- Dec 17, 2025
- Parsed from source: Dec 17, 2025
- Detected by Releasebot: Dec 18, 2025
Totara Suite 19.1.6, 19.0.12, 18.25, 17.38, 16.44, 15.50, 14.53, 13.61, 12.77 and 11.77 are now available
Totara releases a slate of versions with security fixes and general improvements. Highlights include safer unserializing, performance gains, and accessibility and UI refinements across major updates 19.1.6 and 19.0.12 plus earlier releases. Upgrade strongly recommended.
Releases
The following versions of Totara have now been released:
- Release 19.1.6
- Release 19.0.12
- Release 18.25
- Release 17.38
- Release 16.44
- Release 15.50
- Release 14.53
- Release 13.61
- Release 12.77
- Release 11.77
These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes various bug fixes and improvements.
Kind regards
Release Team
A big thanks to the following people for their contributions to this release:
- Petter Fogelqvist at Aleido - TL-47127
Release 19.1.6 (18th December 2025):
Security issues:
- TL-47412 Safer unserializing of file references (CVE-2025-67847)
Performance improvements:
- TL-47127 Improved performance for the catalogue progress bar subquery
Improvements:
- TL-45573 Screen readers now read the full weekday name when on a calendar page
Bug fixes:
- TL-39522 Fixed error in HR Import External Database
- TL-41199 Moved the "Delete" button from the top to the form for course reminders
- TL-45872 Fixed incorrect decimal rounding in report sums for custom decimal input field
- TL-46865 Prevented session language changes using the 'lang' GET parameter in API or GraphQL requests
- TL-46873 Closing a SCORM package in pathway now takes the user to the next activity in the course
- TL-46949 Canonicalise the locale when passing it through the money format function in content marketplace
- TL-46974 Fixed the site policy page crashing when there is a mismatch between policy and site language
- TL-47210 Fixed category browsing when a course is selected
- TL-47254 Prevented session data set after complete_user_login() call being lost
- TL-45740 Added focus-visible state to links within featured link blocks
Library updates:
- TL-47105 Updated php-css-parser to resolve a parsing issue affecting styling in RTL languages
Contributions:
- Petter Fogelqvist at Aleido - TL-47127
Release 19.0.12 (18th December 2025):
Security issues:
- TL-47412 Safer unserializing of file references (CVE-2025-67847)
Performance improvements:
- TL-47127 Improved performance for the catalogue progress bar subquery
Improvements:
- TL-45573 Screen readers now read the full weekday name when on a calendar page
Bug fixes:
- TL-39522 Fixed error in HR Import External Database
- TL-41199 Moved the "Delete" button from the top to the form for course reminders
- TL-45872 Fixed incorrect decimal rounding in report sums for custom decimal input field
- TL-46865 Prevented session language changes using the 'lang' GET parameter in API or GraphQL requests
- TL-46873 Closing a SCORM package in pathway now takes the user to the next activity in the course
- TL-46949 Canonicalise the locale when passing it through the money format function in content marketplace
- TL-46974 Fixed the site policy page crashing when there is a mismatch between policy and site language
- TL-47254 Prevented session data set after complete_user_login() call being lost
- TL-45740 Added focus-visible state to links within featured link blocks
Library updates:
- TL-47105 Updated php-css-parser to resolve a parsing issue affecting styling in RTL languages
Contributions:
- Petter Fogelqvist at Aleido - TL-47127
Release 18.25 (18th December 2025):
Security issues:
- TL-47412 Safer unserializing of file references (CVE-2025-67847)
Performance improvements:
- TL-47127 Improved performance for the catalogue progress bar subquery
Improvements:
- TL-45573 Screen readers now read the full weekday name when on a calendar page
Bug fixes:
- TL-39522 Fixed error in HR Import External Database
- TL-41199 Moved the "Delete" button from the top to the form for course reminders
- TL-46873 Closing a SCORM package in pathway now takes the user to the next activity in the course
- TL-46974 Fixed the site policy page crashing when there is a mismatch between policy and site language
