Totara Release Notes

Release notes

Hello everyone,

The following versions of Totara have now been released and are available in gitolite:

• Release 20.0.1
• Release 19.1.7
• Release 19.0.13
• Release 18.26
• Release 17.39
• Release 16.45
• Release 15.51
• Release 14.54
• Release 13.62
• Release 12.78
• Release 11.78
• Release 10.79
• Release 9.84

These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes various bug fixes and improvements.

Kind regards

Release Team

Release 20.0.1 (03rd February 2026)

Security issues:

• TL-47408 Fixed handling of formulas in legacy "dataformat" Excel export (CVE-2025-67851)
• TL-47411 Fixed suspended user access via LTI (CVE-2025-67848)

Improvements:

• TL-47524 Added new column 'Completion Organisation ID Number' into the course completion report source

Bug fixes:

• TL-44084 Fixed horizontal drag and drop for RTL languages
• TL-44113 Fixed SQL Server report export for program and certification percent column
• TL-45082 Fixed ad-hoc task crash when attempting to delete a course module that no longer exists
• TL-45567 Fixed certification path usage data collection
• TL-46110 Fixed rendering issue with cookie text on the login page when using quotes
• TL-46644 Added an extra check to allow tenant domain manager to view all tenants' profiles
• TL-47074 Added the actual value alongside the display value in the component column of the site log report
• TL-47398 Prevented default filter values from bypassing the initial display restriction
• TL-47504 Fixed 'Disable all notifications' toggle applying to the logged in user, not the user that is currently being edited
• TL-47525 Updated totara_sync minimum record threshold for users to omit deleted users
• TL-47543 Removed the button from the return path in the certification requirements path track
• TL-47573 Fixed select type settings failing to render when default values were lang_string objects
• TL-47598 Fixed deprecation notice in completion_completion::aggregate()
• TL-46287 Fixed program and certification course set default focused field

Technical changes:

• TL-47548 Added step to clear the OpenSSL error queue during unit test teardown to prevent residual errors between tests

Release 19.1.7 (03rd February 2026)

Security issues:

• TL-47408 Fixed handling of formulas in legacy "dataformat" Excel export (CVE-2025-67851)
• TL-47411 Fixed suspended user access via LTI (CVE-2025-67848)

Improvements:

• TL-47366 Language strings can now accept stringable objects (like moodle_url()) in the {$a->param} fields
• TL-47476 Added fullnamedisplay and alternativefullnameformat setting tracking to usage data export
• TL-47524 Added new column 'Completion Organisation ID Number' into the course completion report source

Bug fixes:

• TL-40974 Excluded non-course activities from the 'Course Content' filter on the 'Find Courses' embedded report
• TL-42162 Fixed navigation in a performance activity so the user will now be taken to the start of the content on section change
• TL-44084 Fixed horizontal drag and drop for RTL languages
• TL-44113 Fixed SQL Server report export for program and certification percent column
• TL-44187 Fixed the user tour step edit form element to display correctly for the 'Show if target is not found' value
• TL-44423 Fixed errors when an activity module plugin is hidden
• TL-44782 Fixed database connection failures when Microsoft Teams JWT signatures verification fails with SQL Server and OpenSSL 3.0
• TL-45082 Fixed ad-hoc task crash when attempting to delete a course module that no longer exists
• TL-45863 Addressed layout issues on user profile job assignments block
• TL-46110 Fixed rendering issue with cookie text on the login page when using quotes
• TL-46356 Addressed issue to preserve existing link types when saving linked courses for competencies
• TL-46644 Added an extra check to allow tenant domain manager to view all tenants' profiles
• TL-47054 Fixed an issue where email links were broken when pasted in Weka editor
• TL-47074 Added the actual value alongside the display value in the component column of the site log report
• TL-47233 Fixed admin form element for webhook enabling
• TL-47236 Fixed graphql totara_program_program_courseset courses property
• TL-47398 Prevented default filter values from bypassing the initial display restriction
• TL-47400 Fixed an invalid debugging message in a unit test
• TL-47414 Fixed a problem when exporting a report via a scheduled report, dynamic columns may or may not appear correctly
• TL-47455 Reverted changes to CSV exports
• TL-47484 Fixed an error when viewing certain events with PHP 8.1
• TL-47504 Fixed 'Disable all notifications' toggle applying to the logged in user, not the user that is currently being edited
• TL-47525 Updated totara_sync minimum record threshold for users to omit deleted users
• TL-46287 Fixed program and certification course set default focused field
• TL-47235 Improved self-enrolment keyboard tabbing sequence for program and certification options

Technical changes:

• TL-47548 Added step to clear the OpenSSL error queue during unit test teardown to prevent residual errors between tests

Library updates:

• TL-47440 Upgraded symfony/http-foundation from 6.4.4 to 6.4.31 (CVE-2025-64500)
• TL-47441 Upgraded robrichards/xmlseclibs from 3.1.1 to 3.1.4 (CVE-2025-66578)

Release 19.0.13 (03rd February 2026)

Security issues:

• TL-47408 Fixed handling of formulas in legacy "dataformat" Excel export (CVE-2025-67851)
• TL-47411 Fixed suspended user access via LTI (CVE-2025-67848)

Improvements:

• TL-47366 Language strings can now accept stringable objects (like moodle_url()) in the {$a->param} fields
• TL-47476 Added fullnamedisplay and alternativefullnameformat setting tracking to usage data export
• TL-47524 Added new column 'Completion Organisation ID Number' into the course completion report source

Bug fixes:

• TL-40974 Excluded non-course activities from the 'Course Content' filter on the 'Find Courses' embedded report
• TL-42162 Fixed navigation in a performance activity so the user will now be taken to the start of the content on section change
• TL-44084 Fixed horizontal drag and drop for RTL languages
• TL-44113 Fixed SQL Server report export for program and certification percent column
• TL-44187 Fixed the user tour step edit form element to display correctly for the 'Show if target is not found' value
• TL-44423 Fixed errors when an activity module plugin is hidden
• TL-44782 Fixed database connection failures when Microsoft Teams JWT signatures verification fails with SQL Server and OpenSSL 3.0
• TL-45082 Fixed ad-hoc task crash when attempting to delete a course module that no longer exists
• TL-45863 Addressed layout issues on user profile job assignments block
• TL-46110 Fixed rendering issue with cookie text on the login page when using quotes
• TL-46356 Addressed issue to preserve existing link types when saving linked courses for competencies
• TL-46644 Added an extra check to allow tenant domain manager to view all tenants' profiles
• TL-47054 Fixed an issue where email links were broken when pasted in Weka editor
• TL-47074 Added the actual value alongside the display value in the component column of the site log report
• TL-47236 Fixed graphql totara_program_program_courseset courses property
• TL-47398 Prevented default filter values from bypassing the initial display restriction
• TL-47400 Fixed an invalid debugging message in a unit test
• TL-47414 Fixed a problem when exporting a report via a scheduled report, dynamic columns may or may not appear correctly
• TL-47455 Reverted changes to CSV exports
• TL-47484 Fixed an error when viewing certain events with PHP 8.1
• TL-47504 Fixed 'Disable all notifications' toggle applying to the logged in user, not the user that is currently being edited
• TL-47525 Updated totara_sync minimum record threshold for users to omit deleted users
• TL-46287 Fixed program and certification course set default focused field
• TL-47235 Improved self-enrolment keyboard tabbing sequence for program and certification options

Technical changes:

• TL-47548 Added step to clear the OpenSSL error queue during unit test teardown to prevent residual errors between tests

Library updates:

• TL-47440 Upgraded symfony/http-foundation from 6.4.4 to 6.4.31 (CVE-2025-64500)
• TL-47441 Upgraded robrichards/xmlseclibs from 3.1.1 to 3.1.4 (CVE-2025-66578)

Release 18.26 (03rd February 2026)

Security issues:

• TL-47411 Fixed suspended user access via LTI (CVE-2025-67848)

Improvements:

• TL-47366 Language strings can now accept stringable objects (like moodle_url()) in the {$a->param} fields
• TL-47476 Added fullnamedisplay and alternativefullnameformat setting tracking to usage data export

Bug fixes:

• TL-40974 Excluded non-course activities from the 'Course Content' filter on the 'Find Courses' embedded report
• TL-42162 Fixed navigation in a performance activity so the user will now be taken to the start of the content on section change
• TL-44084 Fixed horizontal drag and drop for RTL languages
• TL-44113 Fixed SQL Server report export for program and certification percent column
• TL-44423 Fixed errors when an activity module plugin is hidden
• TL-44782 Fixed database connection failures when Microsoft Teams JWT signatures verification fails with SQL Server and OpenSSL 3.0
• TL-45082 Fixed ad-hoc task crash when attempting to delete a course module that no longer exists
• TL-45863 Addressed layout issues on user profile job assignments block
• TL-46110 Fixed rendering issue with cookie text on the login page when using quotes
• TL-46356 Addressed issue to preserve existing link types when saving linked courses for competencies
• TL-47054 Fixed an issue where email links were broken when pasted in Weka editor
• TL-47074 Added the actual value alongside the display value in the component column of the site log report
• TL-47236 Fixed graphql totara_program_program_courseset courses property
• TL-47398 Prevented default filter values from bypassing the initial display restriction
• TL-47400 Fixed an invalid debugging message in a unit test
• TL-47414 Fixed a problem when exporting a report via a scheduled report, dynamic columns may or may not appear correctly
• TL-47455 Reverted changes to CSV exports
• TL-47484 Fixed an error when viewing certain events with PHP 8.1
• TL-47504 Fixed 'Disable all notifications' toggle applying to the logged in user, not the user that is currently being edited
• TL-46287 Fixed program and certification course set default focused field
• TL-47440 Upgraded symfony/http-foundation from 5.4.23 to 5.4.50 (CVE-2025-64500)
• TL-47441 Upgraded robrichards/xmlseclibs from 3.1.1 to 3.1.4 (CVE-2025-66578)

Release 17.39 (03rd February 2026)

Security issues:

• TL-47411 Fixed suspended user access via LTI (CVE-2025-67848)

Improvements:

• TL-47476 Added fullnamedisplay and alternativefullnameformat setting tracking to usage data export

Bug fixes:

• TL-44782 Fixed database connection failures when Microsoft Teams JWT signatures verification fails with SQL Server and OpenSSL 3.0
• TL-47484 Fixed an error when viewing certain events with PHP 8.1

Release 16.45 (03rd February 2026)

Security issues:

• TL-47411 Fixed suspended user access via LTI (CVE-2025-67848)

Improvements:

• TL-47476 Added fullnamedisplay and alternativefullnameformat setting tracking to usage data export

Bug fixes:

• TL-44782 Fixed database connection failures when Microsoft Teams JWT signatures verification fails with SQL Server and OpenSSL 3.0

Release 15.51 (03rd February 2026)

Security issues:

• TL-47411 Fixed suspended user access via LTI (CVE-2025-67848)

Bug fixes:

• TL-44782 Fixed database connection failures when Microsoft Teams JWT signatures verification fails with SQL Server and OpenSSL 3.0

Release 14.54 (03rd February 2026)

Security issues:

• TL-47411 Fixed suspended user access via LTI (CVE-2025-67848)

Bug fixes:

• TL-44782 Fixed database connection failures when Microsoft Teams JWT signatures verification fails with SQL Server and OpenSSL 3.0

Release 13.62 (03rd February 2026)

Security issues:

• TL-47411 Fixed suspended user access via LTI (CVE-2025-67848)

Bug fixes:

• TL-44782 Fixed database connection failures when Microsoft Teams JWT signatures verification fails with SQL Server and OpenSSL 3.0

Release 12.78 (03rd February 2026)

Security issues:

• TL-47411 Fixed suspended user access via LTI (CVE-2025-67848)

Release 11.78 (03rd February 2026)

Security issues:

• TL-47404 Adding extra sanitisation to URL param cleaning to cover possible XSS situation (CVE-2025-67855)
• TL-47411 Fixed suspended user access via LTI (CVE-2025-67848)

Release 10.79 (03rd February 2026)

Security issues:

• TL-47404 Adding extra sanitisation to URL param cleaning to cover possible XSS situation (CVE-2025-67855)
• TL-47411 Fixed suspended user access via LTI (CVE-2025-67848)

Release 9.84 (03rd February 2026)

Security issues:

• TL-47404 Adding extra sanitisation to URL param cleaning to cover possible XSS situation (CVE-2025-67855)

Original source Report a problem

Totara Version 20 boosts compliance with flexible multi-year recertification pathways, functionality to identify and close skill gaps, improved content discovery for learners and streamlined admin workflows.

