⚠️ Security fixes

• Add missing access checks when managing event series (CVE-2026-28352, thanks @lighthousekeeper1212)

🎉 Improvements

• Show picture field validation status in the registration form (#7337, thanks @jbtwist, @unconventionaldotdev)
• Add a setting CHECK_ACTION_PERMISSIONS to hide event creation/management buttons for guests and users who do not have access to them (#7332, thanks @jbtwist, @unconventionaldotdev)
• Add option to filter room booking calendar to show only unused rooms (#7350)

🐛 Bugfixes

• Show event role dropdown when editing contribution/session ACLs (#7339)
• Fix error when loading category search results with extra query string params from external search plugins (#7345)
• Require management access to all events in a series to manage it (#7348)
• Fix deleting an event series that contains deleted events (#7348)
• Fix email validation error when entering speakers manually in an invited abstract while logged in (#7340)

♿ Accessibility

• Screen readers now announce the filtering state indicator descriptive text instead of just the short numeric label (#7335, thanks @foxbunny)
• Screen reader users can now identify the search field on the contribution list page (#7343, thanks @foxbunny)
• The contribution list is now announced as a list by screen readers, conveying the number of items (#7346, thanks @foxbunny)
• Contribution descriptions are no longer announced as links by screen readers (#7349, thanks @foxbunny)
• Contribution list description text, track badges, and type badges now meet WCAG AA color contrast requirements (#7351, thanks @foxbunny)
• Dialogs now announce their title to screen readers and return focus to the trigger element when closed (#7354, thanks @foxbunny)

🔧 Internal Changes

• Require a modern Sentry version (at least v20.6.0) when using a self-hosted Sentry installation for error reporting (#7333)

⚠️ Security fixes

• Fix potential SSRF issues by disallowing outgoing requests to private/internal/local IP addresses when the URL is user-provided (CVE-2026-25738)

• Fix an open redirect which could help making harmful URLs look more trustworthy by linking to Indico and having it redirect the user to a malicious site
• Fix an XSS vulnerability related to uploaded materials (CVE-2026-25739)

🎉 Improvements

• Log changes to event reminders in the event log (#7242)
• Allow sending account creation notifications to specific email addresses (#7166, #7233, thanks @duartegalvao)
• Support markdown in survey introduction text (#7260)
• Add Content-Security-Policy support (opt-in via the CSP_ENABLED setting) and send a strict CSP for material downloads (#5486, #7257, #7303, #7308)
• Allow admins to disable Gravatar/Identicon profile pictures via the DISABLE_GRAVATAR config option (#7210, #7251, thanks @duartegalvao, @unconventionaldotdev)
• Add a UI for managing predefined affiliations (#7183, #7278, thanks @duartegalvao, @unconventionaldotdev)
• Add support for configurable file types in Paper Peer Reviewing (#7162, #7156)
• Use the event's default language (or system default if not set) when creating abstract notifications instead of the user's current language (#7294)
• Allow cloning registration forms within an event (#3229, #6822, thanks @adam-parker1, @Emilijus-M)
• Allow removing countries and providing custom translated names for countries via config (#7292, #7299, thanks @jbtwist)
• Add link from log entry details to the related object's page where applicable (#7269, thanks @vtran99)

🐛 Bugfixes

• Fix error when adding a user to a material ACL in a subcontribution (#7209)
• Fix timezone selector behaving incorrectly when choosing a custom timezone (#7214)
• Fix error when using shibboleth for authentication (#7213, #7215)
• Fix error when sending scheduled reminders using an event time placeholder (#7238)
• Fix rendering static text/images in poster templates (#7239)
• Do not revert to defaults when disabling all optional event cloners (#6833, #7245)
• Fix changing tracks for invited abstracts (#7061, #7240)
• Disallow local account passwords longer than 72 characters instead of truncating them (#7254)
• Fix recurrence information not being correctly included in room booking ical export (#7255)
• Fix weird indentation on list items in markdown field preview (#7260)
• Fix unique title validation for disabled regform fields (#7277)
• Fix DatePicker min/max limits being affected by client timezone (#7273, #7280, thanks @jbtwist)
• Fix validation error when choosing exactly the maximum date in a regform date field (#7288)
• Fix submit buttons not being enabled when modifying a markdown field using only the button bar or a keyboard shortcut (#7310)
• Enforce DNS checks on emails only when inviting a new user, and not when importing from CSV (#7291, thanks @duartegalvao, @unconventionaldotdev)
• Hide "This field is required" error while uploading files on single-file upload fields (#7325, thanks @duartegalvao, @unconventionaldotdev)