- TL-47254 Prevented session data set after complete_user_login() call being lost
Contributions:
- Petter Fogelqvist at Aleido - TL-47127
Release 17.38 (18th December 2025):
Security issues:
- TL-47412 Safer unserializing of file references (CVE-2025-67847)
Improvements:
- TL-45573 Screen readers now read the full weekday name when on a calendar page
Bug fixes:
- TL-46974 Fixed the site policy page crashing when there is a mismatch between policy and site language
- TL-47254 Prevented session data set after complete_user_login() call being lost
Release 16.44 (18th December 2025):
Security issues:
- TL-47412 Safer unserializing of file references (CVE-2025-67847)
Improvements:
- TL-45573 Screen readers now read the full weekday name when on a calendar page
Bug fixes:
- TL-47254 Prevented session data set after complete_user_login() call being lost
Release 15.50 (18th December 2025):
Security issues:
- TL-47412 Safer unserializing of file references (CVE-2025-67847)
Release 14.53 (18th December 2025):
Security issues:
- TL-47412 Safer unserializing of file references (CVE-2025-67847)
Release 13.61 (18th December 2025):
Security issues:
- TL-47412 Safer unserializing of file references (CVE-2025-67847)
Release 12.77 (18th December 2025):
Security issues:
- TL-47412 Safer unserializing of file references (CVE-2025-67847)
Release 11.77 (18th December 2025):
Security issues:
- TL-47412 Safer unserializing of file references (CVE-2025-67847)
- Dec 16, 2025
- Parsed from source: Dec 16, 2025
- Detected by Releasebot: Dec 17, 2025
Totara achieves ISO/IEC 27001:2022 Certification, strengthening its commitment to world-class information security
Totara earns ISO/IEC 27001:2022 certification, spotlighting enterprise‑grade security for its LMS and cloud services. The milestone showcases robust controls, proactive threat monitoring, and secure development, reinforcing trust for regulated industries.
Totara achieves ISO/IEC 27001:2022 certification
London, December 16, 2025 — Totara, a global provider of learning management solutions trusted for compliance in highly regulated sectors, is proud to announce that it has achieved ISO/IEC 27001:2022 certification, the internationally recognized standard for information security management.
This certification marks a significant milestone for Totara and reinforces the company’s long-standing commitment to safeguarding customer data, delivering secure cloud services, and maintaining rigorous operational governance across its platforms.
ISO/IEC 27001:2022 is considered the global benchmark for information security, requiring certified organizations to demonstrate robust, end-to-end controls that protect information assets against evolving threats.
“Achieving ISO 27001 recognizes the world-class security practices embedded across Totara’s people, processes, and technology. Our customers and partners trust Totara to power mission-critical learning, talent, and employee experience solutions, and this certification reinforces that trust.”
Patrick Wade,
Totara Chief Information Security Officer
Certification to ISO 27001 validates Totara’s comprehensive approach to managing information security risks, which includes:
- A resilient hosting infrastructure designed to support organizations operating in highly regulated or security-sensitive industries
- Rigorous, continuously updated security policies
- Systematic risk assessment and risk treatment frameworks
- Strict access controls and identity management
- Secure development and change-management processes
- Proactive threat monitoring and incident response
The certification was conducted by an independent, accredited auditor and covers the full scope of Totara’s operations, including the design, development, delivery, and support of the Totara product suite and cloud services.
Achieving ISO 27001:2022 not only affirms Totara’s current security posture but also underscores its commitment to providing a resilient hosting ecosystem capable of supporting organizations in highly regulated and security-sensitive sectors. As part of the certification, Totara will continue to evolve its information security management system to ensure it exceeds global best practices.