London, January 27, 2026 – Totara has announced the release of Version 20 of its platform, introducing features that support complex compliance needs, close skills gaps, improve content discovery and time-saving enhancements to core workflows.

New recertifications & improved reporting to boost compliance rates

Totara Version 20 introduces new workflows that allow for flexible recertification paths to be created. This makes it easier to create targeted certification renewal paths once a certification has expired, allowing organisations to efficiently maintain compliance over time. New reporting blocks make it easier for leaders to get instant insights into organisation and certification compliance statuses, encouraging quicker remedial action while supporting an ‘audit-ready’ focus.

Enhanced Skills functionality that helps identify and close gaps

Totara Perform, Totara’s skill development and performance management product that supplements its core LMS, includes updates that help leaders identify, report on, and close skill gaps:

• The Team Skill Proficiency report block provides managers and line managers with a clear view of their team’s current skill levels.
• Skill rating by audience enables flexible on-the-job assessments of skills to be made by audiences and roles of your choice (e.g. field specialists and practitioners)
• New audience type of ‘skill proficiency’ enables smarter enrolments and targeted next-step learning, as well as increased reporting options.

Workflow enhancements that boost the learner experience and streamline administration

Totara Version 20 includes four AI-Powered plugins that help streamline content creation (text and image creation assistants), drive engagement on social learning resources (AI-powered informal quizzes), and help set SMART goals to aid personal development. Improved content discovery and search options make it easier for learners to discover relevant learning via dashboards and catalogues, while learners can now self-enrol to programs and certifications. Site administrators benefit from a number of UX and UI improvements that support efficient audience management, digitise seminar attendance records, and free up admin time on everyday tasks, such as new ‘background’ exports on large-scale reports.

Dave Cruickshank, Chief Executive Officer of Totara Learning Group, commented: “This release focuses on fine-tuning Totara’s capabilities to drive meaningful impact for our Totara community. We’re introducing powerful enhancements to boost compliance, close skill gaps, and embracing AI to improve the learner experience. We’ve also listened closely to user feedback, streamlining core workflows to free up L&D’s time so they can do what they do best, and focus on offering a compelling and effective learner experience”

“Maintaining compliance year-on-year is a challenge that complicates when L&D scales with thousands of learners with highly bespoke individual needs. Totara’s new recertification and reporting options meet these needs head on, offering efficiency gains that support leaders in highly regulated industries”

About Totara

Totara is a global leader in learning management technologies, supporting over 1,500 customers and 21 million users worldwide. Its flagship product, Totara Learn, is a customisable LMS that’s trusted to deliver mission-critical learning for multinational corporations, government agencies, and mid-sized enterprises. Totara serves the UK Government and Healthcare sectors and the US public sector, with TotaraGov offering a FedRAMP® Authorized LMS purpose-built for government training. Totara also operates through a global network of 75+ partners who provide implementation, customisation, and support across a variety of industries. With offices in the UK, US, and New Zealand, Totara’s 200+ team members continue to deliver reliable, mission-critical compliance and learning worldwide.

Original source Report a problem

Totara Mobile App Changelog

Release 3.2.0 (28 Jan 2026)

Task

• [MOB-1585]: Upgrade the app to Expo SDK 54
• [MOB-1410]: Syncing Preferences
• [MOB-1409]: Automatic Progress Sync When Back Online
• [MOB-1535]: Wi-Fi Only Sync
• [MOB-1568]: Add helper text under "Sync over Wi-Fi only" in Syncing Options screen
• [MOB-1570]: Align sync & waiting icon behaviour (manual vs auto sync)
• [MOB-1574]: Sync settings apply immediately to all pending progress
• [MOB-1575]: Sync pending toast appears on URL and login screens after session expiry
• [MOB-1567]: Migrate pipeline from Jenkins to Github Actions

Improvement

• [MOB-1342]: Fix dependency versions for nanoid and brace-expansion
• [MOB-1491]: Fix dependency versions for nanoid and brace-expansion
• [MOB-1458]: Update Firebase dependency
• [MOB-1460]: Update Firebase dependency
• [MOB-1545]: Tech Debt - Remove Unused Legacy Code
• [MOB-1543]: Tech Debt - Legacy SCORM & Caching
• [MOB-1602]: Clean up unused dependencies
• [MOB-1546]: Maestro Tests Improvements
• [MOB-1542]: Tech Debt - Webviews Cleanup
• [MOB-1603]: Fix lint check + re-enable in CI
• [MOB-1464]: SCORM player doesn't respect Display attempt status setting on activity
• [MOB-1576]: UX improvements
• [MOB-1605]: Totara logo is cut off on Android app icon

Bug

• [MOB-1549]: Topic summaries not being displayed, Fix image rendering in weka content
• [MOB-1474]: False offline status shown in locked-down network environments
• [MOB-1577]: "View all" button not functioning when using AND rule between course sets
• [MOB-1469]: Mobile friendly content in activity description not mobile app friendly
• [HD-27742]: Fix issue where total attempts for SCORM were not updated correctly after an attempt was completed
• [MOB-1479]: Current learning page heading translation issue
• [MOB-1534]: SCORM completion status not updated on Downloads page after syncing
• [MOB-1616]: Find Learning cards show blue background behind default images
• [MOB-1617]: Bottom action buttons are obscured by system navigation on Android (filters & download cancel)

Upgraded dependencies

• @dr.pogodin/react-native-fs: ^2.30.3 -> 2.36.1
• @dr.pogodin/react-native-static-server: ^0.18.0 -> 0.25.3
• @expo/vector-icons: ^14.0.2 -> ^15.0.3
• @notifee/react-native: ^7.8.2 -> 9.1.8
• @react-native-async-storage/async-storage: ^1.23.1 -> 2.2.0
• @react-native-firebase/app: ^20.1.0 -> ^23.5.0
• @react-native-firebase/messaging: ^20.1.0 -> ^23.5.0
• @sentry/react-native: ~6.10.0 -> ~7.2.0
• expo: ~52.0.47 -> ~54.0.25
• expo-asset: ~11.0.2 -> ~12.0.10
• expo-build-properties: ~0.13.3 -> ~1.0.9
• expo-dev-client: ~5.0.20 -> ~6.0.18
• expo-font: ~13.0.3 -> ~14.0.9
• expo-image: ~2.0.7 -> ~3.0.10
• expo-screen-orientation: ~8.0.4 -> ~9.0.7
• expo-splash-screen: ~0.29.24 -> ~31.0.11
• expo-system-ui: ~4.0.9 -> ^6.0.9
• react: 18.3.1 -> 19.1.0
• react-dom: 18.3.1 -> 19.1.0
• react-native: 0.76.9 -> 0.81.5
• react-native-gesture-handler: ~2.20.2 -> ~2.28.0
• react-native-mmkv: ^2.12.2 -> ^4.0.0
• react-native-reanimated: ~3.16.7 -> ~4.1.5
• react-native-safe-area-context: 4.12.0 -> ~5.6.0
• react-native-screens: ~4.4.0 -> ~4.16.0
• react-native-svg: 15.8.0 -> 15.12.1
• react-native-webview: 13.10.4 -> 13.15.0
• @types/react: ~18.3.12 -> ~19.1.10
• @typescript-eslint/eslint-plugin: ^7.16.0 -> ^8.40.0
• eslint: ^8.57.0 -> ^9.34.0
• eslint-plugin-prettier: ^5.1.3 -> ^5.5.4
• eslint-plugin-react-hooks: ^4.6.2 -> ^5.2.0
• jest-expo: ~52.0.6 -> ~54.0.13
• react-test-renderer: 18.2.0 -> 19.1.0
• typescript: ~5.3.3 -> ~5.9.2
• typescript-eslint: ^7.16.0 -> ^8.40.0

New dependencies

• expo-secure-store: 15.0.7
• patch-package: 8.0.1
• react-native-nitro-modules: ^0.31.9
• react-native-worklets: 0.5.1
• @typescript-eslint/parser: ^8.40.0
• jiti: ^2.5.1
• prettier: ^3.7.4

Removed dependencies

• app-icon-badge: ^0.0.15
• date-fns: ^3.6.0
• expo-constants: ~17.0.5
• expo-file-system: ~18.0.12
• expo-linking: ~7.0.5
• expo-status-bar: ~2.0.1
• expo-web-browser: ~14.0.2
• filesize: ^10.1.6
• react-native-sensitive-info
• react-native-web: ~0.19.13
• react-native-windows: ^0.77.1
• redux-persist-sensitive-storage: ^1.0.0
• @apollo/server: ^4.11.0
• @graphql-tools/schema: ^10.0.7
• cors: ^2.8.5
• eslint-plugin-react: ^7.34.3
• eslint-plugin-unicorn: ^54.0.0
• express: ^4.19.2
• get-graphql-schema: ^2.1.2
• npm-run-all: ^4.1.5
• waait: ^1.0.5

