BookStack Security Release v25.12.9
Dan Brown posted on the 12th of March 2026
BookStack v25.12.9 has been released.
This is a security release to address a vulnerability where style code in page content could be used to manipulate the page beyond the expected content area in some revision views, opening up the risk of phishing and/or tracking by malicious page editors.
We advise that you update your instance if you allow untrusted users to create or edit pages.
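To show the kind of content filtering that closes this class of issue, here is an added example (not BookStack's own code, and it makes no assumptions about how BookStack implements its filter) that strips CSS-bearing markup from user-authored page HTML before it is rendered in a revision view. It drops `<style>` and `<link>` elements and removes `style=` attributes while keeping the rest of the markup intact; the sample revision HTML is constructed for the example.

```python
"""Strip CSS-bearing markup from page HTML before rendering it in a diff view.

Added example; not BookStack code. The filter, element and attribute lists,
and the sample input below are all assumptions made for illustration.
"""
from html import escape
from html.parser import HTMLParser

# Elements that carry or load stylesheets: dropped together with their content.
DROP_ELEMENTS = {"style", "link"}
# Attributes that carry inline CSS: removed from every element.
DROP_ATTRIBUTES = {"style"}
# Void elements never have a closing tag, so they are emitted as a start tag only.
VOID_ELEMENTS = {"br", "hr", "img", "input", "meta", "link"}


class StyleStrippingFilter(HTMLParser):
    """Re-emits the HTML it parses, minus style elements and style attributes."""

    def __init__(self):
        # convert_charrefs=True hands handle_data decoded text, which we re-escape.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            if tag not in VOID_ELEMENTS:
                self.skip_depth += 1  # swallow everything up to the closing tag
            return
        if self.skip_depth:
            return
        kept = [(k, v) for k, v in attrs if k.lower() not in DROP_ATTRIBUTES]
        attr_text = "".join(
            f' {k}="{escape(v, quote=True)}"' if v is not None else f" {k}"
            for k, v in kept
        )
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in DROP_ELEMENTS and tag not in VOID_ELEMENTS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag in VOID_ELEMENTS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments add nothing to a rendered diff; drop them


def filter_revision_html(html: str) -> str:
    """Return `html` with style elements and inline style attributes removed."""
    f = StyleStrippingFilter()
    f.feed(html)
    f.close()
    return "".join(f.out)


# Constructed sample: page content that tries to restyle the surrounding page.
SAMPLE_REVISION = (
    "<p>Please re-enter your password.</p>"
    "<style>body{display:none}</style>"
    '<div style="position:fixed;top:0;left:0">Sign in</div>'
    '<link rel="stylesheet" href="https://example.invalid/track.css">'
    "<p>Tom &amp; Jerry</p>"
)

if __name__ == "__main__":
    print(filter_revision_html(SAMPLE_REVISION))
```

This is a deny-list filter, which is enough to illustrate the principle; a production filter for untrusted HTML should instead allow-list the elements and attributes it permits, so that new CSS carriers do not slip through.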
Thanks to Alex Dan (@windbreaker555 on GitHub) for their responsible discovery and reporting of this issue.
Full List of Changes
- Updated page revision diffs to use content filtering.
- Updated preference change redirect with stronger origin checks.
- Updated application PHP dependencies.
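The second change above tightens the origin check on a redirect. As an added example (not BookStack's code; the function name, the application origin and the sample targets are assumptions), this is the shape of check a practitioner would want on any user-supplied redirect target: only site-relative paths or absolute URLs on the application's own origin are accepted, and everything else falls back to a safe default.

```python
"""Validate a redirect target against the application's own origin.

Added example; not BookStack code. `safe_redirect_target`, the app origin and
the sample targets are assumptions made for illustration.
"""
from urllib.parse import urlsplit


def is_same_origin_target(target: str, app_origin: str) -> bool:
    """True only if `target` stays on `app_origin` (scheme + host + port)."""
    if not target or any(c in target for c in "\r\n\x00"):
        return False  # control characters: header-splitting risk, reject
    t = target.strip()
    if "\\" in t:
        return False  # browsers treat backslashes as slashes; do not guess
    if t.startswith("//"):
        return False  # protocol-relative URL resolves to a different host
    parts = urlsplit(t)
    if parts.scheme == "" and parts.netloc == "":
        return t.startswith("/")  # site-relative path only
    app = urlsplit(app_origin)
    return (parts.scheme.lower(), parts.netloc.lower()) == (
        app.scheme.lower(),
        app.netloc.lower(),
    )


def safe_redirect_target(target: str, app_origin: str, fallback: str = "/") -> str:
    """Return `target` if it passes the origin check, otherwise `fallback`."""
    return target.strip() if is_same_origin_target(target, app_origin) else fallback


if __name__ == "__main__":
    origin = "https://docs.example"  # constructed application origin
    for t in ["/settings", "https://docs.example/books", "//evil.invalid/x",
              "https://docs.example@evil.invalid/", "javascript:alert(1)"]:
        print(f"{t!r:45} -> {safe_redirect_target(t, origin)}")
```

Comparing the full scheme and netloc rather than a host substring is what makes the check "stronger": `https://docs.example.evil.invalid` and `https://docs.example@evil.invalid/` both fail, and a userinfo or port trick cannot widen the match.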
For More Information
You can find update instructions here.
If you have any questions or comments about this advisory:
- Open an issue in the BookStack GitHub repository.
- Ask in the BookStack Community.
- Follow the BookStack security policy to contact someone privately.
Header Image Credits: Photo by Andrew Tryon (CC-BY-SA 2.0) - Image Modified