About Totara
Totara is a global leader in learning management technologies, supporting over 1,500 customers and 21 million users worldwide. Its flagship product, Totara Learn, is a customisable LMS that’s trusted to deliver mission-critical learning for multinational corporations, government agencies, and mid-sized enterprises.
Totara serves the UK Government and Healthcare sectors and the US public sector, with TotaraGov offering a FedRAMP® Authorized LMS purpose-built for government training. Totara also operates through a global network of 75+ partners who provide implementation, customisation, and support across a variety of industries. With offices in the UK, US, and New Zealand, Totara’s 200+ team members continue to deliver reliable, mission-critical compliance and learning worldwide.
- Nov 24, 2025
- Parsed from source: Nov 24, 2025
- Detected by Releasebot: Nov 25, 2025
Totara TXP 19.1.5, 19.0.11, 18.24, 17.37, 16.43, 15.49, 14.52, 13.60, 12.76, 11.76, 10.78 and 9.83 are now available
Totara rolls out a family of updates with crucial security fixes and bug improvements. The releases sharpen messaging controls, password validation, form validation UX, and more, with a strong upgrade recommendation.
Hello everyone,
The following versions of Totara have now been released:
- Release 19.1.5
- Release 19.0.11
- Release 18.24
- Release 17.37
- Release 16.43
- Release 15.49
- Release 14.52
- Release 13.60
- Release 12.76
- Release 11.76
- Release 10.78
- Release 9.83
These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes various bug fixes and improvements.
Kind regards
Release Team
Release 19.1.5 (25th November 2025)
Important:
- TL-46666 Changed the $CFG->messaging setting to only apply to the user-to-user messaging system
Security issues:
- TL-33651 Implemented validation to ensure passwords that exceed bcrypt’s maximum supported length are rejected
- TL-46874 Fixed a problem with the self-registration approval authentication plugin
- TL-47098 Improved the handling of stored secrets and tokens in the database
Bug fixes:
- TL-40153 Fixed an edge case race condition in session initialisation with output buffering off
- TL-40937 Improved user experience by automatically scrolling to sections in forms that need validation
- TL-41743 Fixed an issue where the user was moved onto the waitlist on task block when the user is booked in seminar events
- TL-44848 Allowed competency achievement paths to be copied by a user with Site Manager role
- TL-45550 User profile custom fields that contain a string '0' will no longer sort at the bottom of the category list
- TL-45791 Fixed duplicate LTI grade error after purge
- TL-46188 Fixed Totara forms fieldset (section) with required fields not being expanded by default
- TL-46535 Updated mobile language strings for the latest app version
- TL-46544 Updated LTI request params to return boolean values where expected instead of string 'true' or 'false'
- TL-46684 Fixed a problem with the system role report filter where it would crash if no system roles were assigned to any user
- TL-46706 Fixed incorrect escaping of group names when editing report builder report columns
- TL-46804 Fixed the machine learning service docker image not building due to a lightfm and pip/wheel clash
Release 19.0.11 (25th November 2025)
Important:
- TL-46666 Changed the $CFG->messaging setting to only apply to the user-to-user messaging system
Security issues:
- TL-33651 Implemented validation to ensure passwords that exceed bcrypt’s maximum supported length are rejected
- TL-46874 Fixed a problem with the self-registration approval authentication plugin
- TL-47098 Improved the handling of stored secrets and tokens in the database
Bug fixes:
- TL-40153 Fixed an edge case race condition in session initialisation with output buffering off
- TL-40937 Improved user experience by automatically scrolling to sections in forms that need validation
- TL-41743 Fixed an issue where the user was moved onto the waitlist on task block when the user is booked in seminar events
- TL-44848 Allowed competency achievement paths to be copied by a user with Site Manager role
- TL-45550 User profile custom fields that contain a string '0' will no longer sort at the bottom of the category list
- TL-45791 Fixed duplicate LTI grade error after purge
- TL-46188 Fixed Totara forms fieldset (section) with required fields not being expanded by default
- TL-46535 Updated mobile language strings for the latest app version
- TL-46544 Updated LTI request params to return boolean values where expected instead of string 'true' or 'false'
- TL-46684 Fixed a problem with the system role report filter where it would crash if no system roles were assigned to any user
- TL-46706 Fixed incorrect escaping of group names when editing report builder report columns
- TL-46804 Fixed the machine learning service docker image not building due to a lightfm and pip/wheel clash