Kind regards,
Fei Gao

Original source Report a problem

Hello Everyone,
I am pleased to announce that the Totara Suite 20.0.0 release is now available.
A summary of the new features and improvements included in this release will soon be available in the What's new page on the Totara help site.
For detailed change-management information, please see the Technical Release Notes below.
A big thank you as well to everyone who has contributed to this release!
Contributions:
• Petter Fogelqvist at Aleido - TL-47127 - Petter Fogelqvist at Aleido
• Andrew Mansfield at Coretxa - TL-43805 - Andrew Mansfield at Coretxa
• Androgogic - TL-46861 - Androgogic
• Catalyst IT - TL-44414 - Catalyst IT
• Dan Marsden at Catalyst - TL-43795 - Dan Marsden at Catalyst
• Davo Smith - Synergy Learning - TL-45319 - Davo Smith - Synergy Learning
• Michael Geering at Think Learning - TL-42693, TL-42783 - Michael Geering at Think Learning
• Petter Fogelqvist at Aleido - TL-43481 - Petter Fogelqvist at Aleido
• Sasha Anastasi at Catalyst - TL-44716 - Sasha Anastasi at Catalyst
• Steven Hughes at Think Learning - TL-41289 - Steven Hughes at Think Learning
Release 20.0.0 (27th January 2026)
Important:
TL-36438 The MongoDB cache store plugin has been deprecated and removed
TL-39437 Improved media plugin detection of links
TL-42107 Prevented embedded reports from being displayed in "Report table" and "Report graph" blocks
TL-43428 Updated the list of countries in lang/en/countries.php as per ISO 3166-1
TL-43538 The custom script override functionality has changed, scripts are now included after the config has finished loading
TL-44293 Added check for empty keys array to redis and memcached implementation of delete_many
TL-45458 Libraries have moved from the libraries/required and libraries/optional folder into the top-level vendor folder
TL-46484 Library files are no longer included as part of the git distribution
TL-46666 Changed the $CFG->messaging setting to only apply to the user-to-user messaging system
TL-47040 User to user messaging is disabled by default
New features:
TL-39249 Added ability to remove and restore access to closed participant instances for users with the Manage participant instances capability
TL-43166 Added external API service totara_reportbuilder_get_report for querying select reports
TL-43196 Added a setting to remove access to performance activities on role change
TL-43387 Added add user function to group assignments
TL-43427 Added GraphQL services for seminars
TL-43476 Added a Capability for accessing Tui samples page and removed the page's login check
TL-43490 Added a new audience-based 'assessor' role option to the manual rating pathway for competencies
TL-44011 Added self check-in functionality to seminars
TL-44174 Added setting to exclude courses from the catalogue
TL-44200 Added webhooks
TL-44414 Added the Excimer profiling plugin
TL-44443 Added self enrolment options for programs and certifications
TL-44818 Added a new settings page for enabling new features and improvements in minor releases
TL-45031 Report builder exports are now be executed in the background
TL-45309 New Skill Proficiency block made available for manager users
TL-45315 Added new certification compliance reports and block
TL-45361 Certifications now support multiple certification paths. Upgrades to programs and certifications management and learner UI
TL-45459 Totara now supports installing supported plugins via composer
TL-45650 Added Graphql apis for audience rule management
TL-45899 New program/certification overview page
TL-45923 Added availiability to clone Workflow Approvals and Workflow Approvals Overrides
TL-46427 Added new external API query totara_certification_certification_v2 for retrieving a single certification
TL-46429 Added new external API query totara_program_program_v2 for retrieving a single program
TL-46431 Add new external API service totara_certification_groups for retrieving a filtered set of groups on certifications
TL-46432 Add new external API service totara_program_groups for retrieving a filtered set of groups on programs
TL-46434 Added a certification group enrolment mutation to the external API
TL-46435 Added certification group un-enrolment mutation to external API
TL-46436 Added a program group enrolment mutation to the external API
TL-46437 Added program group un-enrolment mutation to external API
TL-46501 Including the Totara plugin installer in Totara automatically
TL-46605 Added command-line tool to find dangling records from LTI activities
TL-47049 Added usage data into approval workflow
Security issues:
TL-33651 Implemented validation to ensure passwords exceed bcrypt’s maximum supported length are rejected
TL-39795 Fixed IDOR on dashboard comments block (CVE-2024-25983)
TL-39796 Fixed a missing CSRF token when updating all language packs (CVE-2024-25982)
TL-39918 Removed sesskey from URLs to minimise potential security concerns.
TL-41080 Fixed sesskeys leaking in URLs for certain admin actions
TL-41086 Fixed change password form being populated despite a validation error
TL-42851 Prevented API errors from revealing absolute paths in normal error mode
TL-42916 Enforced POST for authentication parameters when using REST webservice protocol
TL-43031 Added security check related to the CSV report export format
TL-43046 Removed 5x multiplier from guest session expiration (CVE-2024-55648)
TL-43048 Improved handling of group access to ensure correct record visibility (CVE-2024-55646)
TL-43050 Improved validation to restrict users from viewing others with a specified tag (CVE-2024-55644)
TL-43117 Moved the run_diagnostics endpoint to the internal API
TL-43155 Improved security when storing credentials for external badge backpack connections
TL-43204 Fixed an insecure redirect problem
TL-43220 Improved output cleaning of json_editor emoji node
TL-43231 Improved handling of special characters in json_editor renderer
TL-43243 Error messages that are not client aware will no longer show in internal GraphQL APIs if debugging is disabled
TL-43368 Updated the metadata fetch functionality to use the local CURL system
TL-43502 Removed wkhtmltopdf library (CVE-2020-21365, CVE-2022-35583)
TL-43535 Added sensible default IP addresses to the cURL block setting
TL-43607 Fixed SQL injection risk in course search module list filter (MSA-25-0010) (CVE-2025-26533)
TL-43612 Cleaned drop zone label text in ddimageortext question type (CVE-2025-26528)
TL-43614 Fixed that Feedback responses did not always properly respect separate groups modes (CVE-2025-26526)
TL-43615 Fixed arbitrary file read risk through pdfTeX in TeX filter (CVE-2025-26525)
TL-43788 Fixed IDOR in badges allowing disabling of arbitrary badges (CVE-2025-26531 / MSA-25-0008)
TL-43912 Fixed a redirect problem with the SSOSAML authentication plugin
TL-44112 Removed hidden grades on some reports for users without permissions (CVE-2025-32045)
TL-44468 Backported MDL-84473: Fixed a security problem with EQUELLA repository (CVE-2025-3642)
TL-44469 Fixed an issue with Dropbox and serialisation (CVE-2025-3641)
TL-44473 Fixed IDOR in RSS block to allow access to additional RSS feeds (CVE-2025-3636)
TL-44479 Updated TeX filter to prevent remote code execution (CVE-2024-40446)
TL-45238 Improved course visibility state handling (CVE-2025-49515)
TL-45239 Fixed a DNS rebinding problem with cURL (CVE-2025-49514)
TL-45240 Disabled caching on the login page (CVE-2025-49513)
TL-45250 Fixed external API's disable introspection setting
TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)
TL-45416 Fixed a user ID enumeration problem in profiles
TL-45433 Fixed the Vimeo metadata fetch script bypassing internal CURL handlers
TL-45738 Fixed a potential XSS vunerability in Tui core
TL-46012 Fixed feedback activity results not always respecting the Separate Groups mode (CVE-2025-62437)
TL-46013 Hide the course log report from the non-editing trainer (CVE-2025-62436)
TL-46355 Removed sesskey from URLs when viewing calendar
TL-46828 Improved the handling of stored secrets and tokens for Zoom virtual meetings
TL-46874 Fixed a problem with the self-registration approval authentication plugin
TL-47412 Safer unserializing of file references (CVE-2025-67847)
Visual improvements:
TL-42883 Improved the creation of performance activities, the first section will now be set to edit mode by default
TL-44291 Improved accessibility of dashboard and admin lists with links
TL-44498 Improved label alignment in self-enrolment card layout
Performance improvements:
TL-40368 Improved performance for resetting / archiving course completions for courses with a large amount of users by running actions in bulk
TL-40672 Added indexes to user_enrolments, enrol, and course_completions tables to improve performance
TL-42203 Added an option to reports to disable the visibility check when rendering user profile links
TL-42960 Optimised audience, organisations and positions preloading in course activity restriction settings
TL-43184 Improved the performance of generating role maps for approval workflows
TL-43188 Improved the performance for mobile completed learning API calls
TL-43659 Added an index to context_map.childid
TL-43676 Improved performance of menu item checks for course category and content marketplace administration
TL-44131 Improved performance when loading tiles in Explore catalog blocks
TL-44798 The adminlib library that handles global settings has been broken up into logical classes.
TL-44905 Improved the performance of capability check SQL on Postgres databases
TL-45056 Added caching for user profile custom fields to improve HR Import performance when importing many custom fields for a user
TL-45150 Implemented caching for custom user profile fields
TL-45151 Admin configuration settings have been converted to lazy-load options
TL-45152 Implemented caching for available portfolio instances
TL-45153 Caching has been implemented for properties required on every page by the theme masthead
TL-45156 Optimisation of content marketplace workflow checking for the admin menu
TL-45256 Optimised linked courses subquery to improve performance
TL-45319 Temporary managers are no longer checked with user relationships if the feature is disabled
TL-47127 Improved performance for the catalogue progress bar subquery
Improvements:
TL-35330 Added new HR Import setting to allow users to configure the threshold percentage for uploading new records without seeing a confirmation message
TL-35619 When using a relationship as an approver in aproval workflows, the taglist is disabled as there is only one relationship available
TL-35901 Remove deprecated legacy recommendations engine
TL-36557 Added performance check for Tui designer mode setting
TL-36578 Allowed mapping of the username field and mapping of external fields in the OAuth2 plugin after email confirmation
TL-37415 Multi-factor authentication added to the users report source
TL-37496 Added a check to the performance overview report for the use of the prohibit capability flag
TL-37497 Added performance check for category depth
TL-37498 Added performance check for audience rules and parameters
TL-37499 Added performance checks multitenancy without tenants
TL-37517 The "Authenticator app" MFA method will now check if the provided token is valid in the time step immediately before and after the current
TL-37563 "Authenticator app" multi-factor authentication method is now enabled by default
TL-39203 Added new 'scripting_id' field to approval workflow stages
TL-39382 Enabled AI course tag suggestions generated for draft course content
TL-39501 Updated tags UI and improved accessibility
TL-39563 Changed AI tag suggestion error handling and button text
TL-40349 Tidied up our copyright notice declarations
TL-40361 Changed the default password policies to OWASP ASVS 4 recommendations
TL-41009 Added pagination to the categories in the courses and categories page
TL-41169 Removed unused check_oracle_semantics class
TL-41484 N/A Part of a larger change
TL-41637 Course images are now included in playlist images
TL-41805 Added information about pathway format to the course format help text
TL-41897 Added support for filters in the mobile find learning API
TL-41974 Changed the hamburger icon to an arrow icon for collapsing the navigation on Inspire theme's wide screen
TL-41993 Added support for the progress bar to the mobile catalogue API
TL-42136 Improved positioning of buttons when restoring a backed up course
TL-42258 Increased the program 'fullname' database field length to better support multi-language
TL-42267 Added supplimentary content to block title to highlight hidden headings
TL-42378 Improved spacing between the user image and a glossary entry
TL-42401 Improved the user interface for managing filters in a course
TL-42430 Improved accessibility of notification close buttons
TL-42491 Fixed errors in external API documentation for enrolments and audiences
TL-42521 Added total number of Totara goal tasks to product usage data
TL-42522 Added total number of Totara goal comments to product usage data
TL-42651 Added configurable fallback SQL 'LIKE' search to catalogue
TL-42704 Increased side panel height to match the content
TL-42824 Allowed applicant be searched by Idnumber or fullname
TL-42938 Files uploaded in the draft area are now included in logs
TL-43005 Improved the alignment of sections and activities when editing courses
TL-43089 Trigger events for assigning and un-assigning audiences from programs
TL-43185 Added the ability to rotate the client secret for a specific external API client
TL-43212 Improved the error string when the mobile server is not reachable
TL-43215 Added an impacted users confirmation message when adding or removing assignments from programs or certifications
TL-43230 Deprecated JSON_EDITOR document_helper::clean_json_document method and clean_editor_content middleware
TL-43360 Workflow administrators with the mod/approval:edit_active_workflow permission can now edit stage names on a published workflow
TL-43386 Added options to compress (.zip) scheduled report attachments and limit file size
TL-43487 Added IP whitelisting support for external API clients
TL-43514 Added new app download url mobile setting to avoid wrong redirection when visiting browser_login page
TL-43528 Added timemodified as properties for hierarchy positions and organisations in GraphQL and the ability to filter records on since_timemodified
TL-43554 Added a new dynamic audience rule based on a user's proficiency in a list of competencies.
TL-43586 Added Custom script for migrating theme settings from Ventura to Inspire
TL-43616 Added mobile API support for selected offline activities
TL-43634 Added handling for OAuth 2.0 responses that contain an error parameter
TL-43709 Added system status check for ephemeral configuration flags
TL-43820 Changed the behaviour for HR Import to add a confirmation prompt that displays when an import source contains fewer records than the site does and the 'Source contains all records' setting is set to 'Yes'
TL-43831 Added product usage analytics for competency frameworks
TL-43832 Added product usage analytics for competency scales
TL-43886 Added Security overview report and Site performance overview report as new options to the Diagnostics for support tool
TL-43887 Added 'Require passing grade' completion option to external tool activity
TL-43893 Added a banner showing whether the user is suspended or not to the user's profile page
TL-43896 Added the "Created by" column to the "Manage user reports" report
