
BookStack


Self-hosted documentation/wiki platform with WYSIWYG editing.

Security-first wiki on a steady cadence; v26.05 lands the year's biggest feature batch

Tags: security, wiki, self-hosted, documentation, permissions, api
Current state
BookStack is a mature self-hosted wiki shipping on a near-monthly cadence dominated by security releases. The recent arc pairs a substantial v26.05 feature drop with a steady stream of patch releases hardening URL filtering, attachments, MFA, and permission checks. The project's priority is clearly locking down untrusted-editor and public-instance scenarios while keeping the feature surface moving.
Where it's heading
The pattern is a feature-anchor release (v26.03, v26.05) followed by a run of point releases that are almost entirely security and dependency hardening. Feature work is trending toward finer-grained permissions (separate revision-view control), a broader API (tag browsing), and export/editor polish. Expect the same rhythm to continue: one meaty minor, then hardening.
Prediction
The next release is likely another security/dependency point release (v26.05.3 or similar) continuing the attachment/URL-filtering hardening, with the following feature minor extending the API and permission model.

Recent moves

  1. 1d ago

    Security release: centralized URL filtering, comment-permission checks

    The latest in BookStack's near-monthly security cadence: URL/redirect filtering consolidated into a centralized utility, srcset protocol filtering, and a visibility check on comment deletion, plus the addition of a Serbian translation. Continues the steady hardening of the attack surface for public and multi-tenant instances.
  2. 24d ago

    Security release: attachment metadata leak and file:// export fixes

    A security release closing an attachment-metadata leak, blocking file:// protocol abuse in exports on Windows, and hardening search against log-flooding. Reinforces the project's focus on untrusted-editor and public-viewing threat models.
  3. 1mo ago

    Feature release: tag API, page contents view, revision permissions

    The cadence's feature anchor: a tag-browsing API, an in-editor page contents view, granular revision-view permissions, custom-font PDF export, and in-UI MFA reset. Broadens both the API surface and the permission granularity operators have been requesting.
  4. 1mo ago

    Security release: MFA brute-force rate limiting

    Security release adding rate limiting to MFA verification routes to blunt brute-force attempts, alongside dependency updates. Part of the ongoing hardening of authentication paths.
  5. 2mo ago

    Security release: attachment permission and webhook URL hardening

    Security release aligning attachment permission checks with page access and hardening webhook URL validation against workarounds that escape the existing checks, plus a search-negation fix. More incremental closing of untrusted-user edge cases.
  6. 2mo ago

    Maintenance: translations and PHP dependency updates

    A maintenance drop of translation refreshes and PHP dependency bumps with no user-facing change.