♿ Accessibility

• Add accessible labels and tooltips to icon-only toolbar buttons in the contribution list (#7316, thanks @foxbunny)
• Screen reader users can now discover the page footer and conference side menu as a landmark region (#7312, thanks @foxbunny)

🔧 Internal Changes

• Require at least Postgres 14 during new installations. This check can be forced on older Postgres versions (even though they are end-of-life), but we make no guarantees that nothing is broken (#7232)
• Disallow server-side requests to private, loopback, reserved and link-local IP ranges in places where the URL is user-provided (Mastodon URL check, LaTeX image retrieval, static site generation) (#7244)
• Log requests to the legacy export API to indico.log (#7290)
• Disallow concurrent generation of category statistics (#7307)

⚠️ Security fixes

• Fix an open redirect which could help making harmful URLs look more trustworthy by linking to Indico and having it redirect the user to a malicious site
• Fix an XSS vulnerability with HTML materials when stored on S3 with certain configuration settings

Note: Anyone running Indico using the "standard" setup from our installation guide or without storing files on S3 (using the storage_s3 plugin) is completely unaffected by this problem.

🎏 Internationalization

• New translation: Finnish

🎉 Improvements

• Disallow comments/judgments on outdated editables (#7067)
• Log original email content (with placeholders) when emailing registrants or sending invitations (#7093)
• Disallow sending registration emails or invitations containing hardcoded (and usually incorrect) token links (#7093)
• Add support for showing registration pictures in the check-in app (#7099)
• Support post-event reminders relative to the event end time (#7094)
• Log local group membership changes of users (#7122, thanks @tomako)
• Warn when downloading files from an editable not assigned to you (#7131, #7132)
• Add URL args to set the default view and date of the category calendar view (#7144)
• Allow changing review tags in the editing timeline (#7133, #7134)
• Add an option to request changes in bulk on the editable list (#7062, #7100)
• Clone persons settings when cloning an event (#7158)
• Clone editable-type-specific settings when cloning an event (#7158)
• Allow admins to add a secondary email address to a user without sending a validation email (#6872, #7116, thanks @vasiliyk)
• Add new SMTP_USE_SSL config option to use always-on TLS (SMTPS) instead of STARTTLS when sending emails (#4347, #7177, thanks @bpedersen2)
• Add review count & score standard deviation columns to the abstract list (#7173)
• Add min/max date settings to registration form date fields (#6842, thanks @SegiNyn)
• Allow adding a preface when re-sending emails from the event log (#7172, thanks @duartegalvao, @unconventionaldotdev)
• Disallow adding multiple fields with the same title in a single registration form section (#7181, thanks @tomako)
• Add a customizable announcement text on top of the registration form list in conferences with multiple registration forms (#6916, thanks @openprojects)
• Add a button to view related logs to the management view of a registration (#7186, thanks @vtran99)
• Log attachment & menu entry ACL changes to user log (#7136, thanks @tomako)
• Add placeholders to custom event reminders (#7115, thanks @tomako)
• Add option to require international phone number format in registration form (#7199, thanks @openprojects)
• Refactor the registration invitation dialogs using React and add email previews (#7168, thanks @duartegalvao, @unconventionaldotdev)
• Add setting EMAIL_LOG_STORAGE to permanently store email attachments and allow re-sending emails with attachments from the event log (#7182, #7203, thanks @moliholy, @unconventionaldotdev)
• Show confirmation dialog when sending invitations (#7204, thanks @duartegalvao, @unconventionaldotdev)
• Show a warning when bulk registration approval/rejection skips registrations that are not pending (#7197, #7205, thanks @duartegalvao, @unconventionaldotdev)
• Add a JSON endpoint that returns the event's program/tracks (#7207)

🐛 Bugfixes

• Do not allow sending registration invitation reminders without the invitation link placeholder (#7093)
• Correctly log the user sending a registration invitation reminder (#7093)
• Fix error in weekday recurrence picker when using the Turkish locale (#7113)
• Do not allow selecting fields in disabled sections as a condition (#7114)
• Fix timetable PDF cover page layout to allow proper centering of content (#7148, #7149)
• Fix the logic to force downloads not being applied for materials hosted on some storage backend setups (#7164)
• Preserve configured registration date formats in Excel exports (#7157, thanks @duartegalvao, @unconventionaldotdev)
• Fix inconsistent styling of nested lists in minutes and editor output (#7063, #7105, thanks @AtharvMixraw)
• Validate the arrival/departure date in the registration form accommodation field (#7171, #7174)