TL-43900 Added "Approver Level Sort Order" column to Approver report
TL-43905 Added a "No default date value" option for Date/Time custom fields
TL-43934 Added support for using a query builder in repository-only contexts
TL-43964 Allowed uninstall_plugins admin script to work when plugin files are missing from disk
TL-43977 Removed references to phatomJS
TL-44018 Added Totara 20.0.0's definition to the environment checks page
TL-44031 Added a new core_user_user_v2 external GraphQL query
TL-44119 Changed the behaviour for HR Import to prevent importing an empty source when the 'Source contains all records' setting is set to 'Yes'
TL-44127 Wrapped update_certification_task operations in a try-catch and transaction block
TL-44130 Added usage data for catalogue configuration
TL-44184 Updated Recommendation block cards to match catalogue card styling
TL-44217 Fixed issue wher the behat step "I switch to the main window" in Firefox
TL-44221 Improved handling of resizerObserver errors in behat for Firefox
TL-44258 Added functionality to log report run times.
TL-44277 Updated Latest badges block to center-align badges
TL-44279 Added rounded corners to the Featured links block and fixed width of the full-width no-margin link
TL-44280 Added wider spacing to the Featured link tile content and aligned text typography styling to match the design system
TL-44296 Improved spacing on the upcoming Events block
TL-44303 Removed horizontal padding for Calendar block content when it has no border
TL-44415 Improved messaging when catalog filter selection changes update the results
TL-44430 Updated the scheduled reports task to identify which report is being processed
TL-44686 Separated Trending content into its own block, distinct from the Recommended for you block
TL-44727 Added "Did you mean" spellcheck suggestions to catalogue search
TL-44755 Allow an admin to select multiple learning types to be recommended in the recommended for you block
TL-44879 Fixed typos found in inheritDoc notations throughout the system
TL-44881 Updated the English help text for the 'Locked' field in the Edit Dashboard form to improve clarity
TL-44917 Fixed HR Import jobs run via the user interface from blocking other page activity
TL-44920 Allowed the API user role to view all course activity types, so they can be returned in API results.
TL-44923 Improved error message when session cannot be started
TL-44931 Improved the clarity of the heading for the dashboard edit page
TL-45041 Added support for single tenanted Microsoft Teams integrations
TL-45070 Improved failure handling in centralised notifications
TL-45073 Improve performance when checking user capabilities to view certain menu items
TL-45075 Added CRON history report
TL-45088 Renamed the 'Experimental' category under Development in Site Administration to 'New and experimental'
TL-45137 Improved competency rating experience by replacing rating popover with a modal side panel which provides additional context
TL-45159 Changed behat sites default catalog type to Explore
TL-45207 Added email queue
TL-45270 Switched Excel exports of reports to use Spout instead of PHPSpreadsheet, resulting in significantly lower memory usage
TL-45308 Extended the competency status report source to provide skills gap reporting capabilities to managers and administrators
TL-45476 Improved the help text for the "Type" field when creating an Audience
TL-45478 Set the default tab to 'All audiences' in Audiences page
TL-45574 Replaced all usages of the deprecated excellib wrapper
TL-45701 Added a custom data-changed attribute to the Moodle form element when form fields change
TL-45729 Rewrote excellib to use spout internally and deprecated it
TL-45743 .
TL-45761 Updated the diagnostic tool to collect useful debugging data
TL-45809 Added Excimer data to the diagnostic tool
TL-45893 Cron CLI will now exit with a success status when no tasks were run
TL-45959 Updated the diagnostic tool to include additional optional information
TL-46028 Added new Select Field and Divider components for use with the InputGroup component
TL-46093 Deprecated has_capability_in_any_context function
TL-46277 Improved 'Membership logic' texts translatability by using full sentences
TL-46404 Added facetoface_signups_application table to link between seminar signup and approval workflow application
TL-46426 Added a new external API query totara_certification_certifications_v2 for retrieving a list of certifications
TL-46428 Added a new external API query totara_program_programs_v2 for retrieving a list of programs
TL-46529 Added the ability to preview membership changes for dynamic Audiences
TL-46660 Multi-factor authentication is available for all account types
TL-46686 Added instructions and prompt for github copilot
TL-46704 dev_tools: Reformatted dev/tools/graphql_schema_diff output
TL-46792 Renamed competencies to skills across the product
TL-46861 Added extensions to content marketplace to allow further third party extension
TL-46932 Add idnumber filter to totara_job_job_assignments query
TL-46973 Added an option to the Report Table and Graph blocks to hide the 'View full report' link
TL-47139 Deprecated unused Audience language string
TL-47141 Minor improvements to approval workflows
TL-47188 Added a scheduled task to cleanup stale audience rule change previews
TL-47366 Language string can now accept stringable objects (like moodle_url()) in the {$a->param} fields
TL-47450 Fixed a language string on the approval modal
TL-47476 Added fullnamedisplay and alternativefullnameformat setting tracking to usage data export
TL-42589 Improved accessibility by adding aria-live attribute to announce results when filtering a report
TL-43973 Improved accessibility on the multiselect legacy adder
TL-45619 Added support for custom help icon titles and improved filter help icon titles
Bug fixes:
TL-33788 Fixed an error when trying to update the content of a learning plan containing hidden programs
TL-35338 Fixed generating duplicate ids on icon preview in multiselect customfield
TL-35636 Fixed issue when pressing the back button after creating an approval workflows application
TL-35659 Added the ability to purge user data for active applications in approval workflows
TL-35724 Enabled responsive sizing for embedded videos in Weka editor
TL-36096 Added aria-expanded to all Tui Dropdown triggers that were missing it
TL-36963 Fixed SMTP debug messages appearing when sending a test theme email
TL-37948 Fixed an error in the 'Self-registration requests' report that occurred when the Tenant Member column was included
TL-38044 Fixed an issue where tenant theme custom colours were not saving
TL-38355 Ensured that guests can view activities on a pathway course
TL-38420 Added the lti_deployment_id optional parameter to learning tools interoperability login call
TL-38525 Fixed a bug where internal URLs were being treated as external URLs when redirecting in the Microsoft Teams application
TL-38610 Fixed warnings thrown by the component loader when open_basedir was configured in PHP
TL-38698 Fixed users being unsubscribed when subscription mode changes from 'Forced subscription' to 'Auto subscription'
TL-38718 Fixed the issue which page scrolling to top when editing quick-access menu
TL-39006 Removed whitespace from the bootstrap breadcrumb separator
TL-39201 Improved help text while deleting a tenant category
TL-39266 Removed encoded entities from site log exports
TL-39309 Fixed text in help message for badges image uploads to only state the accepted format
TL-39310 Custom profile field checkboxes will no longer show values on the self-registration pending approval page before the user is approved.
TL-39366 Added support for "Show origin of language strings" feature to dynamically-generated areas of the site
TL-39522 Fixed error in HR Import External Database
TL-39575 Fixed catalog course progress bar returning duplicate data
TL-39597 Fixed generated passwords not being correctly escaped when uploading new users
TL-39638 Fixed the broken "Saved searches" modal on the self-registration plugin
TL-39730 Site policies now apply the policy language to the entire page when switching policy version
TL-39822 Added override for "Approval level" in notification preferences form, to allow it to be changed
TL-39836 Removed site policy consent requirement for external API and legacy web services requests
TL-39864 The course user activity report now correctly graphs records when they cross a DST boundary
TL-39906 Fixed some race conditions with localcache when the cache is purged on a busy site
TL-40084 Fixed permissions checks for the Goal Custom Fields report 'Goal Name' column when viewed by indirect managers
TL-40153 Fixed an edge case race condition in session initialisation with output buffering off
TL-40156 Fixed PHP deprecation warning in format_array_postdata_for_curlcall()
TL-40189 Fixed forced delivery channels not overriding recipient 'Disable all notifications' setting
TL-40261 Fixed an issue where cohort role category context was not updating after deleting a category
TL-40287 Fixed repeated navigation in book activity
TL-40320 Fixed error on My Goals page caused by duplicates created when 2 operations ran at same time
TL-40365 Fixed checks to not display 'Create goal' button when 'Create goal' permission is removed from a user
TL-40371 Fixed seminar custom fields not being saved when a job assignment is selected during signup
TL-40372 Fixed the missing "Add to admin menu" option on the manage reports page
TL-40450 Fixed an issue in the user upload tool that was blocking uploads for users with unique profile fields
TL-40682 Added multi-language support for the Oauth2 plugin
TL-40775 Removed extra role assignments when changing assigned roles in enrolment methods for courses
TL-40821 Prevented "call to action" indicator in reports when user cannot work on a certification
TL-40822 Fixed an issue where the seminar signups report was containing duplicate records for session attendance
TL-40827 Fixed learning plan not respecting the global Default role or Enrolment period settings for new instances
TL-40871 Fixed the language menu on the legacy login page to display only when the setting is enabled and multiple languages are available
TL-40917 Added required JavaScript to rb_source_cohort_associations so we can POST sesskey correctly
TL-40919 Fixed the 'Program ID number' filter for the certifications tab of record of learning
TL-40937 Improved user experience by automatically scrolling to sections in forms that need validation
TL-40953 Fixed tenant user managers being unable to view user emails
TL-40974 Excluded non-course activities from the 'Course Content' filter on the 'Find Courses' embedded report
TL-41033 Fixed error when showing custom profile fields that are both locked and required
TL-41065 Removed HTML tags from 'Element response' column of 'Performance activity response data' report when exporting as CSV or Excel
TL-41079 Fixed the IP address lookup feature
TL-41081 Improved formatting of the event:all_sessions variable in seminar notifications
TL-41089 Removed nested lists in User details to improve screen reader accessibility
TL-41180 Fixed a case where the active framework was reset after changing pages when editing/adding a dynamic audience hierarchy rule
TL-41199 Moved the "Delete" button from the top to the form for course reminders
TL-41222 Fixed an accessibility issue where tabbing would move focus incorrectly on an un-contained dropdown
TL-41243 Allow users to filter session attendance by 'not set' status in Seminar Sign-ups reports
TL-41274 Fixed issue allowing learners to request seminar approval outside the signup period when event role approval is required
TL-41289 Fixed error when using external logs with no record
TL-41329 Improved performance of the 'delete_completion_logs' task
TL-41331 Fixed bug in audience sync enrolment method due to deleting context in role
TL-41375 Fixed an error of SAML logout when the remote IdP did not sign logout responses
TL-41426 Fixed quick-access menu display caching when assigning/unassigning system roles
TL-41627 Fixed broken links to help docs
TL-41642 Fixed wrong parameter in program due dates report
TL-41712 Fixed page layout in some situations with the Pathway course format
TL-41743 Fixed an issue where the user was moved onto the waitlist on task block when the user is booked in seminar events
TL-41771 Resolved a dependency error when adding the block_totara_report_manager block to a dashboard's top region
TL-41785 Fixed performance activity notification messages for external participants on participant instance reopening
TL-41793 Fixed Totara goal snapshots not showing up for deleted goals on closed performance activity sections
TL-41949 Disallowed 'Reset course completion' when the course is part of a program or certification
TL-42016 Fixed a deprecation notice when a radio form field has no label
TL-42086 Fixed a division by zero error in the SCORM save_offline_attempts query for mobile API
TL-42160 Fixed a problem where some reports with null values were unable to be exported when using PHP 8.1 or greater
TL-42186 Fixed a coding error in manual grading of quizzes with a maximum grade of zero
TL-42435 Moving activities between course sections is now done in a database transaction to avoid broken sequences if something goes wrong
TL-42497 Updated the border colour of the active pagination button to match its background colour through the use of a variable
TL-42581 Removed tab index wrapping content in a YUI modal
TL-42583 Fixed integer and decimal custom fields being validated even when not specified when creating and updating positions and organisations via the external API
TL-42584 Improved screen reader text of icons when managing courses, programs and certifications
TL-42588 Updated notification roles from 'log' to 'status' for better screen reader accessibility
TL-42590 Improved accessibility when filtering seminar sessions
TL-42591 Fixed issue where editing a hierarchy item could incorrectly move it to a different framework
TL-42603 Fixed error when exporting report with tenant filter
TL-42614 Fixed files with non-standard characters when using nginx file acceleration
TL-42661 Fixed inconsistent button label format in catalog for playlist and article
TL-42686 Allowed decimal and integer custom fields to be optional
TL-42693 Fixed error if renaming file in Totara Forms File Manager
TL-42694 Fixed being able to add members to a workspace even if an exception was thrown
TL-42698 Fixed incorrect due date showing on assignment group summary page
TL-42709 Fixed error message while searching for users in comments with mixed context
TL-42736 Improved learning plan and cohort alert user interface issues
TL-42783 Fixed validation errors in Totara Forms File Manager
TL-42800 Fixed application dashboard table column values overlap
TL-42802 Removed double borders from competency scale action buttons
TL-42810 Updated the toggle switch to display the correct colour when in an active disabled state
TL-42828 Fixed incorrect ARIA attribute on competency assignment list rows
TL-42834 Fixed CSS styling for the title and help icon on the Edit proficiency value by assignment' page
TL-42848 Disabled H5P by default on new Totara installations and removed its installation notice.
TL-42874 Fixed incorrect aria-labelledby attribute on the Engage contribution modal
TL-42887 Fixed approval workflow application header action buttons height
TL-42898 Removed empty link 'more help' from help icon popover
TL-42934 Fixed the reset button on Seminars 'Upcoming Events' filter not being translatable
