Release history
BookStack releases
A platform to create documentation/wiki content built with PHP & Laravel
All releases
15 shown
v26.03.4
Security relevant
Security fixes
- Improved attachment-related permission checks
- URL validation for webhooks to prevent escaping workarounds
Full changelog
Security Release
This is a security release to improve attachment related permission checks, and URL validation for webhooks.
Upgrade is advised if you allow untrusted users to delete attachments, or if untrusted users have permission to create webhooks on instances which make use of the ALLOWED_SSR_HOSTS BookStack env file option.
Thanks to 404_pkj (GitHub) and naruhodoowl (GitHub) for responsibly reporting these issues.
Full List of Changes
- Updated PHP package versions.
- Updated attachment actions to align page access check.
- Updated URL validation in webhooks to help prevent escaping workarounds.
- Fixed issue where exact search term negation would lead to no results. (#6121)
v26.03.3
Maintenance
The release refreshes project translations from Crowdin and upgrades required PHP library versions, enhancing language support and ensuring compatibility with current PHP runtimes.
v26.03.2
Security relevant
Security fixes
- Registration form could be manipulated to gain access to additional roles
v26.03.1
Security relevant
Security fixes
- Hidden page content visible during markdown exports due to permission bypass
v26.03
New feature
Notable features
- New theme module system for better organization
- Logical theme events for page content render/pre-save
- OIDC authentication URL customization
v25.12.9
Security relevant
Security fixes
- Style code in revision views could manipulate page display, enabling phishing/tracking attacks
v25.12.8
Bug fix
Fixed content filtering to preserve link target attributes for proper 'New Window' link behavior and restored user references in comments while updating PHP dependencies.
v25.12.7
Bug fix
Fixed editor loading error that occurred when opening pages with blank content created by different users, resolving regression from content filtering changes in v25.12.4.
v25.12.6
Bug fix
Fixed drawings becoming non-editable due to overly aggressive content filtering from v25.12.4. Updated filter to allow required drawio diagram attributes.
v25.12.5
Bug fix
Fixed folder permission issues causing access errors introduced by v25.12.4 filter changes. Updated filter caching to avoid filesystem permission problems.
v25.12.4
Security relevant
Breaking changes
- ALLOW_CONTENT_SCRIPTS environment option deprecated; use APP_CONTENT_FILTERING instead
Security fixes
- Style code in page content could manipulate pages beyond expected area, enabling phishing/tracking attacks
Notable features
- New APP_CONTENT_FILTERING option for granular control
v25.12.3
Security relevant
Breaking changes
- Most form elements removed from page content on render
Security fixes
- Form elements in page content could be exploited to trick privileged users into unauthorized API requests
v25.12.2
Maintenance
Updated translations with latest community contributions and refreshed PHP package versions for maintenance and compatibility.