Release history
FileRise releases
FileRise – lightweight, self-hosted file manager & storage hub with granular ACLs, resumable uploads, encrypted folders, WebDAV & SSO. Fully Docker / Unraid compatible.
All releases
40 shown
v3.13.0
Maintenance
Minor fixes and improvements.
Full changelog
Changes 05/07/2026 (v3.13.0)
release(v3.13.0): DOMPurify and phpseclib dependency updates
Commit message
release(v3.13.0): DOMPurify and phpseclib dependency updates
- deps(frontend): upgrade bundled DOMPurify from 3.3.1 to 3.4.2
- deps(composer): upgrade phpseclib/phpseclib to 3.0.52
Changed
- Dependency security maintenance
- Updated bundled DOMPurify from
3.3.1to3.4.2and pointed the app shell at the new vendored path. - Updated
phpseclib/phpseclibto3.0.52in Composer dependencies and the locked dependency set.
- Updated bundled DOMPurify from
v3.13.0
Full Changelog
SHA-256 (zip)
d10522271eeadb3556329ab87b292faf5b143b7035dea78c1a0d63f4e3ad977e FileRise-v3.13.0.zip
v3.12.0
Security relevant
⚠ Upgrade required
- Users needing to replace their authenticator must disable TOTP and enable it again to generate a fresh enrollment.
Security fixes
- TOTP setup flow hardening: QR generation now requires a fully authenticated profile session and disallows reusing existing TOTP enrollment data, closing an abuse vector.
Full changelog
Changes 04/29/2026 (v3.12.0)
release(v3.12.0): TOTP setup flow hardening
Commit message
release(v3.12.0): TOTP setup flow hardening
- auth(totp): tighten setup QR access to fully authenticated profile sessions
- auth(totp): avoid reusing existing TOTP enrollment data during setup
Fixed
- TOTP setup flow hardening
- Tightened TOTP setup so enrollment QR generation is only available from a fully authenticated profile session.
- Accounts that already have TOTP configured are no longer offered a setup QR for the existing enrollment.
- Existing TOTP sign-in, recovery-code, disable, and first-time setup flows remain supported.
Changed
- Authenticator re-enrollment behavior
- Users who need to enroll a replacement authenticator should disable TOTP and enable it again to generate a fresh enrollment.
v3.12.0
Full Changelog
SHA-256 (zip)
40e8c5c1c30f6196c0dabe69437377ddb9ca6a7fba4440de4e63e6da152673a2 FileRise-v3.12.0.zip
v3.11.2
Security relevant
Security fixes
- Variable-time HMAC comparison vulnerability in SSH2::get_binary_packet() (phpseclib/phpseclib 3.0.51)
Full changelog
Changes 04/16/2026 (v3.11.2)
release(v3.11.2): phpseclib security dependency update
Commit message
release(v3.11.2): phpseclib security dependency update
- deps(composer): upgrade phpseclib/phpseclib to 3.0.51 to pick up the latest upstream security fix
Changed
- Dependency security maintenance
- Updated
phpseclib/phpseclibto3.0.51in Composer dependencies to pick up the current upstream security fix in the locked dependency set. - This release addresses the upstream advisory covering variable-time HMAC comparison in
SSH2::get_binary_packet().
- Updated
v3.11.2
Full Changelog
SHA-256 (zip)
ab30b6a719d042ba638332d136870449a2f94d9355b85b00e939cb55989909ff FileRise-v3.11.2.zip
v3.11.1
Security relevant
Security fixes
- Deleted-account session invalidation
- Remember-me token revocation
v3.11.0
Security relevant
Security fixes
- Snippet ownership enforcement for own-only folders
- phpseclib security patch 3.0.50
v3.10.0
Security relevant
Security fixes
- Resumable temp-folder cleanup authorization
- ONLYOFFICE callback binding to authorized actor
v3.9.4
Maintenance
Clarified persistent-token key compatibility story for existing installs, ensuring legacy fallback behavior is preserved while post-rotation consistency is maintained.
v3.9.3
Bug fix
Fixed worker environment to prevent legacy persistent-token key fallback from causing transient 500 errors after in-app key rotation.
