remaining PHP 8.4 deprecations.
• Fixed diagrams in ZIP imports not being editable post-import. (#5761)
• Fixed books detaching from shelves on shelf update where users don't have permission to view child books. (#5728)

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated translations with latest Crowdin changes. (#5740)
• Updated PHP package versions.
• Fixed open redirect with stricter location checking.
• Fixed users being logged out on ZIP import errors. (#5754)
• Fixed menu accessibility tagging. (#5753, #5752)
• Fixed scenarios where MAIL_PORT could interfere with tests. (#5755)

Links

• Release video overview
• Update instructions
• Update details on blog

Full List of Changes

• Added plaintext markdown page editor input option. (#5725, #5705)
• Added ZIP Import/Export API endpoints. Thanks to @LM-Nishant. (#5721, #5592)
• Added tag-classes based upon parent book/chapter. (#5681, #5217)
• Updated comment and description inputs to use the new WYSIWYG editor. (#5676)
• Updated 3-column layout with better usability. (#5685)
• Updated changelog input to large area with character counter. Thanks to @shresthkapoor7. (#5663, #5434)
• Updated mail logic to remove use of our custom patched Symfony mailer. (#5636)
• Updated translations with latest Crowdin changes. (#5696)
• Updated many actions to better handle parallel permission generation. (#5689, #4838)
• Updated new WYSIWYG editor with improvements & fixes. (#5731)
• Updated PHP package versions.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Added Nepali Language. (#5677)
• Updated translations with latest Crowdin changes. (#5695)
• Updated PHP package versions.
• Updated content diffs to better group non-ascii language characters into words.
• Fixed error when loading opensearch endpoint with certain PHP in some environments. (#5673)
• Fixed namespace for test case. Thanks to @bumperbox. (#5668)

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated new WYSIWYG editor with a range of fixes: (#5653)
  • Added toolbar for media elements for easier menu access.
  • Updated media embed code field to show existing embed code for direct editing.
  • Updated media resize handling to be more reliable and to retain focus after resize.
  • Updated table resize handles to be more efficient, and prevented them wondering far away from tables so often.
  • Fixed buggy media selection scenarios.
  • Fixed media form "src" field not working when video is using source elements.
  • Fixed table resize handles overlapping table captions.
  • Fixed text formatting being inconsistent on new paragraphs.
  • Fixed tiny image resize square on image insert.
• Fixed comment updates showing incorrect notification text. (#5642)
• Fixed search system ignoring words adjacent to non-breaking spaces. (#5640)
• Updated translations with latest Crowdin changes. (#5637)

Links

• Release video overview
• Update instructions
• Update details on blog

Full List of Changes

• Added support for comments to reference page sections. (#5584, #1265)
• Added comment archive support. (#5584)
• Added AVIF image support. (#5625, #5474)
• Added new system info API endpoint. (#5607, #5603)
• Added user avatar image fetching for OIDC authentication. Thanks to @rubentalstra. (#5626, #5429, #4271)
• Updated new WYSIWYG editor with further fixes. (#5627)
• Updated page-edit redirect to page-view if permission failed on edit. (#5568)
• Updated translations with latest Crowdin changes. (#5622)
• Update codebase and packages to address php 8.4 depreactions. (#5358)

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixed incorrect image directory permissions. (#5609, #5605)
• Updated translations with latest Crowdin changes. (#5608)
• Updated PHP packages.
• Updated system CLI:
  • Fixed handling of database credentials with escaped special characters.
  • Updated download-vendor command with extra clean-up handling.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated PHP dependency package versions to fix compatibility issue on systems with recent libxml versions (eg. Arch Linux).

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated image file permission error handling for images to log instead of fail. (#5601, #5269)
• Fixed style issues in exports due to CSS variables being ignored. (#5576)
• Updated translations with latest Crowdin changes. (#5566)
• Updated PHP dependency package versions.

