
BookStack


Self-hosted documentation/wiki platform with WYSIWYG editing.

BookStack runs a disciplined security-release cadence, with occasional CalVer feature drops.

Tags: self-hosted, documentation, security-releases, access-control, open-source, calver
Current state
BookStack, the self-hosted documentation/wiki platform, ships on a CalVer cadence dominated by security releases — attachment permission leaks, MFA brute-force hardening, registration role-escalation fixes. Interleaved are smaller feature versions (v26.05 brought folder-permission and export-font changes). The feed reads as a maintainer prioritizing safety and steady upkeep over headline features.
Where it's heading
The pattern is a maintained, security-first open-source project: frequent, narrowly scoped patch releases that fix concrete vulnerabilities quickly, punctuated by modest feature releases. The recurring theme is permission and attachment-access hardening, which points to an ongoing tightening of BookStack's access-control model as it is deployed in multi-user settings where not every account is trusted.
Prediction
Expect the prompt security-release rhythm to continue, with permission-model and attachment-handling fixes remaining the most common subject, and periodic CalVer feature versions adding incremental capability. No directional pivot is visible in these entries.
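The attachment-access theme above is easiest to reason about with a concrete check. The example below is added here and is not BookStack's code, nor does the feed describe the mechanism of any listed fix; it models a generic bug of this class (authorizing against a client-supplied page ID rather than the page the attachment actually belongs to) beside the hardened form, using constructed sample data (`ATTACHMENTS`, `BOB`) and a toy permission model.

```python
"""Illustrative attachment-access check (hypothetical, not BookStack's code).

Models the class of bug described in the feed: an attachment endpoint that
reveals metadata (name, link) for attachments whose parent page the caller
cannot view. Sample data and permission model are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attachment:
    id: int
    name: str
    page_id: int   # the page that owns this attachment (authoritative)
    path: str      # storage path; never exposed to clients


@dataclass(frozen=True)
class User:
    name: str
    # Constructed: set of page IDs this user may view. A real system derives
    # this from roles and entity permissions; the toy keeps it explicit.
    viewable_pages: frozenset


# Constructed sample data: two pages; user "bob" may only view page 1.
ATTACHMENTS = {
    10: Attachment(10, "roadmap.pdf", page_id=1, path="uploads/a/roadmap.pdf"),
    11: Attachment(11, "payroll.xlsx", page_id=2, path="uploads/b/payroll.xlsx"),
}
BOB = User("bob", frozenset({1}))


class NotFound(Exception):
    """Raised for both 'missing' and 'not permitted', so the response does not
    act as an existence oracle for attachments the caller cannot see."""


def attachment_metadata_leaky(user, attachment_id, requested_page_id):
    """Vulnerable pattern (hypothetical): permission is checked against the
    page ID the client supplies, not the attachment's stored owner. A caller
    can point the request at a page they *can* view and read the name and
    link of an attachment on a page they cannot."""
    att = ATTACHMENTS.get(attachment_id)
    if att is None:
        raise NotFound()
    if requested_page_id not in user.viewable_pages:
        raise NotFound()
    return {"name": att.name, "link": f"/attachments/{att.id}"}


def attachment_metadata_hardened(user, attachment_id, requested_page_id=None):
    """Hardened: resolve the attachment first, take its owning page from the
    stored record, and authorize against *that* page. The client-supplied
    page ID is ignored for authorization. Deny by default, uniform 404."""
    att = ATTACHMENTS.get(attachment_id)
    if att is None or att.page_id not in user.viewable_pages:
        raise NotFound()
    return {"name": att.name, "link": f"/attachments/{att.id}"}


def probe(fn, user, attachment_id, requested_page_id):
    """Call an endpoint; return its metadata dict, or None when refused."""
    try:
        return fn(user, attachment_id, requested_page_id)
    except NotFound:
        return None


if __name__ == "__main__":
    # bob lies about the owning page: attachment 11 belongs to page 2,
    # but he claims page 1, which he is allowed to view.
    print("leaky   :", probe(attachment_metadata_leaky, BOB, 11, 1))
    print("hardened:", probe(attachment_metadata_hardened, BOB, 11, 1))
```

The point a reviewer checks for in any attachment or file endpoint is that the object is resolved first and the permission decision is derived from the object's own parent, never from anything in the request; returning the same 404 for "missing" and "forbidden" is what keeps metadata from leaking even when the check is otherwise correct.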

Recent moves

  1. 18d ago

    v26.05.1: security fix for attachment metadata leak

    A security release fixing an attachment-request manipulation that could leak metadata and links (not content) of attachments a user lacked permission for. Routine but advised security maintenance.

  2. 1mo ago

    v26.05: folder permissions and export font changes

    A feature release introducing folder permissions and changes to how fonts are handled for exports, requiring a post-update storage adjustment. The most substantive functional drop in the recent run, extending the permission model rather than just patching it.

  3. 1mo ago

    v26.03.5: MFA brute-force hardening

    A security release addressing a brute-force vulnerability in multi-factor authentication and refreshing project libraries. Standard hardening on the auth path.

  4. 1mo ago

    v26.03.4: attachment permission and webhook URL fixes

    A security release improving attachment permission checks and webhook URL validation, advised where untrusted users can manage attachments. Continues the attachment-access hardening theme.

  5. 2mo ago

    v26.03.3: translation and dependency updates

    A maintenance release updating Crowdin translations and PHP dependency versions. Housekeeping with no functional change.

  6. 3mo ago

    v26.03.2: registration role-escalation fix

    A strongly-advised security release fixing a registration-form manipulation that could grant additional roles. Critical-path access-control fix for instances allowing self-registration.
