Releases: BookStackApp/BookStack

BookStack v25.12.1

30 Dec 17:25
v25.12.1
805fd98

Security Release

BookStack v25.12.1 has been released.

This is a security release which adds limits to search operations, and adds size checks to ZIP import files before they are extracted.
These changes help prevent potential abuse of host disk space and/or service availability.

We recommend updating your instance if untrusted users have ZIP import permissions, or if untrusted users can perform searches.

Thanks to Jeong Woo Lee (@eclipse07077-ljw) and Gabriel Rodrigues (aka TEXUGO) for reporting these vulnerabilities.

Full List of Changes

  • Updated application PHP dependencies.
  • Add some additional resource-based limits. (#5968)
  • Updated translations with latest Crowdin changes. (#5962)

BookStack v25.12

24 Dec 12:19
v25.12
7c3a4c7

Full List of Changes

  • Added user mentions for comments. (#5944, #560)
  • Added slug history tracking system. (#5913, #5411)
  • Added initial developer API for the new WYSIWYG editor. (#5928, #5763)
  • Added internal reference handling on content copying. (#5917, #3239)
  • Added settings to control the number of books/shelves that will be displayed per page. Thanks to @Xenoamor. (#5606, #2343)
  • Updated translations with latest Crowdin changes. (#5933)
  • Updated new WYSIWYG editor with a range of fixes. (#5939)
  • Updated BookStack system CLI to v0.4. (#5956)
  • Updated CSS dark/light mode handling so all CSS variables exist by default. (#5923)
  • Updated "Microsoft URL Rewrite Module for IIS" download link. Thanks to @gerundt. (#5952)
  • Updated image thumbnail generation to more reliably log issues on error. (#5869)
  • Updated database to add index to views table to make view-based queries more efficient. (#5948)
  • Updated application database requirements. (#5882)
  • Fixed search pagination not using APP_URL value, and breaking for sub-path usage. (#5951)
  • Fixed search pagination overflowing view on smaller screen sizes. (#5920)

BookStack v25.11.6

09 Dec 21:08
v25.11.6
8fcd3b2

Security Release

BookStack v25.11.6 has been released.

This is a security release to address a vulnerability in our dependencies related to XML handling, which could allow users to replay SAML authentication requests with specially crafted & manipulated requests.

It's strongly advised to update if you're using SAML authentication for BookStack.

Full List of Changes

  • Updated application PHP dependencies.

BookStack v25.11.5

03 Dec 14:51
v25.11.5
1611027

Full List of Changes

This release contains the following fixes and changes:

  • Updated OIDC state handling to prevent other requests causing the process to fail, which was occurring in Chromium based browsers. (#5929)
  • Updated session history handling to prevent redirects to common asset locations. (#5925)
  • Updated PHP dependency versions.

BookStack v25.11.4

25 Nov 22:26
v25.11.4
46001d6

Note: This was originally accidentally published as v24.11.4, so this is essentially a re-publish with the correct version.
The wrong version number commit/history has been retained though to prevent any breakages for git-managed environments.

Full List of Changes

This release contains the following fixes and changes:

  • Fixed error thrown when attempting to send new comment notifications. (#5918)
  • Updated PHP dependency versions.

BookStack v25.11.3

21 Nov 14:06
v25.11.3
ad8fc95

Full List of Changes

This release contains the following fixes and changes:

  • Fixed overly-strict image access permission changes in v25.11.2 which could block images when a secure storage option was used alongside public access. (#5906, #5909)
  • Updated app PHP dependencies to latest versions.

BookStack v25.11.2

19 Nov 15:26
v25.11.2
bbda5fd

Full List of Changes

This release contains the following fixes and changes:

  • Fixed image permission checking in ZIP exports to prevent error and to align with UI access. (#5899, #5885)
  • Updated translations with latest Crowdin changes. (#5887)
  • Updated test environment refresh database command to set env timezone option to ensure test database is consistent. (#5881)
  • Updated app PHP dependencies to latest versions.

BookStack v25.11.1

11 Nov 12:23
v25.11.1
fef61f0

Full List of Changes

This release contains the following fixes and changes:

  • Fixes database queries causing errors with versions of MySQL <= 5.7. (#5877)

BookStack v25.11

09 Nov 13:00
v25.11
fcabf47

Full List of Changes

  • Added API endpoints for comments. (#5850, #4194)
  • Added API endpoints for reading image data. (#5860, #5519)
  • Added Groovy code syntax highlighting support. (#5822)
  • Added new flags to the create admin command. (#5749)
  • Added option for display timezone, and improved UI use consistency. (#5790, #4786)
  • Added proper pagination to search. (#5854)
  • Updated API docs with better model ordering, and quick navigation select. (#5865)
  • Updated codebase to meet PHPstan level 3. (#5785)
  • Updated database comments table to remove redundant text column. (#4821)
  • Updated database format for core item types. (#5800)
  • Updated framework to Laravel 12, and perform some major dependency upgrades. (#5782)
  • Updated page delete handling to nullify related images instead of leaving old IDs. (#5846)
  • Updated permission handling in code to use enums instead of strings. (#5793)
  • Updated translations with latest Crowdin changes. (#5843)
  • Updated user delete handling to nullify, or better handle, ID references on delete. (#5844)
  • Fixed old API-scripts link leading to archived repo. (#5813)
  • Fixed search timeout when a high per-page frequency match was encountered. (#5863)

BookStack v25.07.3

05 Oct 14:47
v25.07.3
0838d5e

Full List of Changes

This release contains the following fixes and changes:

  • Updated translations with latest Crowdin changes. (#5786)
  • Updated PHP package versions.
  • Fixed PWA manifest access when behind authenticated proxies. Thanks to @tfnh621. (#5820)