♿ Accessibility

• Fix category list link color contrast (#7070, thanks @foxbunny)
• Fix color contrast and semantics of the protection icon and event count in category link (#7071, thanks @foxbunny)
• Fix color contrast and screen reader support of the icons in the event list (#7073, thanks @foxbunny)
• Fix color contrast and screen reader support of the hidden block buttons in the event list (#7079, thanks @foxbunny)
• Fix contrast of the category info text (#7078, thanks @foxbunny)
• Fix contrast and screen reader support in breadcrumbs (#7088, thanks @foxbunny)
• Fix the semantics for the empty materials text (#7096, thanks @foxbunny)
• Fix announcements accessibility (#7098, thanks @foxbuny)
• Fix conference description color contrast (#7118, thanks @foxbunny)
• Improve infogrid accessibility (#7119, thanks @foxbunny)
• Improve dropdown accessibility in category list toolbar (#7069, thanks @foxbunny)
• Fix footer color contrast (#7095, thanks @foxbunny)

🔧 Internal Changes

• Allow plugins to store custom annotations/metadata on attachments, and indicate that it has been converted from another attachment (#7108)
• Refactor conference page theme CSS to allow easier theming using CSS variables (#7110, thanks @foxbunny)
• Add clear button to optional date picker fields (#7151, thanks @foxbunny)

⚠️ Security fixes

• Fix a legacy API giving access to profile details of other users due to a broken authorization check (CVE-2025-59034, thanks @inkz)
• Fix an XSS vulnerability in the LaTeX math rendering code applied to contribution descriptions (CVE-2025-59035)

🎉 Improvements

• Add a CAPTCHA and rate limiting to the material package endpoint, and an event setting to restrict who can generate one (defaults to managers only) (#6996)
• Add support for custom event reminders with freely chosen subject and body, and allow rich-text for the custom message in standard reminders (#6989, thanks @tomako, @unconventionaldotdev)
• Allow specifying a maximum session lifetime via SESSION_MAX_LIFETIME beyond which it cannot be refreshed by activity (#7030)
• Make displaying corresponding author email addresses in the Book of Abstracts opt-in (#7002, thanks @adamjenkins)
• Allow selecting which invitees to remind on the invitations list (#6804, #6918, thanks @duartegalvao, @unconventionaldotdev)
• Add option in the invitation form to lock registrations to the specified email address (#6803, #6972, thanks @duartegalvao, @unconventionaldotdev)
• Add plugin support for scanning custom QR codes in the Check-in app (#6954, thanks @SegiNyn)
• Add new tags column to the Editable list (#6614, #6615)

🐛 Bugfixes

• Fix missing spacing between toolbar button groups (#6981)
• Fix error with certain registration form field types if the badge text overflow behavior was set to "resize" (#6993)
• Fix not being able to update a registration if an accommocation field was added after registering and the user already paid for the registration (#7000)
• Fix registration form field type selector not being fully visible on smaller screen widths (#7012, #7013)
• Fix user search not working for admins in room booking module with no rooms defined (#7016, #7017, thanks @behackl)
• Fix author contribution list not showing any other contributions (#7025, #7049, thanks @diksharai9)
• Fix some LaTeX strings being rendered incorrectly and/or breaking the timetable PDF generation (#7068)

♿ Accessibility

• Use proper heading hierarchy (H3 instead of H4) for date headings on category event list pages (#7038, thanks @foxbunny)
• Add accessible labels to extra slots dropdown fields in registration forms (#7039, thanks @foxbunny)
• Use proper semantic heading elements for registration form section titles (#7040, thanks @foxbunny)
• Improve screen reader + keyboard support in the registration form picture field (#7064, #7065, thanks @foxbunny)

🔧 Internal Changes

• Remove broken support for custom multipass providers setting a maximum session lifetime; use SESSION_MAX_LIFETIME instead (#7030)
• Use Biome to format JS/JSX, TS/TSX, JSON and CSS (#7042)
• Add the env var INDICO_TEST_USE_DOCKER, which allows for tests to be run on a PostgreSQL server running in a container

⚠️ Security fixes

• Prevent dumping basic user details (name, affiliation and email) in bulk using the user id (CVE-2025-53640)

