VOOZH about

URL: https://www.bookstackapp.com/blog/

⇱ BookStack Blog · BookStack

BookStack Blog

BookStack v26.05.1 has been released. This is a security release to address the following vulnerabilities: Attachment requests could be manipulated to leak details/links/metadata (not content) of attachments which the user did not have permission to view. The file:// protocol could be abused in some Windows-specific scenarios to auto-run requests with credential information when viewing exports. This protocol is now filtered from interactive content. The search system could be abused to cause errors and fill logs. Upgrade is advised for instances with public viewing enabled, or where untrusted users have authenticated access. »

BookStack v26.05 releases today containing a varied bundle of little enhancements across the board. This also marks our first feature release which comes managed via Codeberg after our migration from GitHub! »

BookStack v26.03.5 has been released. This is a security release to address a brute-force based vulnerability related to multi-factor authentication, and to update project libraries to help avoid potential vulnerabilities that have been reported in those. »

BookStack v26.03.4 has been released. This is a security release to improve attachment related permission checks, and URL validation for webhooks. »

There have been a few recent developments in regard to BookStack’s community spaces so I thought I’d create a post to share what’s been going on. »

BookStack v26.03.2 has been released. This is a security release to address a vulnerability where the registration form could be manipulated to gain access to additional roles. »

BookStack v26.03.1 has been released. This is a security release to address a vulnerability where page content, which should be hidden by permissions, could be visible during certain markdown exports. »

The March 2026 BookStack release arrives today, with a focus on powering-up some of the core customization & extension options to allow new possibilities and easier usage. »

BookStack v25.12.9 has been released. This is a security release to address a vulnerability where style code in page content could be used to manipulate the page beyond the expected content area in some revision views, opening up risk of potential phishing and/or tracking by bad page editors. »

BookStack v25.12.4 has been released. This is a security release to address a vulnerability where style code in page content could be used to manipulate the page beyond the expected content area, opening up risk of potential phishing and/or tracking by bad page editors. »

BookStack v25.12.3 has been released. This is a security release to address a vulnerability where form elements in page content could be used to trick more privileged users into making API requests. »

2025 has been a big year for BookStack, especially with us reaching a decade of BookStack back in July! As we jump into 2026 we’ll take this opportunity to look back at how the project has progressed over the last year: »

BookStack v25.12.1 has been released. This is a security release which adds limits to search operations, and adds size checks to ZIP import files before they are extracted. These changes help prevent potential abuse to host disk space usage and/or service availability. »

Merry Christmas and happy holidays! Today we release BookStack v25.12. With prior recent releases being focused on back-end changes, I focused on this next release being a Christmas present composed of a variety of improvements and additions that would more directly impact BookStack users, so I hope you find something merry in this new version of BookStack! »

BookStack v25.11.6 has been released. This is a security release to address a vulnerability in our dependencies related to XML handling, which could allow users to replay SAML authentication requests with specially crafted & manipulated requests. »

Today arrives BookStack v25.11 which makes some significant changes to the database structure, while expanding on API capabilities along with other various improvements. »

Today we release the July 2025 version of BookStack which brings a varied bundle of improvements across the platform for better editing, extra customization capabilities and more! »

BookStack is now over 10 years old! The initial commit for the project was made on the 12th of July 2015, and here we are a decade later. A massive thanks to all those who have contributed to the project. Whether that’s via providing code, reporting issues, providing translations, sponsoring, purchasing support, creating content, interacting with the community, or even just mentioning BookStack to others; This all helps drive the project forward and build motivation to keep the platform evolving. »

Today we have the May 2025 release of BookStack. The headline features of this new version are focused on new comment abilities but we have some other goodies packaged in also! »

For a while I’ve been playing with the idea of being able to mount a BookStack instance as a Linux file system. I attempted this a while ago, but recently dedicated a day to finishing up a proof on concept for this. The resulting project, with usage details, can be found here on Codeberg: »

Today we release BookStack v25.02! This aimed to be a maintenance release with the primary goal of upgrading our core framework, but it grew a little to include some goodies like automatic sorting, theme system additions, and editor improvements. »

As we cross over yet another year boundary we look back at the progress, maintenance and funding of the project for 2024 with a view of potential plans in 2025: »

For this Christmas time period we have BookStack v24.12 which includes the gift of a new import & export format, while improving upon the new editor introduced in the last release. »