TL-42981 Fixed the formatting of seminar descriptions created using Weka when included in iCalendar attachments
TL-43008 Fixed a situation where duplicates could be shown when viewing another user's Library
TL-43045 Fixed error in pathway courses when an activity module is disabled
TL-43059 Fixed footnote display, including reviewed item count, for workspace library cards loaded using the Load more button.
TL-43244 Added exit activity button to SCORM activities
TL-43297 Prevented the autofill of username and password fields when creating a new user
TL-43313 Added missing variable in catalog filter results
TL-43357 Fixed string encoding for course activity completion report when export Excel-compatible option used
TL-43399 Fixed some incorrectly named graphql queries for mobile sub-plugins
TL-43438 Changed forms.scss to restore atto editor textarea elements within totara_form to their default value
TL-43453 Hid 'Create playlist' option when user has no permission to create playlists
TL-43455 Fixed incorrect warning about notifications when deleting Seminar Events
TL-43481 Fixed a Tui build error that occurred when using the --vendor parameter
TL-43508 Fixed catalog URL incorrectly parsed when using multiple filters/ordering
TL-43509 The test email results on the SMTP test page will now print escaped, showing the raw email content.
TL-43519 Fixed console error when user lacks view capability for current learning block
TL-43524 Added padding top and bottom to chromeless block content to improve readability
TL-43539 Fixed Behat test on the Theme Inspire 'Collapse navigation' button
TL-43569 Excluded instance results where the user does not have access from being shown on the performance activity 'Select participants' page
TL-43589 Fixed missing entries in thirdpartylibs.xml
TL-43604 Fixed manual participant selectors for performance activities not being removed on relationship change
TL-43613 MDL-83941: Fixed issue where users could browse unsearchable tag collections (CVE-2025-26527)
TL-43631 Updated default capabilities of API user archetype to include totara/hierarchy:vieworganisationframeworks and totara/hierarchy:viewpositionframeworks
TL-43695 Fixed miscellaneous core functionality for better PHP 8.4 support
TL-43716 Fixed email HTML header and footer customisations for the Inspire theme
TL-43721 Fixed issue with learning plan objective scales displaying two languages instead of one when multi-lang content is enabled
TL-43725 Increased field size for Objective and Priority names to improve multi-language
TL-43795 Fixed an upgrade error with block_html instances missing data for custom classes
TL-43796 Fixed debug warnings in catalog when a playlist has limited visibility and not shared with any individuals
TL-43798 Auto-login as Guest no longer requires the login page guest button to be visible
TL-43805 Fixed potential returning null by get_source function
TL-43825 Fixed rendering of special characters in catalogue block title
TL-43838 Fixed check for existing records in the record of learning
TL-43894 Fixed duplication of courses in your library by workspaces
TL-43932 Enabled multi-language support for drop-down options in approval workflows
TL-43963 Prevented updates to the timestart field when multiple API calls are made to the enrol_manual_enrol_user service
TL-43997 Fixed the encrypted key rollover job to skip non-encrypted configuration entries
TL-44001 Fixed incorrect class references in behat code
TL-44009 Fixed course images not appearing in the 'Recent files' section of image uploads
TL-44020 Fixed an accessibility failure where the dismiss button on a notification toast was accessible via the keyboard even though its parent element had aria-hidden
TL-44147 Fixed an error when collapsing the Inspire sidebar while the user is logged out
TL-44149 Fixed a bug with static file cache not saving on sites with the maturity set to dev
TL-44172 Fixed issue preventing survey deletion when the associated user is marked as deleted prior to purging
TL-44183 Fixed error message in explore catalog when all filters are removed
TL-44187 Fixed the User Tour Step edit form element to display correctly for the "Show if target is not found" value
TL-44188 Added title to the 'Create user' page
TL-44190 Fixed a PHP warning that can show when a cURL call is blocked by the IP address blacklist
TL-44289 Fixed an issue on some browsers where reloading the page would incorrectly show a form resubmission warning
TL-44295 Fixed Totara Goals not being locked down properly on non-Perform flavours
TL-44298 Disabled goals choice setting for flavours that do not include Perform features
TL-44339 Fixed an accessibility issue with colour contrast in the current learning block
TL-44374 Improved accessibility on grid catalogue details panel
TL-44376 Fixed an accessibility issue by removing menu bar roles on the legacy primary navigation
TL-44377 Fixed a bug when SAML metadata was signed
TL-44408 Fixed multi-select filter help text for customfields
TL-44409 Added correct aria-label to the Breadcumbs
TL-44413 Improved screen reader readout for the grid catalog filter options
TL-44423 Fixed errors when an activity module plugin is hidden
TL-44424 Fixed default catalogue sorting when multiple languages are enabled
TL-44425 Events displayed on course page setting removed from pathway format course
TL-44427 Fixed in-progress course reset for individual users
TL-44442 Fixed formatting issue with Weka editor in quiz questions
TL-44495 Fixed an issue with the positioning of the user tour on inspire theme navigation items
TL-44501 Fixed an error when cache attempts to read a file that is empty
TL-44532 Fixed a bug where the uniform FormField component would have an empty aria-describedby attribute
TL-44597 Updated JMeter script
TL-44653 Fixed a LTI (external tool) authentication issue with JWT
TL-44677 Fixed accessibility for the legacy select tree component
TL-44679 Added missing ARIA attributes on grid catalog details popover
TL-44685 Fixed accessibility focus return when 'Catalog share' popover is closed
TL-44689 Improved keyboard accessibility of the view toggle on grid catalogue
TL-44692 Changed HTML tags used \core_user\output\myprofile\renderer to improve accessibility
TL-44698 Fixed require passing grade completion criteria not being checked in external tool
TL-44712 Fixed filestore cache so when a file cannot be unserialised it will log a debug message instead of crashing the entire site
TL-44715 Fixed unexpected competency records being displayed in record of learning
TL-44716 Fixed a validation problem with IPv6 addresses with a recent PHP update
TL-44732 Increased the htmlpurifier maximum width an image can be embedded at from 1200px to 3000px
TL-44742 Fixed a bug where users who login via SAML were unable to launch LTI activities
TL-44748 Fixed lack of contrast on focus state for catalogue pagination and block add buttons
TL-44750 Added screen reader announcements for grid and explore catalogue result count changes
TL-44763 Fixed accessibility compliance for the notification preferences 'Expand All' button
TL-44782 Fixed database connection failures when Microsoft Teams JWT signatures verification fails with SQL Server and OpenSSL 3.0
TL-44786 News items in a course is set to the default value when converting to a course format that supports it
TL-44788 Added userdata classes for AI interactions
TL-44809 Fixed audience visibility settings check for content market place courses
TL-44823 Fixed bug where the log store was not using the provided options with SQL Server
TL-44835 Fixed bug where Auth DB was not using the provided config options with SQL Server
TL-44837 Fixed database enrolment unit test connection to Microsoft SQL Server
TL-44848 Allowed competency achievement paths to be copied by a user with Site Manager role
TL-44859 Changed the default profile image to improve colour accessibility
TL-44960 No changelog
TL-45006 Fixed excimer script type for external API
TL-45007 Fixed a problem when installing Totara without the openssl extension
TL-45015 Fixed assignment submission report to show assignments with no grade requirements
TL-45036 Courses set to the Single Activity format are now available in the Recently Viewed block
TL-45047 Fixed a user interface issue where the short name would not wrap correctly in admin settings
TL-45125 Updated mobile language strings to match current app requirements
TL-45132 Added accessibility aria popup attribute for cards in explore catalogue
TL-45141 Fixed PHP exception when launching AICC SCORM
TL-45172 Fixed error in Report Builder graphs with aggregated percentage values
TL-45177 Removed the extra space in the ID field of the masthead menu items
TL-45191 Updated the Popover component so that focus now returns to the popover trigger when the popover closes
TL-45192 Fixed missing context error for course_section resolver
TL-45204 Added an incrementation to query complexity for unresolved GraphQL types
TL-45216 Removed condition preventing guests from seeing the catalog block
TL-45257 Fixed an issue where the Inspire theme custom HTML header and footer content was not being saved properly
TL-45266 Fixed crash when Excimer and 'dbpersist' option are enabled together on PostgreSQL
TL-45273 Fixed tenant custom footer and email branding still appearing when tenant branding has been disabled
TL-45306 Fixed deprecation warning being generated in report builder display functions under PHP 8.3
TL-45348 Fixed the wording on the display order help description
TL-45394 Fixed issue where the downloadable icon was not displaying for all downloadable courses in the Find Learning section of the mobile app
TL-45542 Fixed notification debugging not being displayed in cron logs
TL-45550 User profile custom fields that contain a string '0' will no longer sort at the bottom of the category list
TL-45677 Updated mobile language strings to be in line with the app
TL-45702 Fixed the Excimer purge data failure caused by invalid dates
TL-45721 Fixed program endnote rendering on record of learning when text was created with the Weka editor
TL-45742 Fixed leftover search text after selecting an override approver in approval workflows
TL-45791 Fixed duplicate LTI grade error after purge
TL-45816 Removed the hard-coded expiry date from the job assignment unit test
TL-45819 Removed overdue status on record of learning when certification is unassigned
TL-45870 Fixed a crash with the front page login block when various authentication providers were used together
TL-45871 Fixed a problem where OAuth provider error messages were lost when Totara tried to fetch an access token
TL-45872 Fixed incorrect decimal rounding in report sums for custom decimal input field
TL-45897 Removed redundant skipped tests from HR import
TL-45898 Fixed previously skipped LTI unit tests and reinstated
TL-45921 Fixed exception when cloning an approval workflow with an approval-level-specific notification preference
TL-45992 Fixed multi-language filtering of organisation and position framework names in self-registration authentication
TL-46018 Fixed table wrapping to minimise horizontal scrolling on small screens
TL-46026 Fixed bug where some toast notifications would not show if the message contained multi-byte characters
TL-46063 Fixed a bug when trying to authenticate with an external tool
TL-46082 Fixed display function cache incompatibilities with background exports
TL-46089 Fixed invalid page state when rendering reports with SQL errors
TL-46128 Added help text to tenant member upload page to clarify functionality
TL-46188 Fixed Totara forms fieldset (section) with required fields was not expanded by default
TL-46356 Addressed issue to preserve existing link types when saving linked courses for competencies
TL-46457 Added field displayattemptstatus to API query mod_scorm_scorm
TL-46535 Updated mobile language strings for the latest app version
TL-46544 Updated LTI request params to return boolean values where expected instead of string 'true' or 'false'
TL-46596 Fixed a problem with the guest policies languages picker when multiple languages are used
TL-46634 Fixed display functions use new open spout wrapper
TL-46635 Fixed an edge case with report background export if a site had not generated a list of embedded reports yet
TL-46641 Fixed a memory leak that can appear in the messaging_cleanup_task
TL-46646 Fixed a oauth xAPI wrapper to match changes to underlying interface
TL-46684 Fixed a problem with the system role report filter where it would crash if no system roles were assigned to any user
TL-46706 Fixed incorrect escaping of group names when editing report builder report columns
TL-46752 Fixed "user_assignments" attribute accessibility on "track_assignment" model
TL-46804 Fixed the machine learning service docker image not building due to a lightfm and pip/wheel clash
TL-46865 Prevented session language changes using the 'lang' GET parameter in API or GraphQL requests
TL-46873 Closing a SCORM package in pathway now takes the user to the next activity in the course
TL-46883 Updated codebase to treat null values as empty strings during tabexport to excel, ensuring consistent handling of data.
TL-46949 Canonicalise the locale when passing it through the money format function in content marketplace
TL-46974 Fixed the site policy page crashing when there is a mismatch between policy and site language
TL-47054 Fixed an issue where email links were broken when pasted in Weka editor
TL-47056 Disabled confirming notifications when user enrolment status is pending
TL-47103 Fixed a issue when re enrolling to the course was throwing exception
TL-47142 Language packs for development branches now use the previous Totara version (with a warning) if the site is beta, alpha or dev.
TL-47144 Fixed a bug where the audience rules page was accessible for non-dynamic audiences
TL-47152 Pinning the composer PHP version for a release down
TL-47208 Fixed clone approval workflow for context assignment type
TL-47210 Fixed category browsing when a course is selected
TL-47212 External api settings now correctly checks allowed ip list before updating rather than overriding
TL-47233 Fixed admin form element for webhook enabling
TL-47236 Fixed graphql totara_program_program_courseset courses property
TL-47254 Prevented session data set after complete_user_login() call being lost
TL-47280 Fixed required markers for custom custom fields
TL-47292 Datetime custom fields now default to a valid year range when the bounds are empty
TL-47339 Added a test for draft_member type resolver
TL-47356 Addressed layout issue with job assignments block on user profile page
TL-47358 Added a check if ruleset id exist when querying for the ruleset operator
TL-47359 Competencies are now referred to as skills by system log events
TL-47377 Fixed a performance issue when previewing audience member changes
TL-47385 Removed warning on perform code coverage report for participation responses test
TL-47400 Fixed an invalid debugging message in a unit test
TL-47405 Fixed access to forum ratings (CVE-2025-67854)
TL-47414 Fixed a problem when exporting a report via a scheduled report, dynamic columns may or may not appear correctly
TL-47455 Reverted changes to CSV exports
TL-47484 Fixed an error when viewing certain events with PHP 8.1
TL-47503 Removed an unnecessary import in PreviewMembersSummary
TL-40292 Improved accessibility on assignment submission table
TL-41760 Added descriptive labels to 'Add' and 'Remove' buttons in permissions table
TL-417