🎉 Improvements

• Add a new ALLOWED_LANGUAGES setting to indico.conf to restrict which languages can be used (#6818, thanks @openprojects)
• Set reasonable maximum lengths on signup form fields (#6724)
• Preserve the selected day when switching between room booking calendar view modes (#6817)
• Notify room moderators about new pending bookings in their rooms (#6823)
• Show moderated rooms as "mine" and enable "bookings in my rooms" etc. for room moderators (#6823)
• Use the new date picker in more places (#6662, #6832)
• Log conference menu changes (#6851, thanks @openprojects)
• Add duration and date/time placeholders when sending emails for contributions (#6860)
• Use STATIC_SITE_STORAGE for the temporary file from a material package (#6898)
• Implement conditional fields in registration forms (#1227, #6678, thanks @moliholy, @OmeGak, @unconventionaldotdev)
• Log user-specific ACL changes to user log (#6841, thanks @tomako)
• Include language settings when cloning an event (#6871, #6929)
• Log user merges to user log (#6882, #6920)
• Allow re-sending emails from their log entries (#6805, #6909, thanks @duartegalvao, @unconventionaldotdev)
• Allow adding/removing favorite users from search results (#6950)
• Make text overflow behavior in badge designer configurable (#6944, thanks @SegiNyn)
• Clone registration tags when cloning registration forms and preserve registration tags when cloning registrations (#6820, #6964)
• Allow restricting reminder recipients by registration form and tags (#6877, thanks @tomako, @unconventionaldotdev)
• Searching existing Indico users can be restricted to managers by setting ALLOW_PUBLIC_USER_SEARCH to False. This also limits the verbosity of email status checks while registering for events and disallows registering on behalf of another Indico user (#6960)
• Allow linking existing booking to an event even if there's no exact date/time overlap, and do not show a large number of unrelated bookings (#6568, #6811, #6846, thanks @moliholy, @unconventionaldotdev)
• Add a log for global admin actions, similar to that in events, categories and users (#6868, thanks @tomako)

🐛 Bugfixes

• Fix inconsistent page numbering in PDF timetable (#6824, #6827)
• Do not log logins rejected by a plugin as errors (#6834, thanks @OmeGak)
• Do not trigger notifications for withdrawn service requests when deleting past events (#6700, #6754, thanks @bhngupta)
• Fix date picker on category calendar view (#6849, #6850)
• Fix scheduling existing contributions not working in rare cirucmstances (#6853)
• Convert author/speaker email addresses to lowercase during input and use the lowercase version for deduplication (#6855)
• Fix error when removing the title of an event person (#6859)
• Fix participant visibility being set to "nobody" when a registration was modifified (#6863)
• Fix error when editing a room while no custom attributes have been defined (#6840)
• Allow the browser to perform spellchecking in the HTML/WYSIWYG minutes editor (#6890)
• Fix downdown/combobox issues on iOS Safari devices (#6830, #6839, thanks @foxbunny)
• Fix font rendering issue in event titles with some cyrillic characters (#6673, #6881, thanks @Fedor204)
• Include registration tags in event export (#6896)
• Fix some messages not being translated due to a missing context (#6910)
• Fix datetime handling in excel exports (#6806, #6887, thanks @duartegalvao, @unconventionaldotdev)
• Fix date range picker not working in some languages (e.g. Japanese) (#6921, #6922)
• Fix error when searching in user logs (#6933, #6936)
• Fix room booking prompt during event creation not showing up (#6941)
• Fix AM/PM indicator based on event language in PDF timetable (#6888)

🔧 Internal Changes

• Expose cloning details such as object mappings in the event.cloned signal (#6858)
• Expose cloning details in the contribution.created and subcontribution.created signals (#6858)
• Add the id and color of registration tags on the Checkin API endpoint for registation data (#6874, thanks @duartegalvao)
• Allow disabling arbitrary dates in date picker / calendar controls (#6905, thanks @foxbunny)
• Support custom data rendering logic in custom registration form fields (#6967)
• Support custom columns and filters in mangement registrant list (#6968)

⚠️ Security fixes

• Update the Jinja2 library due to a sandbox escape vulnerability (CVE-2025-27516).

Note: Since document templates can only be managed by Indico admins (unless granted to specific other trusted users as well), the impact of this vulnerability is considered low to medium, as it would require a malicious admin to abuse this e.g. to to read indico.conf data, which is otherwise only accessible to people with direct server access.

