BookStack Security Release v26.05.2
Dan Brown posted on the 2nd of July 2026
BookStack v26.05.2 has been released.
This is a security release to address some edge-case vulnerabilities related to URL filtering, redirect handling, and permission checking, while also updating dependencies so that known vulnerabilities in those dependencies cannot be exploited.
Upgrading is advised for instances with public access enabled, or for instances where untrusted users are able to edit content.
Thanks to Gurmandeep Deol (LinkedIn) and MFK25 for responsibly reporting issues addressed in this release.
Full List of Changes
- Added Serbian language to language_select array. Thanks to @PolarniMeda. (#6153)
- Updated PHP package versions.
- Updated translations with the latest crowdin changes.
- Updated content allow-filtering to consider protocols used in srcset attributes.
- Updated URL filtering with a more thorough centralized utility class.
- Updated comment delete action to also check comment visibility permissions.
- Updated referring URL use with stronger source validation.
- Updated translations with the latest crowdin changes. (#6166)
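The srcset filtering change above is the kind of gap a content sanitizer can have: a filter that only checks the src attribute never sees the URLs embedded in srcset. The following is an added example written for this post, not BookStack's own (PHP) code; the scheme allow-list and the sample srcset values are constructed for illustration.

```python
import re

# Constructed allow-list for this example; BookStack's real list is not on this page.
ALLOWED_SCHEMES = {"http", "https", "mailto", "tel"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")

def scheme_allowed(url: str) -> bool:
    """True if the URL is relative or its scheme is on the allow-list.
    Browsers drop tab/CR/LF anywhere in a URL and strip leading/trailing
    control characters and spaces, so the check normalises the same way;
    otherwise 'java\\tscript:' would slip past a naive startswith() test."""
    cleaned = re.sub(r"[\t\r\n]", "", url)
    cleaned = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", cleaned)
    match = SCHEME_RE.match(cleaned.lower())
    if match is None:
        return True  # no scheme: relative or protocol-relative ("//host/...") URL
    return match.group(1) in ALLOWED_SCHEMES

def parse_srcset(srcset: str):
    """Tokenise a srcset value into (url, descriptor) pairs following the HTML
    spec's rules: a URL runs to the next whitespace, trailing commas end the
    candidate, and descriptors run to the next comma. (The spec's
    parenthesis-aware descriptor handling is omitted in this example.)"""
    candidates, i, n = [], 0, len(srcset)
    while i < n:
        while i < n and (srcset[i].isspace() or srcset[i] == ","):
            i += 1
        if i >= n:
            break
        start = i
        while i < n and not srcset[i].isspace():
            i += 1
        url = srcset[start:i]
        if url.endswith(","):
            url, descriptor = url.rstrip(","), ""
        else:
            dstart = i
            while i < n and srcset[i] != ",":
                i += 1
            descriptor = srcset[dstart:i].strip()
        candidates.append((url, descriptor))
    return candidates

def filter_srcset(srcset: str) -> str:
    """Rebuild the srcset keeping only candidates whose URL passes scheme_allowed()."""
    kept = [(u, d) for u, d in parse_srcset(srcset) if scheme_allowed(u)]
    return ", ".join(f"{u} {d}".strip() for u, d in kept)
```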
For More Information
You can find update instructions here.
If you have any questions or comments about this advisory:
- Ask in the BookStack Community.
- Open an issue in the BookStack Codeberg repository.
- Follow the BookStack security policy to contact someone privately.
Header Image Credits: Photo by Julian Herzog (cc-by-sa-4) - Image Modified