Freshrss Release Notes

Milestone

This is a major release.

Feature highlights✨:

• New sort order preferences at global, category, and feed levels
• Use feed-provided icon
• New option to hide sidebar by default
• Show time since when a feed has problems
• New functions to handle plural in internationalisation
• New cli/purge.php to apply purge policy from command line

Bug fixes highlights 🐛:

• Improve support of PHP 8.5+
• Several fixes related to searches

Security highlights 🛡:

• Limit cURL to protocols HTTP, HTTPS

UI highlights 🖼:

• Improve mobile view with multiple lines when thumbnails and summaries are shown
• Several themes improved

Extensions highlights 🧩:

• New Webhook extension for automated RSS notifications
• New LLM Classification extension to automatically tag incoming articles based on a prompt sent to an LLM

This release has been made by @Alkarex, @Inverle, @Kiblyn11, @math-GH, @rupakbajgain, @xtmd and newcomers @polybjorn, @olivluca, @tomasodehnal, @PeterVavercak, @mrtnrdl, @ale-rt, @cweiske, @rid3r45, @gabbihive, @drosell271, @Kachelkaiser, @zanivann, @nanos, @bowencool, @pe1uca, @matheusroberson, @DenuxPlays, @rlrs, @chanse-syres, @IEEE-754, @umaidshahid, @michi-onl

Full changelog:

Features

• New sort order preferences at global, category, and feed levels #8234
• New filtering by date of Server modification date #8131, #8576
• Corresponding search operator, e.g. mdate:P1D for finding articles modified by the author / server during the past day.
• Especially useful for optimising the API synchronisation.
• Use feed-provided icon #8633
• New option to automatically mark new articles as read if an identical GUID already exists in the same category #8673
• Automatic feed visibility/priority during search #8609
• Add feed visibility filter to statistics view unread dates #8489
• Add option to enable/disable notifications, also for PWA #8458
• Add a form to create new user queries on the User Queries page #8623
• Allow WebSub hub push from same private network #8450
• Support category field in JSON feed import #8786

Bug fixing

• Fix wrong search toString in case of regex-looking string #8479
• Fix article last seen date in case of feed errors #8646
• Fix search expansion with backslash #8497
• Fix user query parsing #8543
• Fix search in shared user queries #8789
• Fix redirect to wrong view after mark as read in reader and global views #8552
• Fix SQLite paging when sorting by article length #8594
• Fix change sorting during paging #8688
• Fix SQL keyset pagination when sorting by category name #8597
• Fix SQL duplicates in the user labels when sorting randomly #8626
• Fix wrong error redirect in subscription management #8625
• Fix do not include hidden feeds when counting total number of unread articles #8715
• Update user modify date when changing extensions UserJS / UserCSS #8607
• Non-strict OPML export #eedefb

Security

• Limit cURL to protocols HTTP, HTTPS #8713
• Better sanitise favicon URLs #8714
• New setting for <iframe> referrer allow list #8672
• Fix email validation and allow error page for unverified email users #8582
• Add allowfullscreen to <iframe> #8467
• Rewrite Set-Cookie using native PHP support of SameSite #8447, #8778
• Sanitize lifetime of session cookies from session.cookie-lifetime in php.ini
• Update to <meta name="referrer" content="no-referrer" /> from deprecated never #8725
• Preventive measure against search ingestion #8777

UI

• New option to hide sidebar by default #8528
• Improve mobile view with multiple lines when thumbnails and summaries are shown #8631
• New option to disable unread counter in tab title and favicon #8728
• Show time since when a feed has problems #8670
• Improve add feed UI #8683
• Improve slider behaviour when using navigate back button #8496, #8524
• Improve consistency of slider behaviour after submitting form #8612
• Create dynamic favicons from SVG instead of PNG canvas #8577, #8588
• Only display scrollbar everywhere if there's an overflow (especially for Chromium) #8542
• Fix CSS padding of .content pre code #8620
• Fix wrong navigation buttons layout on Chromium #8606
• Fix don’t mark as read if middle click is outside of article link #8553
• More robust JS #8595
• Fix sidebar slide animation at narrow viewports #8747
• Visually dim disabled users in user management table #8768
• Improve multiple UI themes #8711, #8732,
  #8733, #8734, #8735,
  #8736, #8737, #8738,
  #8739, #8743, #8746,
  #8749, #8761, #8781,
  #8784, #8785
• Various UI and style improvements: #8537, #8538,
  #8541, #8624, #8731,
  #8774

Deployment

• Also push Docker images to GitHub registry #8669
• Improve support of PHP 8.5+ using Pdo\Mysql #8526
• Add support for Podman in Makefile #8456
• Re-add database status in installation check #8510
• Docker / CLI: Allow chown/chmod to fail with warning #8635

Extensions

• New Webhook extension for automated RSS notifications Extensions#456
• New LLM Classification extension to automatically tag incoming articles based on a prompt sent to an LLM Extensions#458
• New extension methods to get typed configuration values #8696
• New hook: Minz_HookType::ActionExecute #8599, #8603
• New hook to modify the list of feeds to actualize #8655, #8675
• Allow passing Minz_HookType as hook name in registerHook() #8600
• Return more info and status from httpGet() #8700
• Make httpGet() cache nullable #8705
• Allow extensions’ configuration UI to use select-input-changer JavaScript helper #8721

SimplePie

• Bump upstream #8628, simplepie#71
• New function get_icon_url() for feed favicon simplepie#974
• Fix Undefined array key in get_thumbnail() #8634, simplepie#970
• Fix int types for enclosures #8702, simplepie#975
• Fix HTTPS headers given to SimplePie, e.g. for some HTTP/2 cases #8742

CLI

• New cli/purge.php to apply purge policy #8740

I18n

• CLI validate language directory names #8767
• New functions to handle plural, and new timeago() #8670
• Improve German #8491, #8557, #8689,
  #8704
• Improve Italian #8517, #8519, #8554,
  #8555, #8556, #8566
• Improve Latvian #6553
• Improve Polish #8536
• Improve Portuguese #8649
• Improve Simplified Chinese #8474, #8475, #8476
• Improve Traditional Chinese #8709, #8716, #8723,
  #8730, #8748
• Improve Spanish #8572

Misc.