BookStack v24.10.2 has been released. This is a security release to address a vulnerability in our dependencies where specifically formatted requests could be used to manipulate application configuration in environments where a certain PHP option (register_argc_argv) is enabled. This is not an option that’s typically enabled in production web-serving environments, but it’s advised to update where uncertain. »

This laggard of a release finally lingers to deployment this day in October bringing the first alpha-state inclusion of the new WYSIWYG editor, which has been the main development focus, but that doesn’t stop a few other goodies being included for this release too! »

Since we’ve gone a few months without an update I thought it’d be good to provide a post regarding project progress & other activities, so here’s what’s been going on over the last few months: »

BookStack v24.05.4 has been released. This is a security release to address issues found in LDAP group syncing, where in certain scenarios a user could be matched to extra roles incorrectly, and an issue with content visibility in “book-show” API responses which would not have permissions applied properly. »

Today the BookStack project becomes 9 years old! Like last year’s post, and the years before it, we’ll take this as an opportunity to provide an update on the status of the project including the financials, current development status, and the growth figures. »

BookStack v24.05.1 has been released. This is a security release that adds extra rate-limiting to some forms that are accessible without authentication, while also implementing changes to prevent methods that could be used to indicate if specific user emails exist in the system. »

Today we release a new BookStack feature update that’s mainly focused on updating the core underlying framework and some accompanying code, but that work comes with a sprinkling of extra additions and tweaks too. »

For our first feature release of 2024 we have a variety enhancements to enjoy! Many of these build upon the work from the previous release, while many others address some common pain-points in BookStack. »

BookStack v23.12.3 has been released. This is a security release that addresses a vulnerability in PDF generation that could be exploited to perform blind server-side-request forgery. »

As we enter into 2024 I thought we’d once again look back over the past year to review the development of the platform throughout 2023 while also diving into topics about the wider project including funding and the impact of AI. »

As a little Christmas-time treat we have BookStack v23.12 slipping in as the last release of the year. This release focuses on providing a simple WYSIWYG editor for description inputs, along with adding default page templates within books, in addition to some other additional gifts. »

BookStack v23.10.3 has been released. This is a security release that addresses a vulnerability in image handling which could be exploited to perform server-side requests or read the contents of files on the server system. Additionally, this update addresses a lack of permission check in some image creation actions. »

This October maintenance release brings with it more than originally planned, with a significant revamp of user self-management in addition to an updated editor design, along with many other additions & improvements. »

The August release of BookStack is now here! This is focused upon an initial implementation of a notification system for content, but as usual there are a few other improvements to enjoy. »

Since setting it up in 2021, the BookStack YouTube channel has grown to be a fairly significant repository of guides and visual project updates. Our following on YouTube has also grown reaching 1.5k subscribers, which means I can even earn from our content on the platform as an extra minor revenue stream. »

As we veer towards the middle of July we hit the 8-year mark for the BookStack project. Following the pattern from previous years, we’ll compare the project’s various metrics year-on-year, and provide an update on finances. »

Today brings us BookStack v23.06 which aims to improve how comments are displayed & used, while also providing a revamp to the image manager among many other fixes and improvements. »

BookStack v23.05 releases today, sneaking into the start of May with a bunch of additions, updates and changes including a new command line tool to help with admin operations. »

There’s no new feature release for BookStack this month, due to various distractions and the type of work done in this release cycle, so I thought it’d be good to instead provide a general project update to highlight what has happened in the last month or so. »

BookStack v23.02 is here, acting primarily as a maintenance release to upgrade the underlying framework while optimizing things and making a few other additions. »

Over the last few years BookStack has gained a few different methods that can be used to customize functionally and aesthetics. Quite often, for ideas that don’t quite fit for quick implementation within the core BookStack codebase, I’d provide a simplistic customization that can used to achieve that idea right now, using BookStack’s methods of hackery. These were scattered around GitHub issues, GitHub gists and discord messages, which required me to also provide implementation guidance each time. To organize and streamline the process of sharing these, there’s now a dedicated section on the BookStack site: »

BookStack v23.01.1 has been released. This is a security release that addresses a potential vulnerability in PDF generation that could be used to make server-side requests or run potential other PHP code. »

To start off our releases for the year we have BookStack v23.01 which adds many user experience enhancements & options while also making subtle further back-end changes to permissions. »

Well 2022 is now in the past. During the year BookStack had a few milestones which included reaching the top of Hacker News, becoming 7 years old and hitting 10K stars on GitHub. In this post we’ll look back on how the project has progressed over the year, not just in terms of the codebase but also elements of the wider project as a whole. »