Release 18.24 (25th November 2025)
Security issues:
- TL-33651 Implemented validation to ensure passwords that exceed bcrypt’s maximum supported length are rejected
- TL-40452 Tightened the revision range that can be used when serving CSS or JavaScript to limit cache poisoning
- TL-46874 Fixed a problem with the self-registration approval authentication plugin
- TL-47098 Improved the handling of stored secrets and tokens in the database
Bug fixes:
- TL-40153 Fixed an edge case race condition in session initialisation with output buffering off
- TL-40937 Improved user experience by automatically scrolling to sections in forms that need validation
- TL-40942 Fixed course selection for system users when multi-tenancy and tenant isolation are enabled
- TL-41743 Fixed an issue where the user was moved onto the waitlist on task block when the user is booked in seminar events
- TL-45550 User profile custom fields that contain a string '0' will no longer sort at the bottom of the category list
- TL-45791 Fixed duplicate LTI grade error after purge
- TL-46535 Updated mobile language strings for the latest app version
- TL-46544 Updated LTI request params to return boolean values where expected instead of string 'true' or 'false'
- TL-46684 Fixed a problem with the system role report filter where it would crash if no system roles were assigned to any user
Release 17.37 (25th November 2025)
Security issues:
- TL-33651 Implemented validation to ensure passwords that exceed bcrypt’s maximum supported length are rejected
- TL-40452 Tightened the revision range that can be used when serving CSS or JavaScript to limit cache poisoning
- TL-46874 Fixed a problem with the self-registration approval authentication plugin
Bug fixes:
- TL-40153 Fixed an edge case race condition in session initialisation with output buffering off
- TL-40937 Improved user experience by automatically scrolling to sections in forms that need validation
- TL-41743 Fixed an issue where the user was moved onto the waitlist on task block when the user is booked in seminar events
- TL-45550 User profile custom fields that contain a string '0' will no longer sort at the bottom of the category list
- TL-45791 Fixed duplicate LTI grade error after purge
- TL-46535 Updated mobile language strings for the latest app version
- TL-46544 Updated LTI request params to return boolean values where expected instead of string 'true' or 'false'
- TL-46684 Fixed a problem with the system role report filter where it would crash if no system roles were assigned to any user
Release 16.43 (25th November 2025)
Security issues:
- TL-33651 Implemented validation to ensure passwords that exceed bcrypt’s maximum supported length are rejected
- TL-40452 Tightened the revision range that can be used when serving CSS or JavaScript to limit cache poisoning
- TL-46874 Fixed a problem with the self-registration approval authentication plugin
Bug fixes:
- TL-40153 Fixed an edge case race condition in session initialisation with output buffering off
- TL-45791 Fixed duplicate LTI grade error after purge
- TL-46535 Updated mobile language strings for the latest app version
- TL-46544 Updated LTI request params to return boolean values where expected instead of string 'true' or 'false'
Release 15.49 (25th November 2025)
Security issues:
- TL-40452 Tightened the revision range that can be used when serving CSS or JavaScript to limit cache poisoning
- TL-46874 Fixed a problem with the self-registration approval authentication plugin
Bug fixes:
- TL-46535 Updated mobile language strings for the latest app version
- TL-46544 Updated LTI request params to return boolean values where expected instead of string 'true' or 'false'
Release 14.52 (25th November 2025)
Security issues:
- TL-46874 Fixed a problem with the self-registration approval authentication plugin
Release 13.60 (25th November 2025)
Security issues:
- TL-46874 Fixed a problem with the self-registration approval authentication plugin
Release 12.76 (25th November 2025)
Security issues:
- TL-46874 Fixed a problem with the self-registration approval authentication plugin
Release 11.76 (25th November 2025)
Security issues:
- TL-46874 Fixed a problem with the self-registration approval authentication plugin
Release 10.78 (25th November 2025)
Security issues:
- TL-46874 Fixed a problem with the self-registration approval authentication plugin
Release 9.83 (25th November 2025)
Security issues:
- TL-46874 Fixed a problem with the self-registration approval authentication plugin
- Nov 2, 2025
- Parsed from source: Nov 2, 2025
- Detected by Releasebot: Nov 3, 2025
Totara TXP 19.1.4, 19.0.10, 18.23, 17.36, 16.42 and 15.48 are now available
Totara releases six versions this cycle with security fixes, bug fixes and improvements across modules. Highlights include MFA for reporting, MongoDB cache deprecation, and numerous reliability improvements.