• Initial conventions for AI agents and humans: AGENTS.md, SKILLS.md, instructions.md #8478
• Update to CSSXPath 1.5.0 #8642
• Update to PHPMailer 7.0.2 #8483
• SQL improve PHP syntax uniformity #8604
• Trim SQL whitespace before parenthesis #8522
• Improve PHP code #8627, #8644, #8753,
  #8697
• Add dev legacy rules PHPCS 3 #8645
• Update dev dependencies #8469, #8480, #8499,
  #8545, #8546, #8547,
  #8617, #8638, #8660,
  #8661, #8662, #8663,
  #8664, #8665, #8666,
  #8667, #8668, #8685,
  #8752, #8754, #8755,
  #8756, #8757, #8758,
  #8772, #8798

Original source

Features

• New sort order preferences at global, category, and feed levels (#8234)
• New filtering by date of Server modification date (#8131, #8576)
  • Corresponding search operator, e.g. mdate:P1D for finding articles modified by the author / server during the past day.
  • Especially useful for optimising the API synchronisation.
• Automatic feed visibility/priority during search (#8609)
• Add feed visibility filter to statistics view unread dates (#8489)
• Add option to enable/disable notifications, also for PWA (#8458)
• Allow WebSub hub push from same private network (#8450)

Bug fixing

• Fix wrong search toString in case of regex-looking string (#8479)
• Fix search expansion with backslash (#8497)
• Fix user query parsing (#8543)
• Fix redirect to wrong view after mark as read in reader and global views (#8552)
• Fix SQLite paging when sorting by article length (#8594)
• Fix SQL keyset pagination when sorting by category name (#8597)
• Update user modify date when changing UserJS/UserCSS (#8607)
• Non-strict OPML export (#eedefb)

Security

• Fix email validation and allow error page for unverified email users (#8582)
• Add allowfullscreen to (#8467)
• Rewrite Set-Cookie using native PHP support of SameSite (#8447)
  • Sanitize lifetime of session cookies from session.cookie-lifetime in php.ini

UI

• Add option to hide sidebar by default (#8528)
• Improve slider behaviour when using navigate back button (#8496, #8524)
• Improve consistency of slider behaviour after submitting form (#8612)
• Create dynamic favicons from SVG instead of PNG canvas (#8577, #8588)
• Only display scrollbar everywhere if there's an overflow (especially for Chromium) (#8542)
• Fix CSS padding of .content pre code (#8620)
• Fix wrong navigation buttons layout on Chromium (#8606)
• More robust JS (#8595)
• Various UI and style improvements: (#8537, #8538, #8541)

Deployment

• Improve support of PHP 8.5+ using Pdo\Mysql (#8526)
• Add support for Podman in Makefile (#8456)
• Re-add database status in installation check (#8510)

Extensions

• Add new hook: Minz_HookType::ActionExecute (#8599, #8603)
• Allow passing Minz_HookType as hook name in registerHook() (#8600)

I18n

• Improve German (#8491, #8557)
• Improve Italian (#8517, #8519, #8554, #8555, #8556, #8566)
• Improve Polish (#8536)
• Improve Simplified Chinese (#8474, #8475, #8476)
• Improve Spanish (#8572)

Misc.

• Initial conventions for AI agents and humans: AGENTS.md, SKILLS.md, instructions.md (#8478)
• Update to PHPMailer 7.0.2 (#8483)
• SQL improve PHP syntax uniformity (#8604)
• Trim SQL whitespace before parenthesis (#8522)
• Update dev dependencies (#8469, #8480, #8499, #8545, #8546, #8547, #8617)

Original source

Features

• Handle Web scraping of text/plain as

   (#8340)

• New customisable message for closed registrations (#8462)

Bug fixing

• Fix unwanted expansion of user queries (saved searches) applied to filters (#8395)
• Fix encoding of filter actions for labels (#8368)
• Fix searching of tags (#8425)
• Fix refreshing feeds with token while anonymous refresh is disabled (#8371)
• Fix RSS and OPML access by token (#8434)
• Fix MySQL/MariaDB transliterator_transliterate fallback (when the php-intl extension is unavailable) (#8427)
• Fix regression with MySQL/MariaDB index hint (#8460)
• Auto-add lastUserModified database column also during mark-as-read action (#8346)
• Do not include hidden feeds when counting unread articles in categories (#8357)
• Remove wrong PHP deprecation of OPML export action (#8399)
• Fix shortcut for next unread article (#8466)
• Fix custom session.cookie-lifetime (#8446)
• Fix feed validator button when changing the feed URL (#8436)

Performance

• Disable counting articles in user labels for Ajax requests (unused) (#8352)

Security

• Change Content-Disposition: inline to attachment in f.php (#8344)
• Hardened user methods exists, mtime, ctime (#26c1102)

Deployment

• Add username in Apache access logs (also in Docker logs): for GReader API, and for HTTP Basic Auth from reverse proxy (#8392)

SimplePie

• Update of CURLOPT_ACCEPT_ENCODING (#8376, simplepie#960, simplepie#962)
• Fix don’t preserve children inside disallowed element (#8443)
• Fixes before PHPStan 2 (#8445, simplepie#957)

Extensions

• Update .gitignore to ignore installed extensions (#8372)

UI

• Add data-category="3" to ease custom CSS styling of articles (#8397)
• Fix space between By: and the author’s name (#8422)

I18n

• Improve Brazilian Portuguese (#8411)
• Improve Dutch (#8403)
• Improve German (#8402)
• Improve Polish (#8408)
• Improve Spanish (#8464)

Misc.

• Update dev dependencies (#8387, #8388, #8389, #8390, #8391, #8393, #8453)

Original source

Milestone

This is a release focussing on bug fixing, in particular regressions from the release 1.28.0.

Selected new features

• New customisable message for closed registrations
• Add username in Apache access logs (also in Docker logs): for GReader API, and for HTTP Basic Auth from reverse proxy
• Improved performance 🏎️:
• Disable counting articles in user labels for Ajax requests (unused)
• Many bug fixes 🐛

This release has been made by @Alkarex, @Frenzie, @Inverle and newcomers @ciro-mota, @eveiscoull, @hackerman70000, @Hufschmidt, @johan456789, @martgnz, @mmeier86, @netsho, @neuhaus, @RobLoach, @rupakbajgain.

Full changelog:

Features

• Handle Web scraping of text/plain as <pre class="text-plain"> #8340
• New customisable message for closed registrations #8462

Bug fixing

• Fix unwanted expansion of user queries (saved searches) applied to filters #8395
• Fix encoding of filter actions for labels #8368
• Fix searching of tags #8425
• Fix refreshing feeds with token while anonymous refresh is disabled #8371
• Fix RSS and OPML access by token #8434
• Fix MySQL/MariaDB transliterator_transliterate fallback (when the php-intl extension is unavailable) #8427
• Fix regression with MySQL/MariaDB index hint #8460
• Auto-add lastUserModified database column also during mark-as-read action #8346
• Do not include hidden feeds when counting unread articles in categories #8357
• Remove wrong PHP deprecation of OPML export action #8399
• Fix shortcut for next unread article #8466
• Fix custom session.cookie-lifetime #8446
• Fix feed validator button when changing the feed URL #8436

Performance

• Disable counting articles in user labels for Ajax requests (unused) #8352

Security

• Change Content-Disposition: inline to attachment in f.php #8344
• Hardened user methods exists, mtime, ctime #26c1102

Deployment

• Add username in Apache access logs (also in Docker logs): for GReader API, and for HTTP Basic Auth from reverse proxy #8392

SimplePie

• Update of CURLOPT_ACCEPT_ENCODING #8376, simplepie#960, simplepie#962
• Fix don’t preserve children inside disallowed <template> element #8443
• Fixes before PHPStan 2 #8445, simplepie#957

Extensions

• Update .gitignore to ignore installed extensions #8372

UI

• Add data-category="3" to ease custom CSS styling of articles #8397
• Fix space between By: and the author’s name #8422

I18n

• Improve Brazilian Portuguese #8411
• Improve Dutch #8403
• Improve German #8402
• Improve Polish #8408
• Improve Spanish #8464

Misc.

