Releases: linuxserver/docker-bookstack

v26.03-ls252

15 Mar 14:07
830f5bf

CI Report:

N/A

LinuxServer Changes:

Full Changelog: v25.12.9-ls251...v26.03-ls252

Remote Changes:

Upgrade Notices

  • Email/SMTP - The way BookStack sends messages has changed slightly (specifically, the SMTP HELO domain). This isn't expected to be a breaking change, but testing emails (using the test send action in Settings > Maintenance) is advised after updating to be sure there's no impact.
  • Theme System - Within a theme directory, the modules/ folder is now dedicated to theme modules. If you happened to already have a folder of this name in your theme, it's advised to use a different folder name instead.

Full List of Changes

Released in v26.03

  • Added new module system to the theme system. (#5998)
  • Added logical theme events for page content render and pre-save. (#6049)
  • Added logical theme event and class to allow inserting custom views before/after others. (#5998)
  • Added logical theme event to allow customising the OIDC authentication URL. (#6014)
  • Updated book delete to return to the parent shelf in a shelf context. (#6029)
  • Updated book read API endpoint to provide parent shelf information. (#6006)
  • Updated cursor to pointer for drawio diagrams. Thanks to @lublak. (#5864)
  • Updated description for per-page display limits. (#6005)
  • Updated emails to use the domain from the APP_URL in the SMTP HELO. (#5990)
  • Updated translations with latest Crowdin changes. (#6007)
  • Fixed empty extra space showing for descriptions when the input is left empty. (#5724)

v25.12.9-ls251

12 Mar 11:53
cb5be39

CI Report:

N/A

LinuxServer Changes:

Full Changelog: v25.12.8-ls250...v25.12.9-ls251

Remote Changes:

Security Release

BookStack v25.12.9 has been released.

This is a security release to address a vulnerability where style code in page content could be used to manipulate the page beyond the expected content area in some revision views, opening up risk of potential phishing and/or tracking by bad page editors.

We advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to Alex Dan (@windbreaker555 on GitHub) for their responsible discovery and reporting of this issue.

Full List of Changes

  • Updated page revision diffs to use content filtering.
  • Updated preference change redirect with stronger origin checks.
  • Updated application PHP dependencies.

v25.12.8-ls250

09 Mar 19:07
43daf8a

CI Report:

N/A

LinuxServer Changes:

Full Changelog: v25.12.8-ls249...v25.12.8-ls250

Remote Changes:

Full List of Changes

This release contains the following fixes and changes:

  • Fixed content filtering removing link target attribute, which would impact "New Window" links. (#6034)
  • Fixed content filtering to not remove user references in comments.
  • Updated PHP package versions.

v25.12.8-ls249

02 Mar 19:03
3f49401

CI Report:

N/A

LinuxServer Changes:

Full Changelog: v25.12.8-ls248...v25.12.8-ls249

Remote Changes:

Full List of Changes

This release contains the following fixes and changes:

  • Fixed content filtering removing link target attribute, which would impact "New Window" links. (#6034)
  • Fixed content filtering to not remove user references in comments.
  • Updated PHP package versions.

v25.12.8-ls248

27 Feb 11:10
13ec6dd

CI Report:

N/A

LinuxServer Changes:

Full Changelog: v25.12.6-ls247...v25.12.8-ls248

Remote Changes:

Full List of Changes

This release contains the following fixes and changes:

  • Fixed content filtering removing link target attribute, which would impact "New Window" links. (#6034)
  • Fixed content filtering to not remove user references in comments.
  • Updated PHP package versions.

v25.12.7-ls247

19 Feb 23:53
d37b904

CI Report:

N/A

LinuxServer Changes:

No changes

Remote Changes:

This release specifically addresses a scenario, introduced in v25.12.4, where loading the editor of a page, last updated/created by a different user with blank content, would result in an error.

Full List of Changes

This release contains the following fixes and changes:

  • Updated page document handling to handle empty content instead of throwing an error. (#6026)

v25.12.6-ls247

18 Feb 20:09
d37b904

CI Report:

N/A

LinuxServer Changes:

Full Changelog: v25.12.4-ls246...v25.12.6-ls247

Remote Changes:

This release specifically addresses issues introduced in v25.12.4, where drawings could become non-editable in certain scenarios due to content filtering rules.

Full List of Changes

This release contains the following fixes and changes:

  • Updated content filter to allow required drawio diagram attributes. (#6026)

v25.12.5-ls246

17 Feb 19:23
4ea84e9

CI Report:

N/A

LinuxServer Changes:

No changes

Remote Changes:

This release specifically addresses folder permission issues (often showing as an error when attempting to access content) which could occur from changes introduced in v25.12.4.

Full List of Changes

This release contains the following fixes and changes:

  • Updated filter caching folder handling to avoid server filesystem permission issues. (#6023)

v25.12.4-ls246

17 Feb 18:21
4ea84e9

CI Report:

N/A

LinuxServer Changes:

  • Add purifier directory to framework symlinks by @thespad in #284

Full Changelog: v25.12.4-ls245...v25.12.4-ls246

Remote Changes:

Security Release

BookStack v25.12.4 has been released.

This is a security release to address a vulnerability where style code in page content could be used to manipulate the page beyond the expected content area, opening up risk of potential phishing and/or tracking by bad page editors.

We advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to SeongYun Moon (@Moonster8282 on GitHub) for their responsible discovery and reporting of this issue.

Additional Update Notices

  • Page Content - As of this release, extra layers of filtering have been applied to page content. While we have tried to ensure this has minimal impact on content, it's possible this will lead to extra elements being filtered.
  • Option Change - The ALLOW_CONTENT_SCRIPTS env option is now considered deprecated. It's advised to use the APP_CONTENT_FILTERING option, as documented here, instead if needed.

If you experience issues with your page content being over-filtered, feel free to raise an issue on GitHub where we can check if the behaviour is intentional or something which needs to be patched.

You can use the new page content filtering option with a value of jhf, which should match the prior version filtering, but this will remove a layer of content filtering security so is not recommended.

Full List of Changes

  • Added new option for more granular page filter control.
  • Updated page content filtering to detect extra cases, and to apply a more aggressive allow-list style filter.
  • Updated application PHP dependencies.

v25.12.4-ls245

17 Feb 12:05
08e43ed

CI Report:

N/A

LinuxServer Changes:

Full Changelog: v25.12.3-ls244...v25.12.4-ls245

Remote Changes:

Security Release

BookStack v25.12.4 has been released.

This is a security release to address a vulnerability where style code in page content could be used to manipulate the page beyond the expected content area, opening up risk of potential phishing and/or tracking by bad page editors.

We advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to SeongYun Moon (@Moonster8282 on GitHub) for their responsible discovery and reporting of this issue.

Additional Update Notices

  • Page Content - As of this release, extra layers of filtering have been applied to page content. While we have tried to ensure this has minimal impact on content, it's possible this will lead to extra elements being filtered.
  • Option Change - The ALLOW_CONTENT_SCRIPTS env option is now considered deprecated. It's advised to use the APP_CONTENT_FILTERING option, as documented here, instead if needed.

If you experience issues with your page content being over-filtered, feel free to raise an issue on GitHub where we can check if the behaviour is intentional or something which needs to be patched.

You can use the new page content filtering option with a value of jhf, which should match the prior version filtering, but this will remove a layer of content filtering security so is not recommended.

Full List of Changes

  • Added new option for more granular page filter control.
  • Updated page content filtering to detect extra cases, and to apply a more aggressive allow-list style filter.
  • Updated application PHP dependencies.