BookStack
Self-hosted documentation/wiki platform with WYSIWYG editing.
Security-first wiki on a steady cadence; v26.05 lands the year's biggest feature batch
Recent moves
- 1d ago
Security release: centralized URL filtering, comment-permission checks
The latest in BookStack's near-monthly security cadence: URL/redirect filtering consolidated into a centralized utility, srcset protocol filtering, and a comment-delete visibility check, plus a Serbian language addition. Continues the steady hardening of the attack surface for public and multi-tenant instances.
- 24d ago
Security release: attachment metadata leak and file:// export fixes
A security release closing an attachment-metadata leak, blocking file:// protocol abuse in exports on Windows, and hardening search against log-flooding. Reinforces the project's focus on untrusted-editor and public-viewing threat models.
- 1mo ago
Feature release: tag API, page contents view, revision permissions
The cadence's feature anchor: a tag-browsing API, an in-editor page contents view, granular revision-view permissions, custom-font PDF export, and in-UI MFA reset. Broadens both the API surface and the permission granularity operators have been requesting.
- 1mo ago
Security release: MFA brute-force rate limiting
Security release adding rate limiting to MFA verification routes to blunt brute-force attempts, alongside dependency updates. Part of the ongoing hardening of authentication paths.
- 2mo ago
Security release: attachment permission and webhook URL hardening
Security release aligning attachment permission checks with page access and hardening webhook URL validation against escaping workarounds, plus a search-negation fix. More incremental closing of untrusted-user edge cases.
- 2mo ago
Maintenance: translations and PHP dependency updates
A maintenance drop of translation refreshes and PHP dependency bumps with no user-facing change.