• Update dev dependencies #8387, #8388, #8389,

#8390, #8391, #8393,
#8453

Original source

Features

• New sorting and filtering by User modification date (#7886, #8090, #8118, #8130)
  • Corresponding search operator, e.g. userdate:PT1H for the past hour (#8093)
  • Allows finding articles marked by the local user as read/unread or starred/unstarred at specific dates for e.g. undo action.
• New sorting by article length (#8119)
• New advanced search form (#8103, #8122, #8226)
• Add compatibility with PCRE word boundary \b and \B for regex search using PostgreSQL (#8141)
• More uniform SQL search and PHP search for accents and case-sensitivity (e.g. for automatically marking as read) (#8329)
• New overview of dates with most unread articles (#8089)
• Allow marking as read articles older than 1 or 7 days also when sorting by publication date (#8163)
• New option to show user labels instead of tags in RSS share (#8112)
• Add new feed visibility (priority) Show in its feed (#7972)
• New ability to share feed visibility through API (implemented by e.g. Capy Reader) (#7583, #8158)
• Configurable notification timeout (#7942)
• OPML export/import of unicity criteria (#8243)
• Ensure stable IDs (categories, feeds, labels) during export/import (#7988)
• Add username and timestamp to SQLite export from Web UI (#8169)
• Add option to apply filter actions to existing articles (#7959, #8259)
• Support CSS selector ~ subsequent-sibling (#8154) (Upstream PR phpgt/CssXPath#231)
• Rework saving of configuration files for more reliability in case of e.g. full disk (#8220)
• Web scraping support date format as milliseconds for Unix epoch (#8266)
• Allow negative category sort numbers (#8330)

Performance

• Improve SQL speed for updating cached information (#6957, #8207, #8255, #8254)
• Fix SQL performance issue with MySQL, using an index hint (#8211)
• Scaling of user statistics in Web UI and CLI, to help instances with 1k+ users (#8277)
• API streaming of large responses for reducing memory consumption and increasing speed (#8041)

Security

• 💥 Move unsafe autologin to an extension (#7958)
• Fix some CSRFs (#8035)
• Strengthen some crypto (login, tokens, nonces) (#8061, #8320)
• Create separate HTTP Retry-After rules for proxies (#8029, #8218)
• Add data: to CSP in subscription controller (#8253)
• Improve anonymous authentication logic (#8165)
• Enable GitHub release immutability (#8205)

Bug fixing

• Exclude local networks for domain-wide HTTP Retry-After (#8195)
• Fix OpenID Connect with Debian 13 (#8032)
• Fix MySQL / MariaDB bug wrongly sorting new articles (#8223)
• Fix MySQL / MariaDB database size calculation (#8282)
• Fix SQLite bind bug when adding user label (#8101)
• Fix SQL auto-update of field f.kind to ease migrations from FreshRSS versions older than 1.20.0 (#8148)
• Fix search encoding and quoting (#8311, #8324, #8338)
• Fix handling of database unexpected null content (during migrations) (#8319, #8321)
• Fix drag & drop of user query losing information (#8113)
• Fix DOM error while filtering retrieved full content (#8132, #8161)
• Fix config.custom.php during install (#8033)
• Fix do not mark important feeds as read from category (#8067)
• Fix regression of warnings in Web browser console due to lack of window.bcrypt object (#8166)
• Fix chart resize regression due to chart.js v4 update (#8298)
• Fix CLI user creation warning when language is not given (#8283)
• Fix merging of custom HTTP headers (#8251)
• Fix bug in the case of duplicated mark-as-read filters (#8322)

SimplePie

• Fix support of HTTP trailer headers (#7983, simplepie#943)
• Apply HTTPS policy also on GUIDs and permalinks (#8037, simplepie#951)
  • Fix WordPress.com HTTP duplicates with WebSub (Automattic/pushpress#16)
• Implement HTML whitelist for SimplePie sanitizer (#7924, simplepie#947)
• Various upstream contributions (simplepie#940, #944)
• Implement other fixes before PHPStan 2 (simplepie#957)

Deployment

• Docker default image updated to Debian 13 Trixie with PHP 8.4.11 and Apache 2.4.65 (#8032)
• Docker alternative image updated to Alpine 3.23 with PHP 8.4.15 and Apache 2.4.65 (#8285)
• Fix Docker healthcheck cli/health.php compatibility with OpenID Connect (#8040)
• Improve Docker for compatibility with other base images such as Arch Linux (#8299)
  • Improve cli/access-permissions.sh to detect the correct permission Web group such as www-data, apache, or http (#8228)
• Update PostgreSQL volume for Docker (#8216, #8224)
• Catch lack of exec() function for git update (#8228)
• Work around DOMDocument::saveHTML() scrambling charset encoding in some versions of libxml2 (#8296)
• Improve configuration checks for PHP extensions (in Web UI and CLI), including recommending e.g. php-intl (#8334)

UI

• New button for toggling sidebar on desktop view (#8201, #8286)
• Better transitions between groups of articles (#8174)
• New links in transitions and jump ⏭ to next transition (#8294)
• More visible selected article (#8230)
• Show the parsed search query instead of the original user input (#8293, #8306, #8341)
• Show search query in the page title (#8217)
• Scroll into filtered feed/category on page load in the sidebar (#8281, #8307)
• Fix autocomplete issues in change password form (#7812)
• Fix navigating between read feeds using shortcut shift + j / k (#8057)
• Dark background in Web app manifest to avoid white flash when opening (#8140)
• Increase button visibility in UI to change theme (#8149)
• Replace arrow navigation in theme switcher with (#8190)
• Improve scroll of article after load of user labels (#7962)
• Keep scroll state of page when closing the slider (#8295, #8301)
• Display sidebar dropdowns above if no space below (#8335, #8336)
• Use native CSS instead of SCSS (#8200, #8241) (Using CSS nesting and relative colours.)
• Various UI and style improvements (#8171, #8185, #8196)
• JavaScript finalise migration from Promise to async/await (#8182)