Original source Report a problem

Releases

The following versions of Totara have now been released:

• Release 19.1.6
• Release 19.0.12
• Release 18.25
• Release 17.38
• Release 16.44
• Release 15.50
• Release 14.53
• Release 13.61
• Release 12.77
• Release 11.77

These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes various bug fixes and improvements.

Kind regards

Release Team

A big thanks to the following people for their contributions to this release:

• Petter Fogelqvist at Aleido - TL-47127

Release 19.1.6 (18th December 2025):

Security issues:

• TL-47412 Safer unserializing of file references (CVE-2025-67847)

Performance improvements:

• TL-47127 Improved performance for the catalogue progress bar subquery

Improvements:

• TL-45573 Screen readers now read the full weekday name when on a calendar page

Bug fixes:

• TL-39522 Fixed error in HR Import External Database
• TL-41199 Moved the "Delete" button from the top to the form for course reminders
• TL-45872 Fixed incorrect decimal rounding in report sums for custom decimal input field
• TL-46865 Prevented session language changes using the 'lang' GET parameter in API or GraphQL requests
• TL-46873 Closing a SCORM package in pathway now takes the user to the next activity in the course
• TL-46949 Canonicalise the locale when passing it through the money format function in content marketplace
• TL-46974 Fixed the site policy page crashing when there is a mismatch between policy and site language
• TL-47210 Fixed category browsing when a course is selected
• TL-47254 Prevented session data set after complete_user_login() call being lost
• TL-45740 Added focus-visible state to links within featured link blocks

Library updates:

• TL-47105 Updated php-css-parser to resolve a parsing issue affecting styling in RTL languages

Contributions:

• • Petter Fogelqvist at Aleido - TL-47127

Release 19.0.12 (18th December 2025):

Security issues:

• TL-47412 Safer unserializing of file references (CVE-2025-67847)

Performance improvements:

• TL-47127 Improved performance for the catalogue progress bar subquery

Improvements:

• TL-45573 Screen readers now read the full weekday name when on a calendar page

Bug fixes:

• TL-39522 Fixed error in HR Import External Database
• TL-41199 Moved the "Delete" button from the top to the form for course reminders
• TL-45872 Fixed incorrect decimal rounding in report sums for custom decimal input field
• TL-46865 Prevented session language changes using the 'lang' GET parameter in API or GraphQL requests
• TL-46873 Closing a SCORM package in pathway now takes the user to the next activity in the course
• TL-46949 Canonicalise the locale when passing it through the money format function in content marketplace
• TL-46974 Fixed the site policy page crashing when there is a mismatch between policy and site language
• TL-47254 Prevented session data set after complete_user_login() call being lost
• TL-45740 Added focus-visible state to links within featured link blocks

Library updates:

• TL-47105 Updated php-css-parser to resolve a parsing issue affecting styling in RTL languages

Contributions:

• • Petter Fogelqvist at Aleido - TL-47127

Release 18.25 (18th December 2025):

Security issues:

• TL-47412 Safer unserializing of file references (CVE-2025-67847)

Performance improvements:

• TL-47127 Improved performance for the catalogue progress bar subquery

Improvements:

• TL-45573 Screen readers now read the full weekday name when on a calendar page

Bug fixes:

• TL-39522 Fixed error in HR Import External Database
• TL-41199 Moved the "Delete" button from the top to the form for course reminders
• TL-46873 Closing a SCORM package in pathway now takes the user to the next activity in the course
• TL-46974 Fixed the site policy page crashing when there is a mismatch between policy and site language
• TL-47254 Prevented session data set after complete_user_login() call being lost

Contributions:

• • Petter Fogelqvist at Aleido - TL-47127

Release 17.38 (18th December 2025):

Security issues:

• TL-47412 Safer unserializing of file references (CVE-2025-67847)

Improvements:

• TL-45573 Screen readers now read the full weekday name when on a calendar page

Bug fixes:

• TL-46974 Fixed the site policy page crashing when there is a mismatch between policy and site language
• TL-47254 Prevented session data set after complete_user_login() call being lost

Release 16.44 (18th December 2025):

Security issues:

• TL-47412 Safer unserializing of file references (CVE-2025-67847)

Improvements:

• TL-45573 Screen readers now read the full weekday name when on a calendar page

Bug fixes:

• TL-47254 Prevented session data set after complete_user_login() call being lost

Release 15.50 (18th December 2025):

Security issues:

• TL-47412 Safer unserializing of file references (CVE-2025-67847)

Release 14.53 (18th December 2025):

Security issues:

• TL-47412 Safer unserializing of file references (CVE-2025-67847)

Release 13.61 (18th December 2025):

Security issues:

• TL-47412 Safer unserializing of file references (CVE-2025-67847)

Release 12.77 (18th December 2025):

Security issues:

• TL-47412 Safer unserializing of file references (CVE-2025-67847)

Release 11.77 (18th December 2025):

Security issues:

• TL-47412 Safer unserializing of file references (CVE-2025-67847)

Original source Report a problem

Totara achieves ISO/IEC 27001:2022 certification

London, December 16, 2025 — Totara, a global provider of learning management solutions trusted for compliance in highly regulated sectors, is proud to announce that it has achieved ISO/IEC 27001:2022 certification, the internationally recognized standard for information security management.

This certification marks a significant milestone for Totara and reinforces the company’s long-standing commitment to safeguarding customer data, delivering secure cloud services, and maintaining rigorous operational governance across its platforms.

ISO/IEC 27001:2022 is considered the global benchmark for information security, requiring certified organizations to demonstrate robust, end-to-end controls that protect information assets against evolving threats.

“Achieving ISO 27001 recognizes the world-class security practices embedded across Totara’s people, processes, and technology. Our customers and partners trust Totara to power mission-critical learning, talent, and employee experience solutions, and this certification reinforces that trust.”

Patrick Wade,
Totara Chief Information Security Officer

Certification to ISO 27001 validates Totara’s comprehensive approach to managing information security risks, which includes:

• A resilient hosting infrastructure designed to support organizations operating in highly regulated or security-sensitive industries
• Rigorous, continuously updated security policies
• Systematic risk assessment and risk treatment frameworks
• Strict access controls and identity management
• Secure development and change-management processes
• Proactive threat monitoring and incident response

The certification was conducted by an independent, accredited auditor and covers the full scope of Totara’s operations, including the design, development, delivery, and support of the Totara product suite and cloud services.

Achieving ISO 27001:2022 not only affirms Totara’s current security posture but also underscores its commitment to providing a resilient hosting ecosystem capable of supporting organizations in highly regulated and security-sensitive sectors. As part of the certification, Totara will continue to evolve its information security management system to ensure it exceeds global best practices.

About Totara

Totara is a global leader in learning management technologies, supporting over 1,500 customers and 21 million users worldwide. Its flagship product, Totara Learn, is a customisable LMS that’s trusted to deliver mission-critical learning for multinational corporations, government agencies, and mid-sized enterprises.

Totara serves the UK Government and Healthcare sectors and the US public sector, with TotaraGov offering a FedRAMP® Authorized LMS purpose-built for government training. Totara also operates through a global network of 75+ partners who provide implementation, customisation, and support across a variety of industries. With offices in the UK, US, and New Zealand, Totara’s 200+ team members continue to deliver reliable, mission-critical compliance and learning worldwide.

Original source Report a problem

Hello everyone,

The following versions of Totara have now been released:

• Release 19.1.5
• Release 19.0.11
• Release 18.24
• Release 17.37
• Release 16.43
• Release 15.49
• Release 14.52
• Release 13.60
• Release 12.76
• Release 11.76
• Release 10.78
• Release 9.83

These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes various bug fixes and improvements.

Kind regards
Release Team

Release 19.1.5 (25th November 2025)

Important:

• TL-46666 Changed the $CFG->messaging setting to only apply to the user-to-user messaging system

Security issues:

• TL-33651 Implemented validation to ensure passwords exceed bcrypt’s maximum supported length are rejected
• TL-46874 Fixed a problem with the self-registration approval authentication plugin
• TL-47098 Improved the handling of stored secrets and tokens in the database

Bug fixes:

• TL-40153 Fixed an edge case race condition in session initialisation with output buffering off
• TL-40937 Improved user experience by automatically scrolling to sections in forms that need validation
• TL-41743 Fixed an issue where the user was moved onto the waitlist on task block when the user is booked in seminar events
• TL-44848 Allowed competency achievement paths to be copied by a user with Site Manager role
• TL-45550 User profile custom fields that contain a string '0' will no longer sort at the bottom of the category list
• TL-45791 Fixed duplicate LTI grade error after purge
• TL-46188 Fixed Totara forms fieldset (section) with required fields was not expanded by default
• TL-46535 Updated mobile language strings for the latest app version
• TL-46544 Updated LTI request params to return boolean values where expected instead of string 'true' or 'false'
• TL-46684 Fixed a problem with the system role report filter where it would crash if no system roles were assigned to any user
• TL-46706 Fixed incorrect escaping of group names when editing report builder report columns
• TL-46804 Fixed the machine learning service docker image not building due to a lightfm and pip/wheel clash

Release 19.0.11 (25th November 2025)

Important:

• TL-46666 Changed the $CFG->messaging setting to only apply to the user-to-user messaging system

Security issues:

• TL-33651 Implemented validation to ensure passwords exceed bcrypt’s maximum supported length are rejected
• TL-46874 Fixed a problem with the self-registration approval authentication plugin
• TL-47098 Improved the handling of stored secrets and tokens in the database

Bug fixes:

• TL-40153 Fixed an edge case race condition in session initialisation with output buffering off
• TL-40937 Improved user experience by automatically scrolling to sections in forms that need validation
• TL-41743 Fixed an issue where the user was moved onto the waitlist on task block when the user is booked in seminar events
• TL-44848 Allowed competency achievement paths to be copied by a user with Site Manager role
• TL-45550 User profile custom fields that contain a string '0' will no longer sort at the bottom of the category list
• TL-45791 Fixed duplicate LTI grade error after purge
• TL-46188 Fixed Totara forms fieldset (section) with required fields was not expanded by default
• TL-46535 Updated mobile language strings for the latest app version
• TL-46544 Updated LTI request params to return boolean values where expected instead of string 'true' or 'false'
• TL-46684 Fixed a problem with the system role report filter where it would crash if no system roles were assigned to any user
• TL-46706 Fixed incorrect escaping of group names when editing report builder report columns
• TL-46804 Fixed the machine learning service docker image not building due to a lightfm and pip/wheel clash

