photoprism

v260523-0544f71c1 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 11d Media Servers
✓ No known CVEs patched
This release patches 2 known CVEs

Topics

ai go google-photos machine-learning photography private-cloud self-hosted tensorflow

Affected surfaces

auth

ReleasePort's take

Moderate signal
editorial:auto 11d

Search queries now use parameterized statements for all user input.

Why it matters: Mitigates injection attacks on search engine inputs; critical for data integrity and security.

Summary

AI summary

Broad release touches What's new?, Config, Login, and Labels.

Changes in this release

Security (Medium): Search queries now use parameterized statements for all user input.
Source: llm_adapter@2026-05-23; confidence: high

Breaking (Medium): Dropped legacy Pigo detector in favor of ONNX-based face recognition.
Source: llm_adapter@2026-05-23; confidence: low

Feature (Medium): Added support for NOT & AND operators in the label filter.
Source: llm_adapter@2026-05-23; confidence: high

Feature (Medium): Added a drag-and-drop zone to the file upload dialog.
Source: llm_adapter@2026-05-23; confidence: high

Feature (Medium): Added native HEIC/AVIF reader and upgraded libheif to v1.21.2.
Source: llm_adapter@2026-05-23; confidence: high

Feature (Medium): Added support for Vulkan hardware acceleration in video transcoding via FFmpeg 8.
Source: llm_adapter@2026-05-23; confidence: high

Feature (Medium): Added `zstd` compression support for faster loading times.
Source: llm_adapter@2026-05-23; confidence: low

Feature (Low): Viewer sidebar allows manual tagging of faces on pictures.
Source: granite4.1:30b@2026-05-23-audit; confidence: low

Feature (Low): Sidebar shows editable metadata, albums, and labels in the viewer.
Source: granite4.1:30b@2026-05-23-audit; confidence: low

Feature (Low): Enhanced login page with "Stay signed in on this device" toggle.
Source: granite4.1:30b@2026-05-23-audit; confidence: low

Feature (Low): Hardened WebDAV timeouts, cancellation, and Depth-1 fallback diagnostics.
Source: granite4.1:30b@2026-05-23-audit; confidence: low

Feature (Low): Added fallback for servers that only allow `PROPFIND` with a Depth of 1 in WebDAV.
Source: granite4.1:30b@2026-05-23-audit; confidence: low

Feature (Low): CLI `vision run` command now updates sidecar YAML files.
Source: granite4.1:30b@2026-05-23-audit; confidence: low

Feature (Low): Added CLI `faces config` subcommand to list face-related options.
Source: granite4.1:30b@2026-05-23-audit; confidence: low

Feature (Low): Added read-only support for the Model Context Protocol (MCP).
Source: granite4.1:30b@2026-05-23-audit; confidence: low

Feature (Low): Added `--disable-mcp` flag to disable Model Context Protocol support.
Source: granite4.1:30b@2026-05-23-audit; confidence: low

Feature (Low): Removed limitation for vision model names to be lowercased in config.
Source: granite4.1:30b@2026-05-23-audit; confidence: low

Feature (Low): Default HTTP and HTTPS ports are stripped from base URLs in config.
Source: granite4.1:30b@2026-05-23-audit; confidence: low

Dependency (Medium): Upgraded Go from v1.26 to v1.26.3.
Source: llm_adapter@2026-05-23; confidence: high

Dependency (Medium): Upgraded ONNX Runtime to v1.25.1.
Source: llm_adapter@2026-05-23; confidence: high

Dependency (Low): Upgraded Docker base image to Ubuntu 26.04 LTS (Resolute Raccoon).
Source: granite4.1:30b@2026-05-23-audit; confidence: low

Performance (Low): Added pre-compressed frontend bundles for faster loading times.
Source: granite4.1:30b@2026-05-23-audit; confidence: low

Performance (Low): Improved worker auto-configuration based on number of CPU cores.
Source: granite4.1:30b@2026-05-23-audit; confidence: low

Performance (Low): Logs now record information about long-running processes.
Source: granite4.1:30b@2026-05-23-audit; confidence: low

Bugfix (Medium): Fixed OIDC redirect of unauthenticated users when opening direct links.
Source: llm_adapter@2026-05-23; confidence: high

Bugfix (Medium): Fixed OIDC provider initialization retry after transient discovery failure.
Source: granite4.1:30b@2026-05-23-audit; confidence: low

Bugfix (Medium): Fixed nil-DB race in async count and cover update goroutines.
Source: granite4.1:30b@2026-05-23-audit; confidence: low

Bugfix (Medium): Fixed settings dialog to allow credentials for existing WebDAV services to be changed.
Source: granite4.1:30b@2026-05-23-audit; confidence: low

Bugfix (Medium): Fixed flags placed after positional arguments being silently dropped in the CLI.
Source: granite4.1:30b@2026-05-23-audit; confidence: low

Refactor (Low): Consolidated SQL driver names and parsing in `pkg/dsn`.
Source: granite4.1:30b@2026-05-23-audit; confidence: low

Full changelog

This update introduces a redesigned Info Sidebar that lets you edit metadata, albums, and labels as well as manually tag faces without leaving the full-screen viewer. On the AI side, our ONNX-based face recognition pipeline has fully replaced the legacy Pigo detector, and the vision.yml configuration now accepts mixed-case model names so all identifiers from Hugging Face, Ollama, and OpenAI-compatible catalogs can be used.

Media handling has been thoroughly modernized: video transcoding now supports Vulkan hardware acceleration via FFmpeg 8, images use a native HEIC/AVIF reader (with libheif upgraded to v1.21.2), and layered TIFF and Adobe Photoshop PSD files are now supported. Other highlights include NOT & AND operators in the label filter, a drag-and-drop file upload zone, zstd compression for faster page loads, hardened WebDAV interoperability, and a new Ubuntu 26.04 LTS base image.

A big thank you to everyone who contributed and helped with testing! We hope you enjoy this release. 🌈💎✨

What's new?

Redesigned Info Sidebar

Edit a metadata field by clicking on it. Some fields can be edited in place, while others open a dialog box.

Editing People & Faces

The viewer sidebar offers the same face management actions that are already available under Edit > People. In addition, it allows you to manually mark and assign faces that were missed by the automatic detection.

Drag-and-Drop File Upload

Drop any number of files or folders onto the upload area, or click it to open a file picker. Files selected for upload are listed with their file names, sizes, and a thumbnail, if possible.

Translations

Missing user interface translations have been generated with the help of DeepL and Google Translate. Native speakers are welcome to help us improve them where needed.

Installation Packages

The packages attached to this release are intended for experienced users and maintainers of third-party integrations only, as they require manual configuration and do not include tested system dependencies. Since we are unable to provide support for custom installations, we recommend using one of our Docker images to run PhotoPrism on a private server or NAS device.

Breaking Changes

  • Dropped legacy Pigo detector; ONNX-based face recognition is now mandatory.

Security Fixes

  • Search queries now use parameterized statements for all user input.
  • Go upgraded to v1.26.3; ONNX Runtime upgraded to v1.25.1.


About photoprism

AI-Powered Photos App for the Decentralized Web