API

• API performance optimisation: streaming of large responses (#8041)
• Fever API: Add with_ids parameter to mass-change read/unread/saved/unsaved on lists of articles (#8312)
• Misc API: better REST error semantics (#8232)

Extensions

• Add support for extension priority (#8038)
• Add support for extension compatibility (#8081)
• Improve PHP code with hook enums (#8036)
• New hook nav_entries (#8054)
• Rename Extensions default branch from master to main (#8194)

I18n

• Translation status as text in README (#7842)
• Add new translate CLI commands move (#8214)
• Change some regional language codes to comply with RFC 5646 / IETF BCP 47 / ISO 3166 / ISO 639-1 (#8065)
• Improve German (#8028)
• Improve Greek (#8146)
• Improve Finnish (#8073, #8092)
• Improve Hungarian (#8244)
• Improve Italian (#8115, #8186)
• Improve Polish (#8134, #8135)
• Improve Russian (#8155, #8197)
• Improve Simplified Chinese (#8308, #8313)

Misc.

• Add code to modify a search expression (#8293)
• Remove Pocket sharing service (#8127, #8128)
• Update to PHPMailer 7.0.1 (#8048, #8180, #8272)
• 💥 Housekeeping of lib_rss.php with potential breaking changes for some extensions (#8193)
• Use native PHP #[Deprecated] (#8325)
• Improve PHP code (#8156, #8203, #8284, #8292, #8297)
• GitHub Actions: --no-progress (#8315)
• Update dev dependencies (#8043, #8044, #8045, #8046, #8047, #8052, #8176, #8177, #8178, #8179, #8210, #8270, #8271, #8273, #8274, #8275, #8276)

Bug fixes and other details omitted for brevity.

Original source

Milestone

This is a major release, just in time for the holidays 🎄

Selected new features

• New sorting and filtering by date of User modified, with corresponding search operator, e.g. userdate:PT1H for the past hour
• New sorting by article length
• New advanced search form
• New overview of dates with most unread articles
• New ability to share feed visibility through API (implemented by e.g. Capy Reader)
• Bonus: Capy Reader is also the first open source Android app to support user labels
• Better transitions UI between groups of articles
• New links in UI for transitions between groups of articles, and jump to next transition
• Docker default image updated to Debian 13 Trixie with PHP 8.4.11
• And much more…

Improved performance 🏎️

• Scaling of user statistics in Web UI and CLI, to help instances with 1k+ users
• Improve SQL speed for some critical requests for large databases
• API performance optimisation thanks to streaming of large responses

Selected bug fixes 🐛

• Fix OpenID Connect with Debian 13
• Fix MySQL / MariaDB bug wrongly sorting new articles
• Fix SQLite bind bug when adding tag

Breaking changes 💥

• Move unsafe autologin to an extension
• Potential breaking changes for some extensions (which have to rename some old functions)

This release has been made by @Alkarex, @Frenzie, @Inverle, @aledeg, @andris155, @horvi28, @math-GH, @minna-xD and newcomers @Darkentia, @FollowTheWizard, @GreyChame1eon, @McFev, @jocmp, @larsks, @martinhartmann, @matthew-neavling, @pudymody, @raspo, @scharmach, @scollovati, @stag-enterprises, @vandys, @xtmd, @yzx9.

Full changelog

Features

• New sorting and filtering by date of User modified #7886, #8090,

#8105, #8118, #8130

• Corresponding search operator, e.g. userdate:PT1H for the past hour #8093
• Allows finding articles marked by the local user as read/unread or starred/unstarred at specific dates for e.g. undo action.
• New sorting by article length #8119
• New advanced search form #8103, #8122, #8226
• Add compatibility with PCRE word boundary \b and \B for regex search using PostgreSQL #8141
• More uniform SQL search and PHP search for accents and case-sensitivity (e.g. for automatically marking as read) #8329
• New overview of dates with most unread articles #8089
• Allow marking as read articles older than 1 or 7 days also when sorting by publication date #8163
• New option to show user labels instead of tags in RSS share #8112
• Add new feed visibility (priority) Show in its feed #7972
• New ability to share feed visibility through API (implemented by e.g. Capy Reader) #7583, #8158
• Configurable notification timeout #7942
• OPML export/import of unicity criteria #8243
• Ensure stable IDs (categories, feeds, labels) during export/import #7988
• Add username and timestamp to SQLite export from Web UI #8169
• Add option to apply filter actions to existing articles #7959, #8259
• Support CSS selector ~ subsequent-sibling #8154
• Upstream PR phpgt/CssXPath#231
• Rework saving of configuration files for more reliability in case of e.g. full disk #8220
• Web scraping support date format as milliseconds for Unix epoch #8266
• Allow negative category sort numbers #8330

Performance

• Improve SQL speed for updating cached information #6957, #8207,

#8255, #8254, #8255

• Fix SQL performance issue with MySQL, using an index hint #8211
• Scaling of user statistics in Web UI and CLI, to help instances with 1k+ users #8277
• API streaming of large responses for reducing memory consumption and increasing speed #8041

Security

• 💥 Move unsafe autologin to an extension #7958
• Fix some CSRFs #8035
• Strengthen some crypto (login, tokens, nonces) #8061, #8320
• Create separate HTTP Retry-After rules for proxies #8029, #8218
• Add data: to CSP in subscription controller #8253
• Improve anonymous authentication logic #8165
• Enable GitHub release immutability #8205

Bug fixing

• Exclude local networks for domain-wide HTTP Retry-After #8195
• Fix OpenID Connect with Debian 13 #8032
• Fix MySQL / MariaDB bug wrongly sorting new articles #8223
• Fix MySQL / MariaDB database size calculation #8282
• Fix SQLite bind bug when adding tag #8101
• Fix SQL auto-update of field f.kind to ease migrations from FreshRSS versions older than 1.20.0 #8148
• Fix search encoding and quoting #8311, #8324, #8338
• Fix handling of database unexpected null content (during migrations) #8319, #8321
• Fix drag & drop of user query losing information #8113
• Fix DOM error while filtering retrieved full content #8132, #8161
• Fix config.custom.php during install #8033
• Fix do not mark important feeds as read from category #8067
• Fix regression of warnings in Web browser console due to lack of window.bcrypt object #8166
• Fix chart resize regression due to chart.js v4 update #8298
• Fix CLI user creation warning when language is not given #8283
• Fix merging of custom HTTP headers #8251
• Fix bug in the case of duplicated mark-as-read filters #8322

SimplePie

• Fix support of HTTP trailer headers #7983, simplepie#943
• Apply HTTPS policy also on GUIDs and permalinks #8037, simplepie#951
• Fix WordPress.com HTTP duplicates with WebSub Automattic/pushpress#16
• Implement HTML whitelist for SimplePie sanitizer #7924, simplepie#947
• Various upstream contributions simplepie#940, simplepie#944