Release 18.24 (25th November 2025)

Security issues:

• TL-33651 Implemented validation to ensure passwords exceed bcrypt’s maximum supported length are rejected
• TL-40452 Tightened the revision range that can be used when serving CSS or JavaScript to limit cache poisoning
• TL-46874 Fixed a problem with the self-registration approval authentication plugin
• TL-47098 Improved the handling of stored secrets and tokens in the database

Bug fixes:

• TL-40153 Fixed an edge case race condition in session initialisation with output buffering off
• TL-40937 Improved user experience by automatically scrolling to sections in forms that need validation
• TL-40942 Fixed course selection for system users when multi-tenancy and tenant isolation are enabled
• TL-41743 Fixed an issue where the user was moved onto the waitlist on task block when the user is booked in seminar events
• TL-45550 User profile custom fields that contain a string '0' will no longer sort at the bottom of the category list
• TL-45791 Fixed duplicate LTI grade error after purge
• TL-46535 Updated mobile language strings for the latest app version
• TL-46544 Updated LTI request params to return boolean values where expected instead of string 'true' or 'false'
• TL-46684 Fixed a problem with the system role report filter where it would crash if no system roles were assigned to any user

Release 17.37 (25th November 2025)

Security issues:

• TL-33651 Implemented validation to ensure passwords exceed bcrypt’s maximum supported length are rejected
• TL-40452 Tightened the revision range that can be used when serving CSS or JavaScript to limit cache poisoning
• TL-46874 Fixed a problem with the self-registration approval authentication plugin

Bug fixes:

• TL-40153 Fixed an edge case race condition in session initialisation with output buffering off
• TL-40937 Improved user experience by automatically scrolling to sections in forms that need validation
• TL-41743 Fixed an issue where the user was moved onto the waitlist on task block when the user is booked in seminar events
• TL-45550 User profile custom fields that contain a string '0' will no longer sort at the bottom of the category list
• TL-45791 Fixed duplicate LTI grade error after purge
• TL-46535 Updated mobile language strings for the latest app version
• TL-46544 Updated LTI request params to return boolean values where expected instead of string 'true' or 'false'
• TL-46684 Fixed a problem with the system role report filter where it would crash if no system roles were assigned to any user

Release 16.43 (25th November 2025)

Security issues:

• TL-33651 Implemented validation to ensure passwords exceed bcrypt’s maximum supported length are rejected
• TL-40452 Tightened the revision range that can be used when serving CSS or JavaScript to limit cache poisoning
• TL-46874 Fixed a problem with the self-registration approval authentication plugin

Bug fixes:

• TL-40153 Fixed an edge case race condition in session initialisation with output buffering off
• TL-45791 Fixed duplicate LTI grade error after purge
• TL-46535 Updated mobile language strings for the latest app version
• TL-46544 Updated LTI request params to return boolean values where expected instead of string 'true' or 'false'

Release 15.49 (25th November 2025)

Security issues:

• TL-40452 Tightened the revision range that can be used when serving CSS or JavaScript to limit cache poisoning
• TL-46874 Fixed a problem with the self-registration approval authentication plugin

Bug fixes:

• TL-46535 Updated mobile language strings for the latest app version
• TL-46544 Updated LTI request params to return boolean values where expected instead of string 'true' or 'false'

Release 14.52 (25th November 2025)

Security issues:

• TL-46874 Fixed a problem with the self-registration approval authentication plugin

Release 13.60 (25th November 2025)

Security issues:

• TL-46874 Fixed a problem with the self-registration approval authentication plugin

Release 12.76 (25th November 2025)

Security issues:

• TL-46874 Fixed a problem with the self-registration approval authentication plugin

Release 11.76 (25th November 2025)

Security issues:

• TL-46874 Fixed a problem with the self-registration approval authentication plugin

Release 10.78 (25th November 2025)

Security issues:

• TL-46874 Fixed a problem with the self-registration approval authentication plugin

Release 9.83 (25th November 2025)

Security issues:

• TL-46874 Fixed a problem with the self-registration approval authentication plugin

Original source Report a problem

Hello everyone,

The following versions of Totara have now been released:

• Release 19.1.4
• Release 19.0.10
• Release 18.23
• Release 17.36
• Release 16.42
• Release 15.48

These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes various bug fixes and improvements.

Kind regards
Release Team

Release 19.1.4 (03rd November 2025)

Important:

• TL-36438 The MongoDB cache store plugin has been deprecated
• TL-39437 Improved media plugin detection of links
• TL-42107 Prevented embedded reports from being displayed in "Report table" and "Report graph" blocks

Security issues:

• TL-39796 Fixed a missing CSRF token when updating all language packs (CVE-2024-25982)
• TL-41086 Fixed change password form being populated despite a validation error
• TL-46013 Hide the course log report from the non-editing trainer (CVE-2025-62436)
• TL-46355 Removed sesskey from URLs when viewing calendar

Improvements:

• TL-37415 Multi-factor authentication added to the users report source
• TL-46660 Multi-factor authentication is available for all account types

Bug fixes:

• TL-35338 Fixed generating duplicate ids on icon preview in multiselect customfield
• TL-38718 Fixed the issue which page scrolling to top when editing quick-access menu
• TL-39201 Improved help text while deleting a tenant category
• TL-39266 Removed encoded entities from site log exports
• TL-39366 Added support for "Show origin of language strings" feature to dynamically-generated areas of the site
• TL-39575 Fixed catalog course progress bar returning duplicate data
• TL-39597 Fixed generated passwords not being correctly escaped when uploading new users
• TL-39638 Fixed the broken "Saved searches" modal on the self-registration plugin
• TL-39730 Site policies now apply the policy language to the entire page when switching policy version
• TL-39822 Added override for "Approval level" in notification preferences form, to allow it to be changed
• TL-40287 Fixed repeated navigation in book activity
• TL-40372 Fixed the missing "Add to admin menu" option on the manage reports page
• TL-41079 Fixed the IP address lookup feature
• TL-41180 Fixed a case where the active framework was reset after changing pages when editing/adding a dynamic audience hierarchy rule
• TL-41274 Fixed issue allowing learners to request seminar approval outside the signup period when event role approval is required
• TL-41375 Fixed an error of SAML logout when the remote IdP did not sign logout responses
• TL-41426 Fixed quick-access menu display caching when assigning/unassigning system roles
• TL-41991 Fixed seminar booking confirmations not being sent when user signs up for in progress event
• TL-42186 Fixed a coding error in manual grading of quizzes with a maximum grade of zero
• TL-42614 Fixed files with non-standard characters when using nginx file acceleration
• TL-43045 Fixed error in pathway courses when an activity module is disabled
• TL-43455 Fixed incorrect warning about notifications when deleting Seminar Events
• TL-43721 Fixed issue with learning plan objective scales displaying two languages instead of one when multi-lang content is enabled
• TL-43725 Increased field size for Objective and Priority names to improve multi-language
• TL-44172 Fixed issue preventing survey deletion when the associated user is marked as deleted prior to purging
• TL-44408 Fixed multi-select filter help text for customfields
• TL-44425 Events displayed on course page setting removed from pathway format course
• TL-45015 Fixed assignment submission report to show assignments with no grade requirements
• TL-45721 Fixed program endnote rendering on record of learning when text was created with the Weka editor
• TL-45742 Fixed leftover search text after selecting an override approver in approval workflows
• TL-45921 Fixed exception when cloning an approval workflow with an approval-level-specific notification preference
• TL-45992 Fixed multi-language filtering of organisation and position framework names in self-registration authentication
• TL-46128 Added help text to tenant member upload page to clarify functionality
• TL-46457 Added field displayattemptstatus to API query mod_scorm_scorm
• TL-46596 Fixed a problem with the guest policies languages picker when multiple languages are used
• TL-46651 Fixed the supported PostgreSQL database versions listed in the readme file
• TL-45682 Fixed missing label for EditImageAltTextModal input field by adding aria-label attribute
• Library updates:
• TL-46723 Upgraded scssphp to version 1.12.2.1

Release 19.0.10 (03rd November 2025)

Important:

• TL-36438 The MongoDB cache store plugin has been deprecated
• TL-39437 Improved media plugin detection of links
• TL-42107 Prevented embedded reports from being displayed in "Report table" and "Report graph" blocks

Security issues:

• TL-39796 Fixed a missing CSRF token when updating all language packs (CVE-2024-25982)
• TL-41086 Fixed change password form being populated despite a validation error
• TL-46013 Hide the course log report from the non-editing trainer (CVE-2025-62436)
• TL-46355 Removed sesskey from URLs when viewing calendar

Improvements:

• TL-37415 Multi-factor authentication added to the users report source
• TL-46660 Multi-factor authentication is available for all account types

Bug fixes:

• TL-35338 Fixed generating duplicate ids on icon preview in multiselect customfield
• TL-38718 Fixed the issue which page scrolling to top when editing quick-access menu
• TL-39201 Improved help text while deleting a tenant category
• TL-39266 Removed encoded entities from site log exports
• TL-39366 Added support for "Show origin of language strings" feature to dynamically-generated areas of the site
• TL-39575 Fixed catalog course progress bar returning duplicate data
• TL-39597 Fixed generated passwords not being correctly escaped when uploading new users
• TL-39638 Fixed the broken "Saved searches" modal on the self-registration plugin
• TL-39730 Site policies now apply the policy language to the entire page when switching policy version
• TL-39822 Added override for "Approval level" in notification preferences form, to allow it to be changed
• TL-40287 Fixed repeated navigation in book activity
• TL-40372 Fixed the missing "Add to admin menu" option on the manage reports page
• TL-41079 Fixed the IP address lookup feature
• TL-41180 Fixed a case where the active framework was reset after changing pages when editing/adding a dynamic audience hierarchy rule
• TL-41274 Fixed issue allowing learners to request seminar approval outside the signup period when event role approval is required
• TL-41375 Fixed an error of SAML logout when the remote IdP did not sign logout responses
• TL-41426 Fixed quick-access menu display caching when assigning/unassigning system roles
• TL-41991 Fixed seminar booking confirmations not being sent when user signs up for in progress event
• TL-42186 Fixed a coding error in manual grading of quizzes with a maximum grade of zero
• TL-42614 Fixed files with non-standard characters when using nginx file acceleration
• TL-43045 Fixed error in pathway courses when an activity module is disabled
• TL-43455 Fixed incorrect warning about notifications when deleting Seminar Events
• TL-43721 Fixed issue with learning plan objective scales displaying two languages instead of one when multi-lang content is enabled
• TL-43725 Increased field size for Objective and Priority names to improve multi-language
• TL-44172 Fixed issue preventing survey deletion when the associated user is marked as deleted prior to purging
• TL-44408 Fixed multi-select filter help text for customfields
• TL-45015 Fixed assignment submission report to show assignments with no grade requirements
• TL-45721 Fixed program endnote rendering on record of learning when text was created with the Weka editor
• TL-45921 Fixed exception when cloning an approval workflow with an approval-level-specific notification preference
• TL-45992 Fixed multi-language filtering of organisation and position framework names in self-registration authentication
• TL-46128 Added help text to tenant member upload page to clarify functionality
• TL-46596 Fixed a problem with the guest policies languages picker when multiple languages are used
• TL-46651 Fixed the supported PostgreSQL database versions listed in the readme file
• TL-45682 Fixed missing label for EditImageAltTextModal input field by adding aria-label attribute

Release 18.23 (03rd November 2025)

Important:

• TL-36438 The MongoDB cache store plugin has been deprecated
• TL-39437 Improved media plugin detection of links
• TL-42107 Prevented embedded reports from being displayed in "Report table" and "Report graph" blocks

Security issues:

• TL-39796 Fixed a missing CSRF token when updating all language packs (CVE-2024-25982)
• TL-41086 Fixed change password form being populated despite a validation error
• TL-46013 Hide the course log report from the non-editing trainer (CVE-2025-62436)
• TL-46355 Removed sesskey from URLs when viewing calendar

