This release adds 5 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
ReleasePort's take
Light signal: This release fixes TOTP tolerance and auto‑submits 2FA codes after six digits.
Why it matters: Patch to v4.6.0 immediately; the fix resolves ±30‑second TOTP acceptance and automatic 2FA entry, eliminating login friction for affected users.
Summary
AI summary: TOTP codes now accept ±30‑second tolerance and 2FA codes auto‑submit after six digits.
Changes in this release
| Type | Severity | Summary | Source | Confidence | CVE |
|---|---|---|---|---|---|
| Feature | Medium | added "access token" for password protected URLs and files | llm_adapter@2026-05-21 | high | — |
| Feature | Medium | added server side pagination for public folders | llm_adapter@2026-05-21 | high | — |
| Feature | Medium | added file navigation buttons using arrows or arrow-keys | llm_adapter@2026-05-21 | high | — |
| Feature | Medium | added new full screen (viewport) file viewer, now default but configurable | llm_adapter@2026-05-21 | high | — |
| Feature | Medium | added unix socket support by setting CORE_HOSTNAME to a socket path and CORE_PORT ignored | llm_adapter@2026-05-21 | high | — |
| Feature | Medium | added PKCE for OAuth with tested clients: authentik, keycloak, authelia, kanidm | llm_adapter@2026-05-21 | high | — |
| Feature | Medium | added more notifications for errors thrown on uploads | llm_adapter@2026-05-21 | low | — |
| Bugfix | Medium | fixed text files not being visible on view-route | llm_adapter@2026-05-21 | high | — |
| Bugfix | Medium | fixed register user link/button not showing up on login page | llm_adapter@2026-05-21 | high | — |
| Bugfix | Medium | fixed old cached views not being deleted | llm_adapter@2026-05-21 | high | — |
| Bugfix | Medium | fixed error handling for api upload | llm_adapter@2026-05-21 | high | — |
| Bugfix | Medium | fixed various markdown and file rendering issues | llm_adapter@2026-05-21 | high | — |
| Bugfix | Medium | fixed filenames with multiple ext getting truncated | llm_adapter@2026-05-21 | high | — |
| Bugfix | Medium | fixed crash loops when having invalid passkey settings | llm_adapter@2026-05-21 | high | — |
| Bugfix | Medium | fixed session serialization errors | llm_adapter@2026-05-21 | high | — |
| Bugfix | Medium | fixed OIDC login issues on first-login vs subsequent logins | llm_adapter@2026-05-21 | high | — |
| Bugfix | Medium | fixed not returning a HTTP 404 on the not found pages | llm_adapter@2026-05-21 | high | — |
| Bugfix | Medium | fixed thumbnail issues with s3, better error handling | llm_adapter@2026-05-21 | high | — |
| Bugfix | Medium | fixed TOTP codes not accepting previous or next codes (±30 second tolerance) | llm_adapter@2026-05-21 | high | — |
| Bugfix | Medium | fixed 2fa codes not being validated on login with enter; auto submit after 6 numbers | llm_adapter@2026-05-21 | high | — |
Full changelog
What's changed
- fixed text files not being visible on view-route #1040
- fixed register user link/button not showing up on login page
- fixed old cached views not being deleted
- fixed error handling for api upload
- fixed various markdown and file rendering issues
- fixed filenames with multiple ext getting truncated #384
- fixed crash loops when having invalid passkey settings #1047
- fixed session serialization errors
- fixed OIDC login issues on first-login vs subsequent logins #1062
- fixed not returning a HTTP 404 on the not found pages #1061, #1063
- fixed thumbnail issues with s3, better error handling: #1069, #1072
- fixed TOTP codes not accepting the previous or next codes (±30 second tolerance) #1081
- fixed 2fa codes not being validated on login with enter #1073
  - they also auto submit when 6 numbers have been entered
- added "access token"s for password protected URLs and files:
  - Go to a passwd protected file > it asks for a password > a 15 minute access token is created > it's appended to the URL
  - It won't work after 15 minutes.
  - This fixes issues with cookies being cached or the entire page being cached by cloudflare and such
- added server side pagination for public folders #1052
- added file navigation buttons #1046
  - Pressing arrows or arrow-keys on your keyboard will go to the previous and next file
- added NEW full screen (viewport) file viewer
  - This is now the default viewer, but can be changed back to the old one if you want:
    - Go to your user settings > Dashboard Settings
    - Select "Default (modal)"
  - Feedback is welcome, if you have ideas please make an issue instead of a discussion for stuff that is related to the new file viewer
- added more notifications for errors thrown on uploads
- added unix socket support: set `CORE_HOSTNAME` to the path of a socket, `/tmp/zipline.sock`
  - you need to set `CORE_PORT` as well, but this is ignored
- added PKCE for oauth
  - Tested clients: authentik, keycloak, authelia, kanidm
  - Open a PR if you encounter issues with PKCE
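The ±30 second TOTP tolerance from #1081, sketched as an added example (this is not zipline's code; `hotp`, `verifyTotp` and `lastUsedCounter` are hypothetical names, and the secret is the public RFC test secret). It goes one step beyond the changelog by rejecting replayed codes, since accepting the previous and next step keeps each code valid for about 90 seconds.

```javascript
// Added example: RFC 6238 TOTP check with a +/-1 step window (not zipline's code).
const crypto = require("node:crypto");

const STEP_SECONDS = 30;
const DIGITS = 6;

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation.
function hotp(secret, counter) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 10 ** DIGITS).padStart(DIGITS, "0");
}

// Returns the matched time-step counter, or null if the code is rejected.
// `window` is the number of steps accepted on each side of the current step.
// `lastUsedCounter` (hypothetical per-user state) blocks replay of a code
// that was already accepted, or of any older one.
function verifyTotp(secret, code, nowSeconds, window = 1, lastUsedCounter = -1) {
  if (!/^\d{6}$/.test(code)) return null;
  const current = Math.floor(nowSeconds / STEP_SECONDS);
  const given = Buffer.from(code);
  let matched = null;
  for (let c = current - window; c <= current + window; c++) {
    if (c < 0) continue;
    const expected = Buffer.from(hotp(secret, c));
    // Constant-time compare; the loop always runs the full window.
    if (crypto.timingSafeEqual(expected, given) && c > lastUsedCounter) matched = c;
  }
  return matched;
}

// Constructed input: the test secret published in RFC 4226 / RFC 6238.
const SECRET = Buffer.from("12345678901234567890", "ascii");
```

With `window = 0` a code typed a second after the step rolls over is rejected, which is the behaviour the fix removes; the caller should persist the returned counter and pass it back as `lastUsedCounter` on the next login.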
Pull's merged
- fix: return 404 status on not-found SPA fallback (#1061) by @tomasz-kolodziej-esky in https://github.com/diced/zipline/pull/1063
New Contributors
- @tomasz-kolodziej-esky made their first contribution in https://github.com/diced/zipline/pull/1063
Full Changelog: https://github.com/diced/zipline/compare/v4.5.3...v4.6.0
About zipline
A ShareX/file upload server that is easy to use, packed with features, and with an easy setup!