Deployment

• Docker default image updated to Debian 13 Trixie with PHP 8.4.11 and Apache 2.4.65 #8032
• Docker alternative image updated to Alpine 3.23 with PHP 8.4.15 and Apache 2.4.65 #8285
• Fix Docker healthcheck cli/health.php compatibility with OpenID Connect #8040
• Improve Docker for compatibility with other base images such as Arch Linux #8299
• Improve cli/access-permissions.sh to detect the correct permission Web group such as www-data, apache, or http
• Update PostgreSQL volume for Docker #8216, #8224
• Catch lack of exec() function for git update #8228
• Work around DOMDocument::saveHTML() scrambling charset encoding in some versions of libxml2 #8296
• Improve configuration checks for PHP extensions (in Web UI and CLI), including recommending e.g. php-intl #8334

UI

• New button for toggling sidebar on desktop view #8201, #8286
• Better transitions between groups of articles #8174
• New links in transitions and jump to next transition #8294
• More visible selected article #8230
• Show the parsed search query instead of the original user input #8293,

#8306, #8341

• Show search query in the page title #8217
• Scroll into filtered feed/category on page load in the sidebar #8281, #8307
• Fix autocomplete issues in change password form #7812
• Fix navigating between read feeds using shortcut shift+j/k #8057
• Dark background in Web app manifest to avoid white flash when opening #8140
• Increase button visibility in UI to change theme #8149
• Replace arrow navigation in theme switcher with <select> #8190
• Improve scroll of article after load of user labels #7962
• Keep scroll state of page when closing the slider #8295, #8301
• Scroll into filtered feed/category on page load #8281
• Display sidebar dropdowns above if no space below #8335, #8336
• Use native CSS instead of SCSS #8200, #8241
• Using CSS nesting and relative colours.
• Various UI and style improvements: #8171, #8185, #8196
• JavaScript finalise migration from Promise to async/await: #8182

API

• API performance optimisation: streaming of large responses #8041
• Fever API: Add with_ids parameter to mass-change read/unread/saved/unsaved on lists of articles #8312
• Misc API: better REST error semantics #8232

Extensions

• Add support for extension priority #8038
• Add support for extension compatibility #8081
• Improve PHP code with hook enums #8036
• New hook nav_entries #8054
• Rename Extensions default branch from master to main #8194

I18n

• Translation status as text in README #7842
• Add new translate CLI commands move #8214
• Change some regional language codes to comply with RFC 5646 / IETF BCP 47 / ISO 3166 / ISO 639-1 #8065
• Improve German #8028
• Improve Greek #8146
• Improve Finnish #8073, #8092
• Improve Hungarian #8244
• Improve Italian #8115, #8186
• Improve Polish #8134, #8135
• Improve Russian #8155, #8197
• Improve Simplified Chinese #8308, #8313

Misc.

• Add code to modify a search expression #8293
• Remove Pocket sharing service #8127, #8128
• Update to PHPMailer 7.0.1 #8048, #8180, #8272
• 💥 Housekeeping of lib_rss.php with potential breaking changes for some extensions #8193,
• Use native PHP #[Deprecated] #8325
• Improve PHP code #8156, #8203, #8284,

#8292, #8297

• GitHub Actions: --no-progress #8315
• Update dev dependencies #8043, #8044,

#8045, #8046, #8047,
#8052, #8176, #8177,
#8178, #8179, #8210,
#8270, #8271, #8273,
#8274, #8275, #8276

Original source

Features

• Automatic database recovery: skip broken entries during CLI export/import (#7949)
• Add security option for CSP frame-ancestors (#7857, #8021)
• Lazy-load (#7997)

Security

• Regenerate session ID on login (#7829)
• Disallow setting non-existent language (#7878, #7934)
• Safer calling of install.php (#7971)
• Prevent log CR/LF injection (#7883)
• Restrict allowed cURL parameters (#7979, #8009)
• Fix reauthentication while updating (#7989)
• Fix some CSRFs (#8000)

Bug fixing

• Include port number for HTTP Retry-After (#7875)
• Fix logic for searching labels (#7863)
• Fix cURL response parsing for HTTP redirections (#7866)
• Fix fetching OPML URL with special characters (#7843)
• Fix validation when creating a new user label (#7890)
• Fix bug in user self-deletion (#7877)
• Fix displaying of current date in main statistics (#7892)
• Fix default values on stat processing (#7891)
• Fix UI JavaScript error when navigating to last article with keyboard (#7957)
• Fix some links in anonymous mode (#8011, #8012)
• Fixes for no-cache.txt (#7907)
• Fix Docker Traefik .yml and SERVER_DNS example (#7858)

SimplePie

• Upstream contribution: Normalize encoding uppercase (simplepie#936, #7967)
• Sync upstream, including bump to 1.9.0 with better PHP 8.5+ support (#7955)

Deployment

• Docker improve CMD compatibility (#7861)
• Add possibility of Docker healthcheck (#7945)

UI

• Keep sort and order after marking as read (#7974)
• Improve leave validation (#7830)
• Improve Origine theme visibility of toggle buttons (#7956)
• Improve Dark pink theme (#8020)
• Improve Mapco and Ansum themes: read all button in mobile view (#7873)
• Improve Swage theme (#7608)
• Use standard CSS overflow-wrap instead of word-wrap (#7898)
• Various UI and style improvements (#7868, #7872, #7882, #7893, #7904, #7952)

I18n

• Clarify the concepts of visibility hidden vs. archived in feeds settings (#7970)
• Translate the API information page (#7922)
• Add a default language constant (#7933)
• Label config delete label (#7871)
• Add Ukrainian (#7961)
• Improve Dutch (#7940)
• Improve German (#7833)
• Improve Hungarian (#7986)
• Improve Japanese (#7903, #7918)
• Improve Polish (#7963)
• Improve Simplified Chinese (#8308, #8313)

Extensions

• Add entry_before_update and entry_before_add hooks for extensions (#7977)

Misc.

• Improve make (#7901)
• Improve PHP code (#7906, #7916, #7939, #7941, #7960, #7991)
• Upgrade to PHP_CodeSniffer 4 (#7993)
• Update dev dependencies (#7902, #7895, #7896, #7899, #7966, #7969)

Original source

Milestone

This is a security-fix and bug-fix release for FreshRSS 1.27.x.

A few highlights ✨:

• Keep sort and order criteria after marking as read
• Automatic database recovery: skip broken entries during CLI export/import
• Add possibility of Docker healthcheck
• Add security option for CSP frame-ancestors
• Several security fixes
• Several bug fixes
• New translation to Ukrainian
• Improvements of some themes
• And much more…

This release has been made by @Alkarex, @Frenzie, @Inverle, @aledeg, @math-GH and newcomers @beerisgood, @nykula, @horvi28, @nhirokinet, @rnkln, @scmaybee.

