
projectsend

vr2029 Security

This release includes 4 security fixes and is relevant to security teams reviewing exposed deployments.

Published 2mo File Storage & Sync
✓ No known CVEs patched
This release patches 4 known CVEs

Topics

business-tools client-portal clients-oriented document-sharing file-management file-sharing file-upload free-software mysql php projectsend s3-storage self-hosted web

Summary

AI summary

Added TOTP two-factor authentication with QR code setup and authenticator app support. Implemented in-app changelog viewer. Fixed stored XSS via event handlers. Hardened session cookies with HttpOnly, Secure, and SameSite flags. Restricted auto-updates to official servers. Fixed CSRF on file uploads. Redesigned error pages. Added PHP version pre-checks.

Security Fixes

  • Stored XSS via event handlers
  • CSRF on file upload endpoint
  • Session cookie hardening
  • Auto-update server restriction


About projectsend

ProjectSend is free, open source software that lets you share files with your clients, focused on ease of use and privacy. It supports client groups, system user roles, statistics, multiple languages, detailed logs... and much more!