🎉 Improvements

• Add a new "Accepted by Submitter" state for editables when a submitter approved the changes proposed by the editor (#6185, #6186)
• Highlight editables in the editable list that have been updated since the last time they were viewed (#6500)
• Refresh the looks of the PDF timetable (#6554, #6558)
• Redact session cookie value in error emails (#6666)
• Allow creating a new local account during password reset if the user does not have one yet (#6688)
• Set session cookies with SameSite=Lax so they are not sent when Indico is embedded in a third-party iframe (#6690)
• Make the event export/import util much more flexible to support exporting whole category subtrees, add better support for dealing with files, and add various things that were not correctly exported before (#6446)
• Add a setting to limit the information room booking users can see for bookings not linked to them or their rooms (#6704)
• Add shortcuts to the past and closest events in a category (#6710)
• Improve the appearance of the date pickers (#6719, #6720, thanks @foxbunny)
• Add a new setting (ALLOW_ADMIN_USER_DELETION) to let administrators permanently delete Indico users from the user management UI (#6652, thanks @SegiNyn)
• Support ==text== to highlight text in markdown (#6731, #6732, #6767)
• Add an event setting to allow enforcing search before entering a person manually to a persons list in abstracts and contributions (#6689)
• Allow users to login using their email address (#6522, thanks @SegiNyn)
• Do not "inline" the full participant list in conference events using a meeting-style timetable and link to the conference participant list instead (#6753)
• Add new setting LOCAL_USERNAMES to disable usernames for logging in and only use the email address (#6751, #6810)
• Tell search engines to not index events marked as "invisible" (#6762, thanks @openprojects)
• Make the minimum length of local account passwords configurable, and default to 15 instead of 8 for new installations (#6629, #6740, thanks @amCap1712)
• Include submitter email in abstract PDF export (#3631, #6748, thanks @amCap1712)
• Remove anonymized users from local groups (#6738, thanks @SegiNyn)
• Add ACLs for room booking locations which can grant privileges on the location itself and/or all its rooms (#6566, thanks @SegiNyn)
• Support alternative names in predefined affiliations and make its search more powerful (#6758)
• Add setting to disallow entering custom affiliations when predefined affiliations are used (#6809)
• Log changes to event payment methods (#6739)
• Add button to select all rooms for exporting in the room list (#6773, thanks @Michi03)
• Include abstract details in comment notification email subject (#6449, #6782, thanks @amCap1712)
• Use markdown editor field in survey questionnaire setup (#6783, thanks @amCap1712)
• Use markdown editor field for contribution description (#6723, #6749, thanks @amCap1712)
• Allow resetting registrations back to pending in bulk (#5954, #6784, thanks @amCap1712)
• Allow to configure a restrictive set of allowed contribution keywords (#6778, thanks @tomako, @unconventionaldotdev)
• Add a log for user actions, similar to that in events and categories (#6779, #6813, thanks @tomako)

🐛 Bugfixes

• Fix error when using the "Request approval" editing action on an editable that does not have publishable files (#6186)
• Do not fail if a user has an invalid timezone stored in the database (#6647)
• Ensure the event name is correctly encoded to prevent issues with special characters in the share event widget (#6649)
• Fix sending emails if site name contains an @ character (#6687)
• Do not show country field description twice in registration forms (#6708)
• Do not show "other" document templates from deleted events/categories (#6711)
• Fix price display of choice fields in registration form (#6728, #6729)
• Fix error when creating a new room and setting attributes or equipment during creation (#6730)
• Fix the usage of select list scrollbar causing it to close immediately (#6735, #6736, thanks @foxbunny)
• Trigger event creation notification emails when cloning events (#6744)
• Fix image uploading not working when editing an existing note without having permissions to manage materials on the event level (#6760)
• Do not redirect to the ToS acceptance page when impersonating a user (#6770)
• Fix display issues after reacting to a favorite category suggestion (#6771)
• Include event labels in dashboard ICS export (#5886, #6372, #6769, thanks @amCap1712)
• Do not show default values for purged registration fields (#5898, #6772, #6781, thanks @amCap1712)
• Do not create empty survey sections during event cloning (#6774)
• Fix inaccurate timezone in the dates of the timetable PDF (#6786)
• Fix error with accommodation fields that have the "no accommodation" option disabled (#6812)
• Reset token-based links for correct user when done by an admin (#6814)