Full changelog

Features

• Automatic database recovery: skip broken entries during CLI export/import #7949
• Add security option for CSP frame-ancestors #7857, #8021
• Lazy-load <track src> #7997

Security

• Regenerate session ID on login #7829
• Disallow setting non-existent language #7878, #7934
• Safer calling of install.php #7971
• Prevent log CR/LF injection #7883
• Restrict allowed cURL parameters #7979, #8009
• Fix reauthentication while updating #7989
• Fix some CSRFs #8000

Bug fixing

• Include port number for HTTP Retry-After #7875
• Fix logic for searching labels #7863
• Fix cURL response parsing for HTTP redirections #7866
• Fix fetching OPML URL with special characters #7843
• Fix validation when creating a new user label #7890
• Fix bug in user self-deletion #7877
• Fix displaying of current date in main statistics #7892
• Fix default values on stat processing #7891
• Fix UI JavaScript error when navigating to last article with keyboard #7957
• Fix some links in anonymous mode #8011, #8012
• Fixes for no-cache.txt #7907
• Fix Docker Traefik .yml and SERVER_DNS example #7858

SimplePie

• Upstream contribution: Normalize encoding uppercase simplepie#936, #7967
• Sync upstream, including bump to 1.9.0 with better PHP 8.5+ support #7955

Deployment

• Docker improve CMD compatibility #7861
• Add possibility of Docker healthcheck #7945

UI

• Keep sort and order after marking as read #7974
• Improve leave validation #7830
• Improve Origine theme visibility of toggle buttons #7956
• Improve Dark pink theme #8020
• Improve Mapco and Ansum themes: read all button in mobile view #7873
• Improve Swage theme #7608
• Use standard CSS overflow-wrap instead of word-wrap #7898
• Various UI and style improvements: #7868, #7872,

#7882, #7893, #7904,
#7952

I18n

• Clarify the concepts of visibility hidden vs. archived in feeds settings #7970
• Translate the API information page #7922
• Add a default language constant #7933
• Label config delete label #7871
• Add Ukrainian #7961
• Improve Dutch #7940
• Improve German #7833
• Improve Hungarian #7986
• Improve Japanese #7903, #7918
• Improve Polish #7963
• Improve Simplified Chinese #7943, #7944
• Minor improvements #7881
• Add CLI command to add i18n file #7917
• Add make target to generate the translation progress #7905

Extensions

• Add entry_before_update and entry_before_add hooks for extensions #7977

Misc.

• Improve make #7901
• Improve PHP code #7906, #7916, #7939,

#7941, #7960, #7991

• Upgrade to PHP_CodeSniffer 4 #7993
• Update dev dependencies #7902, #7895, #7896,

#7899, #7966, #7969

Original source

Features

• Implement support for HTTP 429 Too Many Requests and 503 Service Unavailable, obey Retry-After (#7760)
• Add sort by category title, or by feed title (#7702)
• Add search operator c: for categories like c:23,34 or !c:45,56 (#7696)
• Custom feed favicons (#7646, #7704, #7717, #7792)
• Rework fetch favicons for fewer HTTP requests (#7767)
• Add more unicity criteria based on title and/or content (#7789)
• Automatically restore user configuration from backup (#7682)
• API add support for states in s parameter of streamId (#7695)
• Improve sharing via Print (#7728)
• Redirect to the login page from bookmarklet instead of 403 (#7782)
• Clean local cache more often, when refreshing feeds (#7827)

Security

• Implement reauthentication (sudo mode) (#7753)
• Add Content-Security-Policy: frame-ancestors (#7677)
• Ensure CSP everywhere (#7810)
• Show warning when unsafe CSP policy is in use (#7804)
• Fix access rights when creating a new user (#7783)
• Improve security of form for user details (#7771, #7786)
• Disallow setting non-existent theme (#7722)
• Regenerate cookie ID after logging out (#7762)
• Require current password when setting new password (#7763)
• Add missing access checks for feed-related actions (#7768)
• Strip more unsafe attributes such as referrerpolicy, ping (#7770)
• Remove unneeded execution permissions (#7802)

Bug fixing

• Fix redirections when scraping from HTML (#7654, #7741)
• Fix multiple authentication HTTP headers (#7703)
• Fix HTML queries with a single feed (#7730)
• WebSub: only perform a redirection when coming from WebSub (#7738)
• Include enclosures in entries’ hash (#7719)
  ■ Negative side-effect: users of the option to automatically mark updated articles as unread will once have some articles with enclosures re-appear as unread
• Fix cancellation of slider exit UI (#7705)
• Honor disable update on update page (#7733)
• Fix no registration limit setting (#7751)
• Fix XML encoding of sharing functions (#7822)

SimplePie

• Fix propagation of HTTP error codes (#7670)
• Fix support for XML feeds with HTML entities (#7689, simplepie#915)
• Fix feeds encoded in UTF-16LE (#7691, simplepie#916)
• Various upstream contributions (simplepie#917, #924, #926, #932, #933)
• Fix regex Backtrack limit was exhausted in clean_hash() (#7813, FreshRSS/simplepie#48)

Deployment

• Docker default image (Debian 12 Bookworm) updated to PHP 8.2.29 (#7805)
• Docker alternative image updated to Alpine 3.22 with PHP 8.4.11 and Apache 2.4.65 (#7740)
• Start supporting PHP 8.5+ (#7787, #7826)
  ■ Docker Alpine dev image :newest updated to PHP 8.5-alpha and Apache 2.4.65 (#7773)
• Docker: interpolate FRESHRSS_INSTALL and FRESHRSS_USER variables (#7725)
• Docker: Reduce how much data needs to be chown/chmod’ed on container startup (#7793)
• Test for database PDO typing support during install (relevant for MySQL / MariaDB with obsolete driver) (#7651)

Extensions

• Add API endpoint for extensions (#7576)
• Expose the reading modes for extensions (#7668, #7688)
• New extension hook before_login_btn (#7761)

UI

• Improve mark as read request showing popup due to onbeforeunload (#7554)
• Fix lazy-loading for and (#7636)
• Avoid styling inside of

   (#7797)

• Improve confirmation logic with data-auto-leave-validation (#7785)
• Update chart.js to 4.5.0 (#7752, #7816)
• Various UI and style improvements (#7616, #7811)
• Improve scroll state, transitions, shortcuts, themes, and other UI items (multiple fixes)

I18n

• Show translation status in README (#7715)
• Improve Indonesian (#7654, #7721)
• Improve Persian (#7795)

Misc.

