Log in
BookStack v26.05.1
Security Release
This is a security release to address the following vulnerabilities:
- Attachment requests could be manipulated to leak details/links/metadata (not content) of attachments which the user did not have permission to view.
- The
file://protocol could be abused in some Windows-specific scenarios to auto-run requests with credential information when viewing exports.- This protocol is now filtered from interactive content.
- The search system could be abused to cause errors and fill logs.
Upgrade is advised for instances with public viewing enabled, or where untrusted users have authenticated access.
Thanks to Stephen O. / Sakusen (Codeberg, Website), Gurmandeep Deol (LinkedIn), Rafael Castilho (X account) and Gabriel Duarte Guerra (GitHub) for responsibly reporting these issues.
Full List of Changes
- Updated PHP package versions.
- Updated translations with the latest Crowdin changes.
- Updated content allow-filtering to only allow the
file://protocol on anchor hrefs, instead of in all dynamic content. - Updated attachment update handling to validate permissions before request content.
- Fixed numeric handling issue in tag search when using non-standard numbers.