♿ Accessibility

• Make field validation error messages more accessible in the registration form (#6324, thanks @foxbunny)
• Implement a new date range picker and use it in the Room Booking module (#6464, thanks @foxbunny)
• Make main section title in the base layout the default bypass blocks target (#6726, thanks @foxbunny)
• Improve places selection accessibility in SingleChoiceInput (#6763, thanks @foxbunny)
• Improve places selection accessibility in MultiChoiceInput (#6764, thanks @foxbunny)
• Improve BooleanInput accessibility (#6756, thanks @foxbunny)
• Improve keyboard navigation order within the category list page (#6776, thanks @foxbunny)

🔧 Internal Changes

• Remove the marshmallow-enum dependency (#6701, #6703, thanks @federez-tba)
• Add new signals during signup email validation and login which can make the process fail with a custom message (#6759, thanks @openprojects)

⚠️ Security fixes

• Fix an open redirect during account creation. Exploitation requires initiating account creation with a maliciously crafted link, and then finalizing the signup process, after which the user would be redirected to an external page instead of staying on Indico (thanks @GauthierGitHub)

🎏 Internationalization

• New translation: Japanese

🎉 Improvements

• Allow specifying "prev" and "next" as the date param on the category overview page to show the previous or next period relative to the current date (#6537)
• Add caching and rate-limiting (configurable via LATEX_RATE_LIMIT, and only applied to unauthenticated users) for endpoints that trigger LaTeX PDF generation (#6526)
• Log changes to registration form settings in the event log (#6544, thanks @vtran99)
• Improve conference participant list, especially when participants from multiple registration forms are shown separately (#6440, #6489)
• Include information about attached files in JSON export of abstracts (#6556)
• Take session program codes into account when sorting parallel sessions with the same start time in meeting timetable (#6575)
• Enforce browser-side caching of event logos and custom stylesheets (#6555, #6559)
• Default to banner-style (full width) logos in newly created conference events (#6572, thanks @OmeGak)
• Add email placeholder for the picture associated with a registration (#6580, thanks @vtran99)
• Allow setting placeholders for text fields in receipt templates (#6587)
• Add a new receipt template for Certificates of Attendance (#6587)
• Show correct repetition details for bookings repeating every n weeks (#6592)
• Show context (event/contribution title etc.) in the title of the minutes editor (#6584, #6591)
• Streamline "get next editable" UI and only show editables that still unassigned (#6583)
• Add preview link for custom text snippets in registration notification emails (#6539, #6560, thanks @moliholy, @unconventionaldotdev)
• Stop spoofing email sender addresses when using the SMTP_ALLOWED_SENDERS and SMTP_SENDER_FALLBACK config settings. Instead, the From address will be rewritten to the fallback whenever the requested address is not an allowed sender (#6231, thanks @SegiNyn)
• Allow alternative CSV delimiters everywhere when importing content from CSV files (#6607, thanks @moliholy, @unconventionaldotdev)
• Improve readability of room booking room statistics card (#6616)
• Add option to use flat zip file structure when downloading registration attachments (#6536, #6608, thanks @moliholy, @unconventionaldotdev)

🐛 Bugfixes

• Make picture field more resilient when uploading and resizing pictures close to the max upload file size (#6530, thanks @SegiNyn)
• Fix the order of the event classifications in edit mode (#6531, #6534)
• Fix an issue where scheduling a contribution on a day with an empty timetable would schedule it on the first day of the event instead (#6540, #6541)
• Fix error in unmerged participant list when the picture field is enabled and participant list columns have not been customized for that registration form (#6535)
• Fix breakage of the registration form dropdown field (and anything else using a custom element that uses ElementInternals) in older versions of Safari (#6549, thanks @foxbunny)
• Fix linebreak display in markdown code blocks in survey section descriptions (#6553)
• Include attached pictures when downloading registration attachments (#6564)
• Only allow marking unpaid registrations as paid (#6330, #6578)
• Do not allow mixing notification rules for invited abstracts with other rules (#6563, #6567)
• Use locale-aware price formatting in registration form fields (#6586)
• Handle badge designer items exceeding the canvas boundaries more gracefully (#6603, thanks @SegiNyn)

♿ Accessibility

• Improve country input accessibility (#6551, thanks @foxbunny)
• Reimplement Checkbox to make it programmatically focusable (#6528, thanks @foxbunny)
• Implement a RadioButton component to replace the SUI radio button in order to improve keyboard support (#6621, thanks @foxbunny)
• Improve keyboard accessibility of the timetable sessions field in registration form (#6639, thanks @foxbunny)