• Improve PHP code (#7642, #7665, #7761, #7781, #7794)
• Update dev dependencies (#7708, #7709, #7710, #7711, #7776, #7777)

Original source

Milestone

A few highlights ✨:

• Implement support for HTTP 429 Too Many Requests and 503 Service Unavailable, obey Retry-After
• Add sort by category title, or by feed title
• Add search operator c: for categories like c:23,34 or !c:45,56
• Custom feed favicons
• Several security improvements, such as:
  • Implement reauthentication (sudo mode)
  • Add Content-Security-Policy: frame-ancestors
  • Ensure CSP everywhere
  • Fix access rights when creating a new user
• Several bug fixes, such as:
  • Fix redirections when scraping from HTML
  • Fix feed redirection when coming from WebSub
  • Fix support for XML feeds with HTML entities, or encoded in UTF-16LE
• Docker alternative image updated to Alpine 3.22 with PHP 8.4 (PHP 8.4 for default Debian image coming soon)
• Start supporting PHP 8.5+
• And much more…
  This release has been made by @Alkarex, @Inverle, @the7thNightmare and newcomers @Deioces120, @Fraetor, @Tarow, @dotsam, @hilariousperson, @pR0Ps, @triatic, @tryallthethings

Full changelog:

Features

• Implement support for HTTP 429 Too Many Requests and 503 Service Unavailable, obey Retry-After #7760
• Add sort by category title, or by feed title #7702
• Add search operator c: for categories like c:23,34 or !c:45,56 #7696
• Custom feed favicons #7646, #7704, #7717,

#7792

• Rework fetch favicons for fewer HTTP requests #7767
• Add more unicity criteria based on title and/or content #7789
• Automatically restore user configuration from backup #7682
• API add support for states in s parameter of streamId #7695
• Improve sharing via Print #7728
• Redirect to the login page from bookmarklet instead of 403 #7782
• Clean local cache more often, when refreshing feeds #7827

Security

• Implement reauthentication (sudo mode) #7753
• Add Content-Security-Policy: frame-ancestors #7677
• Ensure CSP everywhere #7810
• Show warning when unsafe CSP policy is in use #7804
• Fix access rights when creating a new user #7783
• Improve security of form for user details #7771, #7786
• Disallow setting non-existent theme #7722
• Regenerate cookie ID after logging out #7762
• Require current password when setting new password #7763
• Add missing access checks for feed-related actions #7768
• Strip more unsafe attributes such as referrerpolicy, ping #7770
• Remove unneeded execution permissions #7802

Bug fixing

• Fix redirections when scraping from HTML #7654, #7741
• Fix multiple authentication HTTP headers #7703
• Fix HTML queries with a single feed #7730
• WebSub: only perform a redirection when coming from WebSub #7738
• Include enclosures in entries’ hash #7719
• Negative side-effect: users of the option to automatically mark updated articles as unread will once have some articles with enclosures re-appear as unread
• Fix cancellation of slider exit UI #7705
• Honor disable update on update page #7733
• Fix no registration limit setting #7751
• Fix XML encoding of sharing functions #7822

SimplePie

• Fix propagation of HTTP error codes #7670
• Fix support for XML feeds with HTML entities #7689, simplepie#915
• Fix feeds encoded in UTF-16LE #7691, simplepie#916
• Various upstream contributions simplepie#917, simplepie#924,
  simplepie#926, simplepie#932, simplepie#933
• Sync upstream #7706, FreshRSS/simplepie#45, #7775,
  FreshRSS/simplepie#50, #7824, #7825,
• Fix regex Backtrack limit was exhausted in clean_hash() #7813, FreshRSS/simplepie#48

Deployment

• Docker default image (Debian 12 Bookworm) updated to PHP 8.2.29 #7805
• Docker alternative image updated to Alpine 3.22 with PHP 8.4.11 and Apache 2.4.65 #7740, #7740,

#7803

• Start supporting PHP 8.5+ #7787, #7826
• Docker Alpine dev image :newest updated to PHP 8.5-alpha and Apache 2.4.65 #7773
• Docker: interpolate FRESHRSS_INSTALL and FRESHRSS_USER variables #7725
• Docker: Reduce how much data needs to be chown/chmod’ed on container startup #7793
• Test for database PDO typing support during install (relevant for MySQL / MariaDB with obsolete driver) #7651

Extensions

• Add API endpoint for extensions #7576
• Expose the reading modes for extensions #7668, #7688
• New extension hook before_login_btn #7761

UI

• Improve mark as read request showing popup due to onbeforeunload #7554
• Fix lazy-loading for and #7636
• Avoid styling inside of

   #7797

• Improve confirmation logic with data-auto-leave-validation #7785
• Update chart.js to 4.5.0 #7752, #7816
• Various UI and style improvements: #7616, #7811

I18n

• Show translation status in README #7715
• Improve Indonesian #7654, #7721
• Improve Persian #7795

Misc.

• Improve PHP code #7642, #7665, #7761,

#7781, #7794

• Update dev dependencies #7708, #7709, #7710,

#7711, #7776, #7777

Original source

Features

• Keep sort and order criteria during navigation (#7585)
• Add info about PDO::ATTR_CLIENT_VERSION (relevant for MySQL / MariaDB with obsolete driver) (#7591)

Bug fixing

• Fix SQL request for user labels with custom sort (affecting PostgreSQL) (#7588)
• Fix regression for favicon in GReader and Fever APIs (#7573)
• Fix newest articles (within last second) not shown (#7577)
• Fix duplicate HTTP header for POST (#7556)
• Fix important articles on reader view (#7602)
• Fix remove last share method (#7613)
• Fix API handling of default category (#7610)
• Fix user self-deletion (#7626)
• Move PHP minimum version check (#7560)

Security

• Fix encoding of themes (#7565)
• Fix .htaccess.dist for access to /scripts/vendor/ (#7598)

SimplePie

• Strip more HTML deprecated styles attributes: bgcolor, text, background, link, alink, vlink (#7606)

UI

• Implement loading spinner for marking as favourite/read (#7564)
• Provide theme class for CSS (#7559)

Deployment

• Use HTTP Cache-Control: immutable for some files (#7552)
• Drop Apache 2.2 (only support Apache 2.4+) (#7561)

I18n

• Improve Indonesian (#7622)
• Improve Polish (#7587)

Misc.

