BookStack Security Release v25.12.4

Dan Brown posted on the 17th of February 2026

BookStack v25.12.4 has been released.

This is a security release to address a vulnerability where style code in page content could be used to manipulate the page beyond the expected content area, opening up risk of potential phishing and/or tracking by bad page editors.

We advise that you update your instance if you allow untrusted users to create or edit pages.

Thanks to SeongYun Moon (@Moonster8282 on GitHub) for their responsible discovery and reporting of this issue.

Additional Update Notices

• Page Content - As of this release, extra layers of filtering have been applied to page content. While we have tried to ensure this has minimal impact on content, it’s possible this will lead to extra elements being filtered.
• Option Change - The ALLOW_CONTENT_SCRIPTS env option is now considered deprecated. It’s advised to use the APP_CONTENT_FILTERING option, as documented here, instead if needed.

If you experience issues with your page content being over-filtered feel free to raise an issue on GitHub where we can check if the behavior is intentional or something which needs to be patched.

You can use the new page content filtering option, with a value of jhf which should match the prior version filtering, but this will remove a layer of content filtering security so is not recommend.

Full List of Changes

• Added new option for more granular page filter control.
• Updated page content filtering to detect extra cases, and to apply a more aggressive allow-list style filter.
• Updated application PHP dependencies.

For More Information

You can find update instructions here.
If you have any questions or comments about this advisory:

• Open an issue in the BookStack GitHub repository.
• Ask on the BookStack Discord chat.
• Follow the BookStack security policy to contact someone privately.

Header Image Credits: Photo by Michal Klajban (CC-BY-SA 4.0) - Image Modified