Hello everyone,
The following versions of Totara have now been released:
- Release 19.1.4
- Release 19.0.10
- Release 18.23
- Release 17.36
- Release 16.42
- Release 15.48
These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes various bug fixes and improvements.
Kind regards
Release Team
Release 19.1.4 (03rd November 2025)
Important:
- TL-36438 The MongoDB cache store plugin has been deprecated
- TL-39437 Improved media plugin detection of links
- TL-42107 Prevented embedded reports from being displayed in "Report table" and "Report graph" blocks
Security issues:
- TL-39796 Fixed a missing CSRF token when updating all language packs (CVE-2024-25982)
- TL-41086 Fixed change password form being populated despite a validation error
- TL-46013 Hide the course log report from the non-editing trainer (CVE-2025-62436)
- TL-46355 Removed sesskey from URLs when viewing calendar
Improvements:
- TL-37415 Multi-factor authentication added to the users report source
- TL-46660 Multi-factor authentication is available for all account types
Bug fixes:
- TL-35338 Fixed generating duplicate ids on icon preview in multiselect customfield
- TL-38718 Fixed the issue where the page scrolled to the top when editing the quick-access menu
- TL-39201 Improved help text while deleting a tenant category
- TL-39266 Removed encoded entities from site log exports
- TL-39366 Added support for "Show origin of language strings" feature to dynamically-generated areas of the site
- TL-39575 Fixed catalog course progress bar returning duplicate data
- TL-39597 Fixed generated passwords not being correctly escaped when uploading new users
- TL-39638 Fixed the broken "Saved searches" modal on the self-registration plugin
- TL-39730 Site policies now apply the policy language to the entire page when switching policy version
- TL-39822 Added override for "Approval level" in notification preferences form, to allow it to be changed
- TL-40287 Fixed repeated navigation in book activity
- TL-40372 Fixed the missing "Add to admin menu" option on the manage reports page
- TL-41079 Fixed the IP address lookup feature
- TL-41180 Fixed a case where the active framework was reset after changing pages when editing/adding a dynamic audience hierarchy rule
- TL-41274 Fixed issue allowing learners to request seminar approval outside the signup period when event role approval is required
- TL-41375 Fixed a SAML logout error when the remote IdP did not sign logout responses
- TL-41426 Fixed quick-access menu display caching when assigning/unassigning system roles
- TL-41991 Fixed seminar booking confirmations not being sent when user signs up for in progress event
- TL-42186 Fixed a coding error in manual grading of quizzes with a maximum grade of zero
- TL-42614 Fixed files with non-standard characters when using nginx file acceleration
- TL-43045 Fixed error in pathway courses when an activity module is disabled
- TL-43455 Fixed incorrect warning about notifications when deleting Seminar Events
- TL-43721 Fixed issue with learning plan objective scales displaying two languages instead of one when multi-lang content is enabled
- TL-43725 Increased field size for Objective and Priority names to improve multi-language
- TL-44172 Fixed issue preventing survey deletion when the associated user is marked as deleted prior to purging
- TL-44408 Fixed multi-select filter help text for customfields
- TL-44425 Events displayed on course page setting removed from pathway format course
- TL-45015 Fixed assignment submission report to show assignments with no grade requirements
- TL-45721 Fixed program endnote rendering on record of learning when text was created with the Weka editor
- TL-45742 Fixed leftover search text after selecting an override approver in approval workflows
- TL-45921 Fixed exception when cloning an approval workflow with an approval-level-specific notification preference
- TL-45992 Fixed multi-language filtering of organisation and position framework names in self-registration authentication