• Update to PHPMailer 6.10.0 (#7542)
• Update dev dependencies (#7630, #7631, #7632, #7633, #7634, #7635)

Original source

Milestone

This is a bug-fix release for FreshRSS 1.26.x

A few highlights ✨:

• Keep sort and order criteria during navigation
• Implement loading spinner for marking as favourite/read
• Many bug fixes

This release has been made by @Alkarex, @Inverle and newcomers @CarelessCaution, @the7thNightmare

Full changelog:

Features

• Keep sort and order criteria during navigation #7585
• Add info about PDO::ATTR_CLIENT_VERSION (relevant for MySQL / MariaDB with obsolete driver) #7591

Bug fixing

• Fix SQL request for user labels with custom sort (affecting PostgreSQL) #7588
• Fix regression for favicon in GReader and Fever APIs #7573
• Fix newest articles (within last second) not shown #7577
• Fix duplicate HTTP header for POST #7556
• Fix important articles on reader view #7602
• Fix remove last share method #7613
• Fix API handling of default category #7610
• Fix user self-deletion #7626
• Move PHP minimum version check #7560

Security

• Fix encoding of themes #7565
• Fix .htaccess.dist for access to /scripts/vendor/ #7598

SimplePie

• Strip more HTML deprecated styles attributes: bgcolor, text, background, link, alink, vlink #7606

UI

• Implement loading spinner for marking as favourite/read #7564
• Provide theme class for CSS #7559

Deployment

• Use HTTP Cache-Control: immutable for some files #7552
• Drop Apache 2.2 (only support Apache 2.4+) #7561

I18n

• Improve Indonesian #7622
• Improve Polish #7587

Misc.

• Update to PHPMailer 6.10.0 #7542
• Update dev dependencies #7630, #7631, #7632
• #7633, #7634, #7635

Original source

Features

• Implement JSON string concatenation with & operator (#7414)
• Support multiple JSON fragments in HTML+XPath+JSON mode (#7369)

Bug fixing

• Fix escaping of tag search (#7468)
• Fix CLI parsing of Boolean flags (#7430)
• Fix API for labels with slash (#7437)

SimplePie

• Fix support for feeds with XML preamble + DTD (#7515, simplepie#914)
• Merged upstream (#7434) (Upstream fix simplepie#912)

Security

• Disallow (#7494, CVE-2025-32015)
• Disallow (#7506)
• Improve favicons hash to avoid favicon pollution (#7505, CVE-2025-46339)
• Add Content-Security-Policy HTTP headers to favicons (#7471, CVE-2025-31136)
• Web scraping forbid security HTTP headers in cURL (#7496, CVE-2025-46341)
• Add some HTTP headers Referrer-Policy: same-origin (#6303, #7478)
• Use HTTP POST for logout (#7489, CVE-2025-31482)
• Make update URL read-only (#7477)
• Fix for extensions: Restrict valid paths in ext.php (#7479, CVE-2025-31134)
• Fix for extensions: Secure serving of user files (#7495)

Extensions

• Fix file serving for symlinked extensions (#7545)
• Catch extension exceptions in override (#7475)
• JavaScript: new event to detect context loaded (#7452)

Deployment

• Apache: add check for mod_filter to ensure that AddOutputFilterByType works (#7419)

UI

• Accessibility: Add :focus style to some dropdown menus (#7491)
• New size option for the Mark as read button (#7314)
• Update bcrypt.js from 2.4.4 to 3.0.2 (#7449)
• Various UI and style improvements (#7168, #7526)

I18n

• Rework credits (#7426)
• Improve French (#7432)
• Improve Italian (#7540)
• Improve Polish (#7508)
• Improve Turkish (#7442)

Misc.

• Improve PHP code (#7431, #7488, #7534)
• Update dev dependencies (#7480, #7482, #7483, #7484, #7485, #7486, #7487, #7533, #7535, #7536, #7537, #7538)

Original source

Milestone

This is a security-focussed release for FreshRSS 1.26.x, addressing several CVEs (thanks @Inverle) 🛡

A few highlights ✨:

• Implement JSON string concatenation with & operator
• Support multiple JSON fragments in HTML+XPath+JSON mode (e.g. JSON-LD)
• Multiple security fixes with CVEs

Full changelog

Features

• Implement JSON string concatenation with & operator #7414
• Support multiple JSON fragments in HTML+XPath+JSON mode #7369

Bug fixing

• Fix escaping of tag search #7468
• Fix CLI parsing of Boolean flags #7430
• Fix API for labels with slash #7437

SimplePie

• Fix support for feeds with XML preamble + DTD #7515, simplepie#914
• Merged upstream #7434
• Upstream fix simplepie#912

Security

• Disallow <iframe srcdoc=""> #7494, CVE-2025-32015
• Disallow <button formaction=""> #7506
• Improve favicons hash to avoid favicon pollution #7505, CVE-2025-46339
• Add Content-Security-Policy HTTP headers to favicons #7471, CVE-2025-31136
• Web scraping forbid security HTTP headers in cURL #7496, CVE-2025-46341
• Add some HTTP headers Referrer-Policy: same-origin #6303, #7478
• Use HTTP POST for logout #7489, CVE-2025-31482
• Make update URL read-only #7477
• Fix for extensions: Restrict valid paths in ext.php #7479, CVE-2025-31134
• Fix for extensions: Secure serving of user files #7495

Extensions

• Fix file serving for symlinked extensions #7545
• Catch extension exceptions in override #7475
• JavaScript: new event to detect context loaded #7452

Deployment

• Apache: add check for mod_filter to ensure that AddOutputFilterByType works #7419

UI

• Accessibility: Add :focus style to some dropdown menus #7491
• New size option for the Mark as read button #7314
• Update bcrypt.js from 2.4.4 to 3.0.2 #7449
• Various UI and style improvements: #7168, #7526

I18n

• Rework credits #7426
• Improve French #7432
• Improve Italian #7540
• Improve Polish #7508
• Improve Turkish #7442

Misc.

• Improve PHP code #7431, #7488, #7534
• Update dev dependencies #7480, #7482, #7483,
  #7484, #7485, #7486,
  #7487, #7533, #7535,
  #7536, #7537, #7538

Original source

Features

• Add cURL version to page about system information (#7409)

Bug fixing

• Fix regression with cURL HTTP headers breaking conditional HTTP requests (#7403, FreshRSS/simplepie#33)
• Fix regression with saving states of user queries (#7400)
• Fix regression with dynamic OPML (#7394)
• Fix update of the user’s last activity on login action (#7406)
• Fix setting category option Maximum number of articles to keep per feed (#7416)
• Fix priority field when processing a new feed from an extension (#7354)

Deployment

• Fix regression with 64-bit timestamps on 32-bit platforms (#7375)
• Fix back-compatibility with cURL 7.51 (we require cURL 7.52+ for CURLPROXY_HTTPS) (#7409)

UI

• Use case-insensitive sort for categories (#7402)
• Improve dark mode of Origine theme (#7413)
• Added API password indicator (#7340)

I18n

• Fix (es, fa, sk): do not translate XPath code (#7404)
• Fix date bug in Finish (#7423)
• Add Portuguese from Portugal (#7329)
• Improve Hungarian (#7391)

Misc.

• Improve PHP code (#7339)
• Update dev dependencies (#7386, #7387, #7388)

Original source