🔧 Internal Changes

• Make positioning logic from TipBase generic and reusable (#6577, #6588, thanks @foxbunny)
• Add additional signals related to videoconferences and their event links (#6475)
• Videoconference plugins now need to implement a delete_room method (#6475)
• Support translator comments when extracting translatable strings (#6620)
• renderAsFieldset option in the registration field registry can now be a function that returns a boolean (#6621, thanks @foxbunny)
• Allow overriding global theme settings for custom meeting themes (#6622)

⚠️ Security fixes

• Fix an XSS vulnerability during account creation. Exploitation requires initiating account creation with a maliciously crafted link, and then finalizing the signup process, so it can only target newly created (and thus unprivileged) Indico users. We consider this vulnerability to be of "medium" severity since the ability to abuse this is somewhat limited, but you should update as soon as possible nonetheless (GHSA-rrqf-w74j-24ff)

🎏 Internationalization

• New translation: Swedish

🎉 Improvements

• Allow cropping an existing picture in registration form picture fields (#6423, thanks @SegiNyn)
• Add task to delete old registration files when they become orphaned due to a new file being uploaded (#6434, thanks @SegiNyn)
• Allow searching for author names in editable lists (#6451)
• Add ability to filter editable lists by the parent session of the editable's contribution (#6453)
• Allow alternative CSV delimiters when importing registration invitations (#6458, thanks @moliholy, @unconventionaldotdev)
• A room's bookable hours can now be applied to specific weekdays, making it unbookable on any other weekdays (#6439)
• Add global settings for min/max registration form data retention periods (#6445, thanks @SegiNyn)
• Always open links in registration form field/section descriptions in a new tab (#6512)
• Preserve entered text when switching between commenting and judging in the editing module (#6503, #6502)
• Add quick setup button to configure default notifications in Call for Abstracts (#6454, thanks @jbtwist)

🐛 Bugfixes

• Fix display of empty session selection in registration summary (#6421, thanks @jbtwist)
• Include date when displaying session field data in registration summary (#6431, thanks @jbtwist)
• Fix the order of a day's session blocks in the registration form session field (#6428, thanks @jbtwist)
• Wrap overly long descriptions and filenames in registration form fields (#6436, thanks @SegiNyn)
• Fix validation error when clearing a date field in the registration form (#6470)
• Fix access error when a manager registers a user in a private registration form (#6486)
• Fix access error when a manager uploads files in a private registration form (#6487, thanks @vtran99)
• Improve color handling in badge designer (auto-add # for hex colors) (#6492)
• Do not count deleted rooms for equipment/attribute usage numbers (#6493, #6494)
• Allow deleting event persons which are linked to a deleted subcontribution (#6495)
• Fix validation error in registration form date fields when using Safari (#6474, #6501, thanks @foxbunny)
• Fix date picker month/year navigation not working in Safari (#6505, thanks @foxbunny)
• Enforce a minimum size on the registration form picture cropper to avoid sending an empty image after repeated cropping (#6498, thanks @jbtwist)
• Fix future events being always displayed after current events in categories while not logged in (#6509)

♿ Accessibility

• Improve registration form single choice input accessibility (#6310, thanks @foxbunny)

🔧 Internal Changes

• Indicate when a booking begins/ends in the booking calendar in day-based mode (when using a plugin to customize the room booking module) (#6414)
• Update the list of supported browsers so people using highly outdated browsers where certain features are likely broken get a warning about having to update their browser (#6442)
• Convert Room Booking splash image to WEBP (20x smaller file size) (#6468, #6465, thanks @bbb-user-de)
• Add support for TypeScript (and TSX) (#6456)
• Add <ind-combo-box> custom element (#6310, thanks @foxbunny)
• Add <ind-select> custom element (#6310, thanks @foxbunny)
• Indico and plugin wheels are now built using hatchling instead of setuptools, and package metadata is specified using pyproject.toml. Developers who want to build their own plugins need to switch from setup.py and/or setup.cfg to pyproject.toml as well (#6477)
• Prevent timetable entries with zero/negative durations (#6420)
• Warn when required indico.conf settings are missing or empty (#6504, thanks @OmeGak)