- TL-46128 Added help text to tenant member upload page to clarify functionality
- TL-46457 Added field displayattemptstatus to API query mod_scorm_scorm
- TL-46596 Fixed a problem with the guest policies languages picker when multiple languages are used
- TL-46651 Fixed the supported PostgreSQL database versions listed in the readme file
- TL-45682 Fixed missing label for EditImageAltTextModal input field by adding aria-label attribute
Library updates:
- TL-46723 Upgraded scssphp to version 1.12.2.1
Release 19.0.10 (03rd November 2025)
Important:
- TL-36438 The MongoDB cache store plugin has been deprecated
- TL-39437 Improved media plugin detection of links
- TL-42107 Prevented embedded reports from being displayed in "Report table" and "Report graph" blocks
Security issues:
- TL-39796 Fixed a missing CSRF token when updating all language packs (CVE-2024-25982)
- TL-41086 Fixed change password form being populated despite a validation error
- TL-46013 Hide the course log report from the non-editing trainer (CVE-2025-62436)
- TL-46355 Removed sesskey from URLs when viewing calendar
Improvements:
- TL-37415 Multi-factor authentication added to the users report source
- TL-46660 Multi-factor authentication is available for all account types
Bug fixes:
- TL-35338 Fixed generating duplicate ids on icon preview in multiselect customfield
- TL-38718 Fixed the issue where the page scrolled to the top when editing the quick-access menu
- TL-39201 Improved help text while deleting a tenant category
- TL-39266 Removed encoded entities from site log exports
- TL-39366 Added support for "Show origin of language strings" feature to dynamically-generated areas of the site
- TL-39575 Fixed catalog course progress bar returning duplicate data
- TL-39597 Fixed generated passwords not being correctly escaped when uploading new users
- TL-39638 Fixed the broken "Saved searches" modal on the self-registration plugin
- TL-39730 Site policies now apply the policy language to the entire page when switching policy version
- TL-39822 Added override for "Approval level" in notification preferences form, to allow it to be changed
- TL-40287 Fixed repeated navigation in book activity
- TL-40372 Fixed the missing "Add to admin menu" option on the manage reports page
- TL-41079 Fixed the IP address lookup feature
- TL-41180 Fixed a case where the active framework was reset after changing pages when editing/adding a dynamic audience hierarchy rule
- TL-41274 Fixed issue allowing learners to request seminar approval outside the signup period when event role approval is required
- TL-41375 Fixed a SAML logout error when the remote IdP did not sign logout responses
- TL-41426 Fixed quick-access menu display caching when assigning/unassigning system roles
- TL-41991 Fixed seminar booking confirmations not being sent when user signs up for in progress event
- TL-42186 Fixed a coding error in manual grading of quizzes with a maximum grade of zero
- TL-42614 Fixed files with non-standard characters when using nginx file acceleration
- TL-43045 Fixed error in pathway courses when an activity module is disabled
- TL-43455 Fixed incorrect warning about notifications when deleting Seminar Events
- TL-43721 Fixed issue with learning plan objective scales displaying two languages instead of one when multi-lang content is enabled
- TL-43725 Increased field size for Objective and Priority names to improve multi-language
- TL-44172 Fixed issue preventing survey deletion when the associated user is marked as deleted prior to purging
- TL-44408 Fixed multi-select filter help text for customfields
- TL-45015 Fixed assignment submission report to show assignments with no grade requirements
- TL-45721 Fixed program endnote rendering on record of learning when text was created with the Weka editor
- TL-45921 Fixed exception when cloning an approval workflow with an approval-level-specific notification preference
- TL-45992 Fixed multi-language filtering of organisation and position framework names in self-registration authentication
