BookStack Security Release v26.05.1

BookStack v26.05.1 has been released.

This is a security release to address the following vulnerabilities:

  • Attachment requests could be manipulated to leak details/links/metadata (not content) of attachments which the user did not have permission to view.
  • The file:// protocol could be abused in some Windows-specific scenarios to auto-run requests with credential information when viewing exports.
    • This protocol is now filtered from interactive content.
  • The search system could be abused to cause errors and fill logs.
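The file:// item above (and the matching change in the list below, which restricts file:// to anchor hrefs rather than all dynamic content) boils down to a per-tag scheme allow-list: a link the user has to click may point at file://, but an attribute the browser fetches on its own (img/iframe src, form action, and so on) may not, because in the Windows scenario described the automatic request is what carries credential information. The following is an added Python example of that policy, not BookStack's own filter (which is PHP): the attribute names, the allowed-scheme sets and the sample HTML are constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that carry a URL and therefore need a scheme check (constructed list).
URL_ATTRS = {"href", "src", "action", "formaction", "poster", "data"}

# Schemes permitted on any URL attribute ("" covers relative URLs and fragments).
GLOBAL_SCHEMES = {"", "http", "https", "mailto", "tel"}

# Schemes permitted only on <a href>, where the user has to click the link.
# file is deliberately absent from GLOBAL_SCHEMES: on attributes the browser
# fetches automatically it is stripped.
ANCHOR_ONLY_SCHEMES = {"file"}

# Constructed sample content mixing clickable and auto-fetched file:// URLs.
SAMPLE_HTML = (
    '<a href="file:///C:/share/readme.txt">open</a>'
    '<img src="file://server/share/pixel.png">'
    '<iframe src=" FILE:///C:/x"></iframe>'
    '<img src="&#102;ile:///C:/y" alt="t">'
    '<img src="https://example.test/a.png">'
    '<a href="/relative">r</a>'
)


def scheme_of(url: str) -> str:
    """Lower-cased URL scheme, tolerant of leading whitespace and odd casing."""
    return urlsplit(url.strip()).scheme.lower()


def attribute_allowed(tag: str, attr: str, value: str) -> bool:
    """Decide whether a (tag, attribute, value) triple may stay in the output."""
    if attr not in URL_ATTRS:
        return True
    scheme = scheme_of(value)
    if scheme in GLOBAL_SCHEMES:
        return True
    return tag == "a" and attr == "href" and scheme in ANCHOR_ONLY_SCHEMES


class SchemeFilter(HTMLParser):
    """Re-serialise HTML, dropping URL attributes whose scheme is not allowed
    for that tag. html.parser decodes entities inside attribute values, so an
    encoded scheme such as &#102;ile:// is seen as file:// and judged correctly."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out: list[str] = []
        self.removed: list[tuple[str, str, str]] = []  # kept for audit logging

    def _render_tag(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            if value is None:
                parts.append(name)  # boolean attribute, nothing to check
            elif attribute_allowed(tag, name, value):
                parts.append(f'{name}="{escape(value, quote=True)}"')
            else:
                self.removed.append((tag, name, value))
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._render_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._render_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments are dropped from user-supplied content


def filter_url_schemes(html: str):
    """Return (filtered_html, removed_attributes)."""
    parser = SchemeFilter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed


if __name__ == "__main__":
    cleaned, dropped = filter_url_schemes(SAMPLE_HTML)
    print(cleaned)
    for tag, attr, value in dropped:
        print(f"removed {attr} from <{tag}>: {value!r}")
```

The decision is made on the decoded, trimmed, lower-cased scheme, which is why the entity-encoded and mixed-case variants in the sample are caught; the list of removed attributes is returned so a deployment can log what was stripped rather than silently dropping it.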

Upgrade is advised for instances with public viewing enabled, or where untrusted users have authenticated access.

Thanks to Stephen O. / Sakusen (Codeberg, Website), Gurmandeep Deol (of Seneca Polytechnic), Rafael Castilho (X account) and Gabriel Duarte Guerra (GitHub) for responsibly reporting these issues.

Full List of Changes

  • Updated PHP package versions.
  • Updated translations with the latest crowdin changes.
  • Updated content allow-filtering to only allow the file:// protocol on anchor hrefs, instead of in all dynamic content.
  • Updated attachment update handling to validate permissions before processing request content.
  • Fixed numeric handling issue in tag search when using non-standard numbers.
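The last item (and the "errors and fill logs" vulnerability above) is a reminder that "looks numeric" is not the same as "is a standard number": checks modelled on float parsing accept values such as NaN, 1e999 or leading whitespace, which can then fail further down when the database is asked to compare them. The following is an added Python example, not BookStack's code: it assumes a hypothetical tags(page_id, name, value) table with value stored as text, applies a strict pattern before choosing numeric comparison, and falls back to string comparison for everything else so that unusual input never turns into a database error. The rows and search terms are constructed.

```python
import re
import sqlite3

# A "standard" number: optional sign, integer part, optional decimal part, nothing
# else. float() is too loose for this decision: float("nan"), float("1e999") and
# float("  12") all succeed, yet none of them should reach a numeric comparison.
STANDARD_NUMBER = re.compile(r"-?(0|[1-9][0-9]*)(\.[0-9]+)?")

NUMERIC_OPS = {"<", ">", "<=", ">="}
SUPPORTED_OPS = NUMERIC_OPS | {"=", "!="}


def is_standard_number(value: str) -> bool:
    return STANDARD_NUMBER.fullmatch(value) is not None


def build_tag_filter(name: str, op: str, value: str):
    """Return (where_clause, params) for one tag search term.

    Numeric comparison is used only for an ordering operator on a standard
    number; any other value is compared as a string. The operator is
    interpolated into SQL only after it has been checked against a fixed set;
    name and value always travel as bound parameters.
    """
    if op not in SUPPORTED_OPS:
        raise ValueError(f"unsupported tag operator: {op!r}")
    if op in NUMERIC_OPS and is_standard_number(value):
        return f"name = ? AND CAST(value AS REAL) {op} ?", [name, float(value)]
    return f"name = ? AND value {op} ?", [name, value]


def open_sample_db() -> sqlite3.Connection:
    """In-memory table with constructed rows, including non-numeric tag values."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tags (page_id INTEGER, name TEXT, value TEXT)")
    con.executemany(
        "INSERT INTO tags VALUES (?, ?, ?)",
        [
            (1, "priority", "5"),
            (2, "priority", "10"),
            (3, "priority", "high"),
            (4, "priority", "0x1A"),
        ],
    )
    return con


def search_tag(con: sqlite3.Connection, name: str, op: str, value: str) -> list[int]:
    """Page ids whose tag matches the term, in page order."""
    where, params = build_tag_filter(name, op, value)
    rows = con.execute(f"SELECT page_id FROM tags WHERE {where} ORDER BY page_id", params)
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = open_sample_db()
    for term in (("priority", ">", "7"), ("priority", ">", "1e999"), ("priority", "<", "NaN")):
        print(term, "->", search_tag(db, *term))
```

With these rows, `priority > 7` is a numeric query and returns only page 2, while `priority > 1e999` and `priority < NaN` are silently treated as string comparisons: they return whatever sorts that way as text, which is a harmless answer rather than an exception written to the error log.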

For More Information

You can find update instructions here.
If you have any questions or comments about this advisory:


Header Image Credits: Photo by Julian Herzog (cc-by-sa-4) - Image Modified