v3.9.2
Bug fix
Fixed transient Admin Panel failures after key transitions by retrying adminConfig.json decryption once before surfacing errors.
v3.9.1
Bug fix
Fixed bootstrap white-page during persistent-token key rotation by safely falling back on failed adminConfig decryption, and improved startup script shell compliance.
v3.9.0
New feature
Security fixes
- Instance-unique key defaults for Docker installs
Notable features
- Admin rotation workflow
- Auto-generated Docker keys
- Remember-me session expiration
v3.8.0
Security relevant
Security fixes
- Share-link admin authentication
- WebDAV folder-name validation
- .htaccess/.user.ini blocking
Notable features
- Centralized safe-upload policy
- Configurable strict/code-friendly modes
v3.7.0
New feature
Notable features
- AI chat workspace
- PDF previews
- AI automation workflows
v3.6.0
New feature
Notable features
- Gateway Shares v2
- Automation APIs
- MCP core seam
v3.5.2
Bug fix
Relaxed username validation to allow dots and @ symbols while blocking . and .. edge cases, fixed PHP namespace resolution for stdClass returns under FileRise\Domain namespace.
v3.5.1
New feature
Notable features
- Authenticated file deep links
- File-request mode
v3.5.0
New feature
Notable features
- Async transfer jobs
- Transfer Center
- Service layer
v3.4.1
Maintenance
Applied PSR-12 style cleanup replacing inline control structures with block form in WebDavAdapter and SourcesConfig without behavior changes.
v3.4.0
New feature
Notable features
- Core Sources support
- Gateway Shares API
- Pre-theme bootstrap
v3.3.3
Bug fix
Fixed OnlyOffice sourceId validation to accept sourceId=local on non-Pro installs, improved Pro bundle remote download reliability with browser User-Agent headers and HTML response detection, and provided clearer installation guidance.
v3.3.2
Maintenance
Migrated backend to PSR-4 namespace (FileRise\) with Composer autoloading, reorganized API endpoints by scope (admin/profile/public) with legacy shims, updated OpenAPI generation, and fixed PHP 8.2+ nullable type deprecation.
v3.3.1
Bug fix
Fixed non-Pro move/copy operations failing due to stray sourceId validation, updated security policy documentation with version support clarity, and bumped manual-sync helper version.
v3.3.0
Security relevant
Breaking changes
- Direct /uploads/* access now blocked
Security fixes
- Tag color sanitization
- Direct uploads access restriction
v3.2.4
New feature
Notable features
- Configurable group claim
- Extra scopes support
v3.2.3
New feature
Notable features
- Upload preflight endpoint
- Resumable cleanup controls
v3.2.2
Maintenance
Updated OpenAPI specification to reflect current shipped endpoints including archive downloads as queued jobs, thumbnail endpoint, shared folder APIs, and file share view options.
v3.2.1
New feature
Notable features
- Modern share UI
- Portal browsing
- Pro branding upgrades
v3.1.7
Bug fix
Notable features
- Persistent file selections
- Pro bundle install progress
v3.1.6
New feature
Notable features
- OneDrive and Dropbox adapters
- Group ACL per source
- Source-aware file list
v3.1.4
Bug fix
Restored resumable upload resume checks to allow interrupted uploads to continue where they left off, and clarified Pro license renewal wording.
v3.1.1
New feature
Notable features
- OIDC env variable overrides (FR_OIDC_AUTO_CREATE, GROUP_CLAIM, ADMIN_GROUP, PRO_GROUP_PREFIX)
- Configurable resumable chunk size (0.5-100 MB)
- Admin settings search
v3.1.0
New feature
Notable features
- New locales: Polish, Russian, Japanese, Simplified Chinese
- Admin default language setting
- FFmpeg binary path configuration
v3.0.2
New feature
Notable features
- Video thumbnail API endpoint
- Server-side ffmpeg thumbnail generation
- Docker image with ffmpeg
v3.0.1
New feature
Breaking changes
- Archive UI terminology changed from ZIP to Archive
Notable features
- 7z archive creation and extraction support
- RAR extraction via unar/7z fallback
- Archive format selector (ZIP/7z)
v3.0.0
New feature
Notable features
- Storage adapter interface
- Source-aware core architecture
- Cross-source copy and move operations