- TL-46128 Added help text to tenant member upload page to clarify functionality
- TL-46596 Fixed a problem with the guest policies languages picker when multiple languages are used
- TL-46651 Fixed the supported PostgreSQL database versions listed in the readme file
- TL-45682 Fixed missing label for EditImageAltTextModal input field by adding aria-label attribute
Release 18.23 (03rd November 2025)
Important:
- TL-36438 The MongoDB cache store plugin has been deprecated
- TL-39437 Improved media plugin detection of links
- TL-42107 Prevented embedded reports from being displayed in "Report table" and "Report graph" blocks
Security issues:
- TL-39796 Fixed a missing CSRF token when updating all language packs (CVE-2024-25982)
- TL-41086 Fixed change password form being populated despite a validation error
- TL-46013 Hide the course log report from the non-editing trainer (CVE-2025-62436)
- TL-46355 Removed sesskey from URLs when viewing calendar
Improvements:
- TL-37415 Multi-factor authentication added to the users report source
- TL-46660 Multi-factor authentication is available for all account types
Bug fixes:
- TL-35338 Fixed generating duplicate ids on icon preview in multiselect customfield
- TL-38718 Fixed the issue where the page scrolled to the top when editing the quick-access menu
- TL-39201 Improved help text while deleting a tenant category
- TL-39266 Removed encoded entities from site log exports
- TL-39366 Added support for "Show origin of language strings" feature to dynamically-generated areas of the site
- TL-39575 Fixed catalog course progress bar returning duplicate data
- TL-39597 Fixed generated passwords not being correctly escaped when uploading new users
- TL-39638 Fixed the broken "Saved searches" modal on the self-registration plugin
- TL-39730 Site policies now apply the policy language to the entire page when switching policy version
- TL-39822 Added override for "Approval level" in notification preferences form, to allow it to be changed
- TL-40287 Fixed repeated navigation in book activity
- TL-40372 Fixed the missing "Add to admin menu" option on the manage reports page
- TL-40942 Fixed course selection for system users when multi-tenancy and tenant isolation are enabled
- TL-41079 Fixed the IP address lookup feature
- TL-41180 Fixed a case where the active framework was reset after changing pages when editing/adding a dynamic audience hierarchy rule
- TL-41274 Fixed issue allowing learners to request seminar approval outside the signup period when event role approval is required
- TL-41375 Fixed a SAML logout error when the remote IdP did not sign logout responses
- TL-41426 Fixed quick-access menu display caching when assigning/unassigning system roles
- TL-41991 Fixed seminar booking confirmations not being sent when user signs up for in progress event
- TL-42186 Fixed a coding error in manual grading of quizzes with a maximum grade of zero
- TL-42614 Fixed files with non-standard characters when using nginx file acceleration
- TL-43045 Fixed error in pathway courses when an activity module is disabled
- TL-43455 Fixed incorrect warning about notifications when deleting Seminar Events
- TL-43721 Fixed issue with learning plan objective scales displaying two languages instead of one when multi-lang content is enabled
- TL-43725 Increased field size for Objective and Priority names to improve multi-language
- TL-44172 Fixed issue preventing survey deletion when the associated user is marked as deleted prior to purging
- TL-44408 Fixed multi-select filter help text for customfields
- TL-45015 Fixed assignment submission report to show assignments with no grade requirements
- TL-45721 Fixed program endnote rendering on record of learning when text was created with the Weka editor
- TL-46596 Fixed a problem with the guest policies languages picker when multiple languages are used
- TL-45682 Fixed missing label for EditImageAltTextModal input field by adding aria-label attribute
