
BookStack

Category: COLLAB
Velocity: 1.3

Self-hosted documentation/wiki platform with WYSIWYG editing.

BookStack opened a real theme extension surface, then spent six weeks patching CVEs.

Tags: self-hosted documentation, security patching, theme extensibility, responsible disclosure, wiki, php
Current state
BookStack shipped v26.03 in mid-March 2026 with a meaningful new theme module system and several theme events (page render, pre-save, OIDC URL customization) — the first time the project's customization surface has had real extension points rather than just template overrides. The next six weeks were almost entirely security work: four security-marked patch releases (v25.12.9, v26.03.1, v26.03.2, v26.03.4) addressing role-escalation via registration, hidden content leaking through markdown exports, style-code injection in revision diffs, and attachment/webhook URL validation gaps. Multiple researchers credited per release.
Where it's heading
The arc is 'open up the platform, then defend it' — adding extension points was the v26.03 push, and the subsequent CVE volume reads as a coordinated audit response (often two researchers credited per advisory, suggesting public attention from pen-testers). The 25.12.x line is also still being patched in parallel, indicating the team is supporting both branches rather than forcing rapid upgrades.
Prediction
Expect another v26.03.x patch release if the audit cycle isn't complete, then a return to feature work — likely more theme-event coverage and exposing more lifecycle hooks to match what the new module system can attach to. The dual-branch maintenance pattern probably continues until v25.12 hits its support cutoff.

Recent moves

  1. 21d ago

    v26.03.4: attachment permission and webhook URL validation patches

    v26.03.4 is a security cut that tightens attachment delete permission checks and closes webhook URL validation workarounds for instances using ALLOWED_SSR_HOSTS. The same release fixes a search bug where exact-term negation returned no results. Two outside researchers are credited.

  2. 1mo ago

    v26.03.3: PHP dependency bumps and translation refresh

    v26.03.3 is a small maintenance release — PHP package updates and the latest Crowdin translations. Routine hygiene between the v26.03 feature cut and the next security patch.

  3. 1mo ago

    v26.03.2: registration form role-escalation patch

    v26.03.2 closes a registration-form vulnerability that could be manipulated to gain additional roles — strongly advised for any instance with open user registration. Two researchers credited; the team also bundles WYSIWYG behavior consistency fixes and translation updates.

  4. 2mo ago

    v26.03.1: hidden page content leaking through markdown exports

    v26.03.1 fixes a permission bypass where page content hidden by permissions could leak through certain markdown export paths. Two researchers are credited; a companion fix tightens filename handling for file serving.

  5. 2mo ago

    v26.03: theme module system, theme events for render and pre-save, OIDC URL hook

    v26.03 introduces a real extension surface: a theme module system that lives in a dedicated modules/ folder, theme events for page content render and pre-save, an event/class to insert custom views before or after others, and a hook to customize the OIDC authentication URL. It marks the shift from template-override customization to a proper plugin-style integration model.

  6. 2mo ago

    v25.12.9: revision-diff style injection and origin-check hardening

    v25.12.9 patches a vulnerability where style code in page content could escape its container in revision-diff views, opening phishing/tracking risk. The same release tightens origin checks on the preference-change redirect. It confirms that BookStack is supporting v25.12 in parallel with the v26.03 line.
