YOURLS

v1.10.4 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 11d Developer Productivity

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

link-shortener php short-url shorten-urls shortener url-shortener

+2 more

urlshortener yourls

Affected surfaces

auth

ReleasePort's take

Moderate signal

editorial:auto 11d

ReleasePort Layer 1 version 1.10.4 patches an XSS vulnerability in stat pages and adds date/time localization support.

Why it matters: The XSS fix protects user‑facing stat pages from malicious referrer payloads; the new localization feature enables accurate date and time display for international users.

Summary

AI summary

Updates YOURLS 1.10.4, New Contributors, and improved across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	Prevents XSS in stat pages via referrers Prevents XSS in stat pages via referrers Source: llm_adapter@2026-05-23 Confidence: low	—
Feature	Medium	Adds localization support for date and time display Adds localization support for date and time display Source: llm_adapter@2026-05-23 Confidence: high	—
Feature	Medium	Adds filter for SQL queries Adds filter for SQL queries Source: llm_adapter@2026-05-23 Confidence: high	—
Performance	Medium	Improves shunt filters performance Improves shunt filters performance Source: llm_adapter@2026-05-23 Confidence: high	—
Bugfix	Medium	Fixes overlapping logo notice in admin panel Fixes overlapping logo notice in admin panel Source: llm_adapter@2026-05-23 Confidence: low	—
Bugfix	Medium	Fixes flagging password file as user auth from environment variables Fixes flagging password file as user auth from environment variables Source: llm_adapter@2026-05-23 Confidence: low	—
Refactor	Medium	Improves debug functions and logic Improves debug functions and logic Source: llm_adapter@2026-05-23 Confidence: low	—
Refactor	Medium	Makes tests debugging easier Makes tests debugging easier Source: llm_adapter@2026-05-23 Confidence: low	—

Full changelog

YOURLS 1.10.4

What's Changed

fixed: Prevent XSS in stat pages through referrers (#4107)
added: Localization support for date and time display (#4054)
improved: Improve shunt filters (#4058)
fixed: Notice overlapping logo in admin panel (#4069)
fixed: Flag password file as user auth from environment variables (#4066)
added: Filter SQL queries (#4064)
improved: Improve debug functions and logic (#4089)
improved: Make tests debugging easier (#4104)

Full Changelog: https://github.com/YOURLS/YOURLS/compare/1.10.3...1.10.4

New Contributors

@dineshingale made their first contribution in https://github.com/YOURLS/YOURLS/pull/4054
@og-khushalpatel made their first contribution in https://github.com/YOURLS/YOURLS/pull/4069

How to install or update

Download the source code below and upload to your server.
We recommend to back up your DB before any update.

More detailed instructions available on https://yourls.org/docs/

Shorten your links and make YOURLS bigger!

Does your company use YOURLS? Help the project, become a sponsor and get your logo on our README on GitHub with a link to your site. Become a sponsor.

Security Fixes

GHSA-5h77-88j3-r659 — Prevent XSS in stat pages through referrers

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track YOURLS

Get notified when new releases ship.

About YOURLS

The 𝘥𝘦 𝘧𝘢𝘤𝘵𝘰 standard, self hosted, powerful and customizable, URL shortener in PHP

All releases →