🎏 Internationalization

• New translation: Hungarian

🎉 Improvements

• Add dialog to contact event participants about a survey (#6069, #6144)
• Allow linking existing room booking occurrences to an event (#6243, thanks @moliholy, @unconventionaldotdev)
• Support including a picture (from a registration's picture field) in the conference participant list (#6228, thanks @vtran99)
• Add FAVICON_URL config option to set a custom URL for the favicon (#6323, thanks @SegiNyn)
• Allow filtering the contribution list in the management area by custom fields (#6213, #6214)
• Show "Go to timeline" button on the contribution page to everyone who can see the timeline of one of its editables instead of just submitters (#6344)
• Add a new "Timetable Sessions" registration form field type which allows selecting session blocks from the event (#6184, thanks @jbtwist)
• Link the event title to the event in registration emails (#6358)
• Add the option to make registration forms private so they can only be accessed using a secret link (#6321, thanks @vtran99)
• Add experimental support for creating Apple Wallet (Passbook / pkpass) tickets (opt-in via ENABLE_APPLE_WALLET indico.conf setting) (#6248, thanks @openprojects)
• Add a new event management permission that grants access only to the contributions module (#6348)
• Add bulk JSON export option in management contribution list (#6370)
• Make the default roles of the contribution person link list field more similar to the abstract person link list field when there is a linked abstract (#6342)
• Add option to hide person titles throughout the event (#38, #6104, thanks @vasantvohra)
• Preserve input when switching between judgment actions for an editable (#6375)
• Allow generating documents from the registration summary page (#6212, #6306, thanks @hitenvidhani)
• Modernize the event social share widget and add support for sharing to Mastodon (#6289)
• Enable the calendaring + social sharing widget in events by default (#6398)
• Ignore diacritics when searching in the registration form country field (#6403, thanks @tomako)
• Add preview option for managers to see the participant list as shown to registered participants or unregistered guests (#6052, thanks @vtran99)

🐛 Bugfixes

• Fix the dashboard iCal export returning old events instead of recent ones when the maximum number of events to include is reached (#6312)
• Fix an error in the Check-in app API wben retrieving details for a registration form that includes static labels (#6326)
• Fix action buttons being pushed outside the content area in the survey editor in case of very long survey option titles (#6325)
• Only allow accessing avatars for published registrations (#6347)
• Fix error when trying to import data from an unlisted event (#6350, #6351)
• Show results from the Get Next Editable search on top of the list (#6353)
• Attach registration pictures and display them inline when sending email notifications instead of just showing their filename (#6336, #6411, thanks @SegiNyn)
• Fix editable list filter storage being shared between different editable types and events (#6359)
• Fix UI breaking when performing bulk actions via the list of editables (#6369)
• Include registration documents in user data export (#6331, #6338)
• Fix error when viewing an abstract with reviews in deleted tracks (#6393)
• Do not include custom messages about the current registration status when sending notifications about new documents (#6413)
• Only normalize title slug in custom page URL after successful access check (#6416, #6417)

♿ Accessibility

• Improve registration form date picker accessibility (#6371, thanks @foxbunny)

🔧 Internal Changes

• Use unguessable URLs for user avatar pictures (#6346, thanks @vtran99)
• Add <ind-date-picker> custom element (#6371, #6406, thanks @foxbunny)
• Use native ESM for webpack config files (#6389)

🎉 Improvements

• Use more verbose page titles in management/admin areas (#6300)
• Prioritize exact matches when searching for users (#6254)
• Show document templates from non-parent categories and other events for cloning as long as the user has management access (#6232)
• Warn about conflicts from concurrent edits of minutes (#3410, #6193)
• Include up to two months (up from one week) of past events in dashboard iCal export (#6304)

🐛 Bugfixes

• Fix adding additional event keywords when some keywords have already been set (#6264, thanks @SegiNyn)
• Fix overlapping times in some room booking timelines when using a locale with a 12-hour time format (#6263)
• Fix error when printing badges referencing a linked regform picture field that contains no picture (#6276)
• Fix error when creating a reminder for exactly one week before the event (#6283)
• Fix error when unassigning the editor of an editable that has no editor (#6284)
• Fix error when judging an editable from the list of editables (#6284)
• Fix validation error when using a mailto: link in an email body (#6286)
• Clear the flags indicating that registrations or a registration form field have been purged when cloning an event (#6288)
• Use English locale when formatting dates for room booking log entries (#6295)
• Fix date validation in room booking failing in certain timezones

🔧 Internal Changes

• Allow plugins to fully replace the data in a ticket QR code with a custom string instead of just modifying/extending the JSON dict (#6266)
• Replace deprecated pkg_resources with importlib from standard library (#6272, #6273, thanks @maxnoe)