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated name sort rule handling to consider accented characters. Thanks to @bernardo-campos. (#5550, #5542)
• Updated translations with latest Crowdin changes. (#5537)
• Updated PHP dependency package versions.
• Fixed a range of issues for the new WYSIWYG editor: (#5558)
  • Fixed content saving issues, specifically on save shortcut usage.
  • Fixed list conversion & parsing which was mishandling tasks lists.
  • Fixed a range of list selection and nesting scenarios.
  • Updated keyboard navigation to be more reliable around images & media embeds.
• Fixed comment times not being shown. (#5555)

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Added ipv6 database host address support. (#5464)
• Updated translations with latest Crowdin changes. (#5505)
• Updated revisions list to hide changes link for oldest revision. (#5454)
• Updated system CLI:
  • Added new download-vendor command.
  • Updated restore command to take environment variables into account. (#5489)
  • Updated backup command to use mariadb-dump where available. (#5373)
  • Updated update command to check, warn and exit early if the CLI is making changes to itself. (#5335)
  • Updated MySQL handling to use option files to pass details to CLI executions.
  • Updated MySQL handling to consider common xampp directory.
• Updated PHP dependencies.

Links

• Release video overview
• Update instructions
• Update details on blog

Upgrade Notices

• PHP Version Requirement Change - The minimum supported PHP version has changed from PHP 8.1 to PHP 8.2 in this release. Please see our "Updating PHP & Composer" documentation page for guidance on updating PHP where needed.
• Sorting - Basic sort order changes for chapters and pages will no longer affect the "updated" time for these items. Wider changes during sorting (moving to a new parent) will still increment the "updated" time.
• Theme System - A public/ folder within an active theme folder will now be exposed for public access. If for some reason you already have such a folder that you don't want exposed, rename it before upgrading.

Full List of Changes

• Added sort rules with automatic book sorting. (#5457, #2065)
• Added method to serve public files via the theme system. (#5405, #3904)
• Updated app framework to Laravel 11. (#5400)
• Updated codebase minimum PHP version from 8.1 to 8.2. (#5397)
• Updated codebase to address various PHP 8.4 deprecations. (#5491)
• Updated new WYSIWYG editor with a range of fixes. (#5415)
• Updated search indexing to handle guillemets. Thanks to @inv-hareesh. (#5475, #5471)
• Updated search indexing with advanced tokenization along with hyphen handling. (#5488, #2095)
• Updated sort handling to not increment the updated date for sorted content. (#1777)
• Updated translations with latest Crowdin changes. (#5409, #5399)
• Fixed incorrect image orientation handling. (#5462)
• Fixed layout issues at specific breakpoints. (#5396)
• Fixed LDAP error thrown when server does not provide a cn value. (#5443)
• Fixed wrong condition for showing new books list. Thanks to @Silverlan. (#5470)

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated export logic to have better temp file clean-up. (#5374, #5379)
• Updated in-app export endpoints to have rate limits. (#5379)
• Updated translations with latest Crowdin changes. (#5370)
• Updated PHP dependency package versions.
• Fixed markdown editor focus jumping on image insert. (#5384)

Links

• Release video overview
• Update instructions
• Update details on blog

Full List of Changes

• Added new portable ZIP import/export format. (#5260, #43)
• Added support for concatenating multiple LDAP attributes in displayName. Thanks to @MatthieuLeboeuf. (#5295, #1684)
• Added book and chapter titles to search API results. Thanks to @rashadkhan359. (#5280, #5140)
• Added cover image details to book/shelf API list responses. (#5180)
• Updated dev dockerfile setup to simplify things. Thanks to @johnroyer. (#5293)
• Updated guest account form to hide language preference to prevent confusion. (#5356)
• Updated new WYSIWYG editor codebase to merge nodes & re-organise code. (#5349)
• Updated notification handling to not block user with errors on send failures. (#5315)
• Updated our JavaScript service files to TypeScript. (#5259)
• Updated project NPM package & SASS deprecations/changes. (#5354)
• Updated the new WYSIWYG editor with a range of fixes/updates. (#5365)
• Updated translations with latest Crowdin changes. (#5345)
• Fixed API attachment update issue when name not provided. (#5353)
• Fixed attachment actions showing when lacking permissions. (#5323)
• Fixed missing book description and formatting in markdown exports. Thanks to @czemu. (#5313)
• Fixed page indexing breaking with very large pages. (#5322)

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated PHP dependency package versions.
• Updated translations with latest Crowdin changes. (#5331)
• Fixed attachment stream handling for better Chrome video support. (#5342, #5088)
• Fixed page include issue caused by PHP 8.3.14 bug. (#5341)
• Fixed OIDC userinfo handling when response included charset content type. Thanks to @wesbiggs. (#5337)
• Fixed differing code line height between dark/light modes. (#5146)

Security Release

• Update Instructions
• Update details on blog

BookStack v24.10.2 has been released.