Improvements:

• TL-37415 Multi-factor authentication added to the users report source
• TL-46660 Multi-factor authentication is available for all account types

Bug fixes:

• TL-35338 Fixed generating duplicate ids on icon preview in multiselect customfield
• TL-38718 Fixed the issue which page scrolling to top when editing quick-access menu
• TL-39201 Improved help text while deleting a tenant category
• TL-39266 Removed encoded entities from site log exports
• TL-39366 Added support for "Show origin of language strings" feature to dynamically-generated areas of the site
• TL-39575 Fixed catalog course progress bar returning duplicate data
• TL-39597 Fixed generated passwords not being correctly escaped when uploading new users
• TL-39638 Fixed the broken "Saved searches" modal on the self-registration plugin
• TL-39730 Site policies now apply the policy language to the entire page when switching policy version
• TL-39822 Added override for "Approval level" in notification preferences form, to allow it to be changed
• TL-40287 Fixed repeated navigation in book activity
• TL-40372 Fixed the missing "Add to admin menu" option on the manage reports page
• TL-40942 Fixed course selection for system users when multi-tenancy and tenant isolation are enabled
• TL-41079 Fixed the IP address lookup feature
• TL-41180 Fixed a case where the active framework was reset after changing pages when editing/adding a dynamic audience hierarchy rule
• TL-41274 Fixed issue allowing learners to request seminar approval outside the signup period when event role approval is required
• TL-41375 Fixed an error of SAML logout when the remote IdP did not sign logout responses
• TL-41426 Fixed quick-access menu display caching when assigning/unassigning system roles
• TL-41991 Fixed seminar booking confirmations not being sent when user signs up for in progress event
• TL-42186 Fixed a coding error in manual grading of quizzes with a maximum grade of zero
• TL-42614 Fixed files with non-standard characters when using nginx file acceleration
• TL-43045 Fixed error in pathway courses when an activity module is disabled
• TL-43455 Fixed incorrect warning about notifications when deleting Seminar Events
• TL-43721 Fixed issue with learning plan objective scales displaying two languages instead of one when multi-lang content is enabled
• TL-43725 Increased field size for Objective and Priority names to improve multi-language
• TL-44172 Fixed issue preventing survey deletion when the associated user is marked as deleted prior to purging
• TL-44408 Fixed multi-select filter help text for customfields
• TL-45015 Fixed assignment submission report to show assignments with no grade requirements
• TL-45721 Fixed program endnote rendering on record of learning when text was created with the Weka editor
• TL-46596 Fixed a problem with the guest policies languages picker when multiple languages are used
• TL-45682 Fixed missing label for EditImageAltTextModal input field by adding aria-label attribute

Release 17.36 (03rd November 2025)

Important:

• TL-36438 The MongoDB cache store plugin has been deprecated
• TL-39437 Improved media plugin detection of links

Security issues:

• TL-39796 Fixed a missing CSRF token when updating all language packs (CVE-2024-25982)
• TL-41086 Fixed change password form being populated despite a validation error
• TL-46013 Hide the course log report from the non-editing trainer (CVE-2025-62436)

Bug fixes:

• TL-35338 Fixed generating duplicate ids on icon preview in multiselect customfield
• TL-38718 Fixed the issue which page scrolling to top when editing quick-access menu
• TL-39201 Improved help text while deleting a tenant category
• TL-39266 Removed encoded entities from site log exports
• TL-39597 Fixed generated passwords not being correctly escaped when uploading new users
• TL-39638 Fixed the broken "Saved searches" modal on the self-registration plugin
• TL-39730 Site policies now apply the policy language to the entire page when switching policy version
• TL-39822 Added override for "Approval level" in notification preferences form, to allow it to be changed
• TL-40287 Fixed repeated navigation in book activity
• TL-41079 Fixed the IP address lookup feature
• TL-41180 Fixed a case where the active framework was reset after changing pages when editing/adding a dynamic audience hierarchy rule
• TL-41991 Fixed seminar booking confirmations not being sent when user signs up for in progress event
• TL-42614 Fixed files with non-standard characters when using nginx file acceleration
• TL-43455 Fixed incorrect warning about notifications when deleting Seminar Events
• TL-43721 Fixed issue with learning plan objective scales displaying two languages instead of one when multi-lang content is enabled
• TL-43725 Increased field size for Objective and Priority names to improve multi-language
• TL-46596 Fixed a problem with the guest policies languages picker when multiple languages are used
• TL-45682 Fixed missing label for EditImageAltTextModal input field by adding aria-label attribute

Release 16.42 (03rd November 2025)

Important:

• TL-36438 The MongoDB cache store plugin has been deprecated

Security issues:

• TL-39796 Fixed a missing CSRF token when updating all language packs (CVE-2024-25982)
• TL-41086 Fixed change password form being populated despite a validation error
• TL-46013 Hide the course log report from the non-editing trainer (CVE-2025-62436)

Bug fixes:

• TL-35338 Fixed generating duplicate ids on icon preview in multiselect customfield
• TL-39730 Site policies now apply the policy language to the entire page when switching policy version
• TL-41180 Fixed a case where the active framework was reset after changing pages when editing/adding a dynamic audience hierarchy rule
• TL-43455 Fixed incorrect warning about notifications when deleting Seminar Events
• TL-46596 Fixed a problem with the guest policies languages picker when multiple languages are used
• TL-45682 Fixed missing label for EditImageAltTextModal input field by adding aria-label attribute and 'Alt text' language string

Release 15.48 (03rd November 2025)

Important:

• TL-36438 The MongoDB cache store plugin has been deprecated

Security issues:

• TL-39796 Fixed a missing CSRF token when updating all language packs (CVE-2024-25982)
• TL-41086 Fixed change password form being populated despite a validation error
• TL-46013 Hide the course log report from the non-editing trainer (CVE-2025-62436)

Bug fixes:

• TL-35338 Fixed generating duplicate ids on icon preview in multiselect customfield
• TL-41180 Fixed a case where the active framework was reset after changing pages when editing/adding a dynamic audience hierarchy rule
• TL-43455 Fixed incorrect warning about notifications when deleting Seminar Events
• TL-45682 Fixed missing label for EditImageAltTextModal input field by adding aria-label attribute and 'Alt text' language string

Original source Report a problem

Hello everyone,

The following versions of Totara have now been released:

• Release 19.1.3
• Release 19.0.9
• Release 18.22
• Release 17.35
• Release 16.41
• Release 15.47

These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes various bug fixes and improvements.

Please contact Totara or your partner company if you require more detail on any issue.

Kind regards
Release Team

Release 19.1.3 (22nd September 2025):

Security issues:

• TL-43155 Improved security when storing credentials for external badge backpack connections
• TL-46012 Fixed feedback activity results not always respecting the Separate Groups mode (MSA-25-0039)

Improvements:

• TL-44415 Improved messaging when catalog filter selection changes update the results

Bug fixes:

• TL-38610 Fixed warnings thrown by the component loader when open_basedir was configured in PHP
• TL-40919 Fixed the 'Program ID number' filter for the certifications tab of record of learning
• TL-42583 Fixed integer and decimal custom fields being validated even when not specified when creating and updating positions and organisations via the external API
• TL-44442 Fixed formatting issue with Weka editor in quiz questions
• TL-44715 Fixed unexpected competency records being displayed in record of learning
• TL-45819 Removed overdue status on record of learning when certification is unassigned
• TL-45870 Fixed a crash with the front page login block when various authentication providers were used together
• TL-46026 Fixed bug where some toast notifications would not show if the message contained multi-byte characters
• TL-46063 Fixed a bug when trying to authenticate with an external tool
• TL-46089 Fixed invalid page state when rendering reports with SQL errors
• TL-45431 Fixed an issue that was causing unwanted horizontal scrolling on pages with tables

Technical changes:

• TL-46189 Fixed PHPUnit checks after upgrading to PHPUnit 10

Release 19.0.9 (22nd September 2025):

Security issues:

• TL-43155 Improved security when storing credentials for external badge backpack connections
• TL-46012 Fixed feedback activity results not always respecting the Separate Groups mode (MSA-25-0039)

Improvements:

• TL-44415 Improved messaging when catalog filter selection changes update the results

Bug fixes:

• TL-38610 Fixed warnings thrown by the component loader when open_basedir was configured in PHP
• TL-40919 Fixed the 'Program ID number' filter for the certifications tab of record of learning
• TL-42583 Fixed integer and decimal custom fields being validated even when not specified when creating and updating positions and organisations via the external API
• TL-44442 Fixed formatting issue with Weka editor in quiz questions
• TL-44715 Fixed unexpected competency records being displayed in record of learning
• TL-45819 Removed overdue status on record of learning when certification is unassigned
• TL-45870 Fixed a crash with the front page login block when various authentication providers were used together
• TL-45994 Fixed manage certification header to use the correct lang string
• TL-46026 Fixed bug where some toast notifications would not show if the message contained multi-byte characters
• TL-46063 Fixed a bug when trying to authenticate with an external tool
• TL-46089 Fixed invalid page state when rendering reports with SQL errors
• TL-45431 Fixed an issue that was causing unwanted horizontal scrolling on pages with tables

Technical changes:

• TL-46189 Fixed PHPUnit checks after upgrading to PHPUnit 10

Release 18.22 (22nd September 2025):

Security issues:

• TL-43155 Improved security when storing credentials for external badge backpack connections
• TL-46012 Fixed feedback activity results not always respecting the Separate Groups mode (MSA-25-0039)

Improvements:

• TL-44415 Improved messaging when catalog filter selection changes update the results

Bug fixes:

• TL-38610 Fixed warnings thrown by the component loader when open_basedir was configured in PHP
• TL-40919 Fixed the 'Program ID number' filter for the certifications tab of record of learning
• TL-44442 Fixed formatting issue with Weka editor in quiz questions
• TL-44715 Fixed unexpected competency records being displayed in record of learning
• TL-45819 Removed overdue status on record of learning when certification is unassigned
• TL-46063 Fixed a bug when trying to authenticate with an external tool
• TL-46089 Fixed invalid page state when rendering reports with SQL errors

Release 17.35 (22nd September 2025):

Security issues:

• TL-46012 Fixed feedback activity results not always respecting the Separate Groups mode (MSA-25-0039)

Bug fixes:

• TL-38610 Fixed warnings thrown by the component loader when open_basedir was configured in PHP
• TL-43927 Fixed an error message that appeared when switching language immediately after using the Log in as feature
• TL-44715 Fixed unexpected competency records being displayed in record of learning
• TL-46063 Fixed a bug when trying to authenticate with an external tool

Release 16.41 (22nd September 2025):

Security issues:

• TL-46012 Fixed feedback activity results not always respecting the Separate Groups mode (MSA-25-0039)

Bug fixes:

• TL-38610 Fixed warnings thrown by the component loader when open_basedir was configured in PHP
• TL-43927 Fixed an error message that appeared when switching language immediately after using the Log in as feature
• TL-44715 Fixed unexpected competency records being displayed in record of learning

Release 15.47 (22nd September 2025):

Security issues:

• TL-46012 Fixed feedback activity results not always respecting the Separate Groups mode (MSA-25-0039)

Original source Report a problem

TL-42916 Enforced POST for authentication parameters when using REST webservice protocol

The change log for TL-42916 has been amended to include the configuration flag that can be used to revert the new behaviour until Totara 20.

We apologise for the omission.

The new change log reads:

TL-42916 Enforced POST for authentication parameters when using REST webservice protocol

Additionally, a new security check has been introduced to alert site
administrators when XML-RPC or SOAP web service protocols are enabled, as these
are considered insecure. If legacy web services are still required, the REST
protocol is the recommended option. However, please note that web services are
no longer actively maintained and will eventually be deprecated and removed. For
new integrations, it is strongly recommended to use the external API.

If a site needs the previous behaviour, set

$CFG->revert_TL_42916_until_t20 = 1;

in config.php to temporarily revert this fix.

Original source Report a problem