This is a security release to address a vulnerability in our dependencies where specifically formatted requests could be used to manipulate application configuration in environments where a certain PHP option (register_argc_argv) is enabled. This is not an option that's typically enabled in production web-serving environments, but it's advised to update where uncertain.

Full List of Changes

• Updated application PHP dependencies.
• Updated translations with latest Crowdin changes. (#5317)

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated System CLI with fixes and updated dependencies. (#5312)
• Fixed update-url command not updating revisions & drafts. (#5292)
• Fixed the namespaces of some tests. Thanks to @LordSimal. (#5291, #5071)
• Fixed misaligned user input validation. (#5263)
• Updated setting categories to validate by for existing views, allowing custom categories to be used via the theme system. Thanks to @LachTrip. (#5255, #5251)
• Updated translations with latest Crowdin changes. (#5250)

Links

• Release video overview
• Update instructions
• Update details on blog

Full List of Changes

• Added ability to configure the PDF export command timeout. (#5119)
• Added new Lexical based editor. (#5058)
• Added not operator to search. (#4536)
• Added OpenSearch support. Thanks to @maximilian-walter. (#5198)
• Added SAS and R code language support. (#5206)
• Added search term negation support. (#5239)
• Added Welsh language to language list. (#5240)
• Updated dompdf and bacon-qr-code libraries to new major versions. (#5222)
• Updated page editor type to always exist in API and database. (#5117)
• Updated translations with latest Crowdin changes. (#5188)
• Updated user account creation to provide better email failure feedback. (#5195)
• Fixed drifting search icon on smaller screen sizes. (#5204)

Security Release

• Update Instructions
• Update details on blog

BookStack v24.05.4 has been released.

This is a security release to address issues found in LDAP group syncing, where in certain scenarios a user could be matched to extra roles incorrectly, and an issue with content visibility in "book-show" API responses which would not have permissions applied properly.

Upgrade is strongly advised for instances where LDAP authentication is used with group syncing, or where the REST API is used to fetch contents of books ("books-read" endpoint).

Thanks to Linus Nagel and their team at WorkSimple GmbH for reporting this API vulnerability.

Full List of Changes

• Updated API docs with consistent parameter types. (#5183)
• Updated default content iframe embed max-width to align with other content types. (#5130)
• Updated LDAP group sync to query via full DN.
• Updated translations with latest Crowdin changes. (#5118)
• Fixed books read API response not applying visibility control to chapter contents.
• Fixed API docs users response showing extra property. (#5178)
• Fixed database error thrown when using out dev docker setup. (#5124)
• Fixed RTL display issues with tasklist checkboxes. (#5134)

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Updated translations with latest Crowdin changes. (#5065)
• Updated callouts with LTR text handling where supported. (#5104)
• Updated project PHP and JavaScript dependencies.
• Fixed blocked diagrams.net loading when using a custom URL that includes a port. (#5107)
• Fixed OIDC incorrectly calling userinfo endpoint when valid empty groups provided. (#5101)
• Fixed image replacement being case-sensitive when it should not be. Thanks to @DanielGordonIT. (#5096) (#5095)
• Fixed HTML code block highlighting when custom self-closing tags are used. (#5078)
• Fixed testing when custom ALLOWED_IFRAME_SOURCES is set. Thanks to @mueller-contria. (#5069) (#5068)

Links

• Update instructions

Full List of Changes

This release contains the following fixes and changes:

• Fixed initial page publish changelog message not being saved if set. (#5056)
• Fixed incorrect WYSIWYG code shortcut reference. Thanks to @bradenterpstra01. (#5036)
• Added role create/update validation to warn about too-long external auth ID values. (#5037)
• Updated GIF thumbnail generation to no support animation, to avoid issues with large-frame-count GIFs. (#5029)
• Updated translations with latest Crowdin changes. (#5022)
• Updated backup code description text to clarify their use. (#5017)
• Updated docker-compose.yml to remove deprecated version. Thanks to @michaelortnerit. (#5052)