Release 17.36 (03rd November 2025)
Important:
- TL-36438 The MongoDB cache store plugin has been deprecated
- TL-39437 Improved media plugin detection of links
Security issues:
- TL-39796 Fixed a missing CSRF token when updating all language packs (CVE-2024-25982)
- TL-41086 Fixed change password form being populated despite a validation error
- TL-46013 Hide the course log report from the non-editing trainer (CVE-2025-62436)
Bug fixes:
- TL-35338 Fixed generating duplicate ids on icon preview in multiselect customfield
- TL-38718 Fixed the issue where the page scrolled to the top when editing the quick-access menu
- TL-39201 Improved help text while deleting a tenant category
- TL-39266 Removed encoded entities from site log exports
- TL-39597 Fixed generated passwords not being correctly escaped when uploading new users
- TL-39638 Fixed the broken "Saved searches" modal on the self-registration plugin
- TL-39730 Site policies now apply the policy language to the entire page when switching policy version
- TL-39822 Added override for "Approval level" in notification preferences form, to allow it to be changed
- TL-40287 Fixed repeated navigation in book activity
- TL-41079 Fixed the IP address lookup feature
- TL-41180 Fixed a case where the active framework was reset after changing pages when editing/adding a dynamic audience hierarchy rule
- TL-41991 Fixed seminar booking confirmations not being sent when user signs up for in progress event
- TL-42614 Fixed files with non-standard characters when using nginx file acceleration
- TL-43455 Fixed incorrect warning about notifications when deleting Seminar Events
- TL-43721 Fixed issue with learning plan objective scales displaying two languages instead of one when multi-lang content is enabled
- TL-43725 Increased field size for Objective and Priority names to improve multi-language
- TL-46596 Fixed a problem with the guest policies languages picker when multiple languages are used
- TL-45682 Fixed missing label for EditImageAltTextModal input field by adding aria-label attribute
Release 16.42 (03rd November 2025)
Important:
- TL-36438 The MongoDB cache store plugin has been deprecated
Security issues:
- TL-39796 Fixed a missing CSRF token when updating all language packs (CVE-2024-25982)
- TL-41086 Fixed change password form being populated despite a validation error
- TL-46013 Hide the course log report from the non-editing trainer (CVE-2025-62436)
Bug fixes:
- TL-35338 Fixed generating duplicate ids on icon preview in multiselect customfield
- TL-39730 Site policies now apply the policy language to the entire page when switching policy version
- TL-41180 Fixed a case where the active framework was reset after changing pages when editing/adding a dynamic audience hierarchy rule
- TL-43455 Fixed incorrect warning about notifications when deleting Seminar Events
- TL-46596 Fixed a problem with the guest policies languages picker when multiple languages are used
- TL-45682 Fixed missing label for EditImageAltTextModal input field by adding aria-label attribute and 'Alt text' language string
Release 15.48 (03rd November 2025)
Important:
- TL-36438 The MongoDB cache store plugin has been deprecated
Security issues:
- TL-39796 Fixed a missing CSRF token when updating all language packs (CVE-2024-25982)
- TL-41086 Fixed change password form being populated despite a validation error
- TL-46013 Hide the course log report from the non-editing trainer (CVE-2025-62436)
Bug fixes:
- TL-35338 Fixed generating duplicate ids on icon preview in multiselect customfield
- TL-41180 Fixed a case where the active framework was reset after changing pages when editing/adding a dynamic audience hierarchy rule
- TL-43455 Fixed incorrect warning about notifications when deleting Seminar Events
- TL-45682 Fixed missing label for EditImageAltTextModal input field by adding aria-label attribute and 'Alt text' language string
- Sep 21, 2025
- Parsed from source:Sep 21, 2025
- Detected by Releasebot:Oct 30, 2025
Totara TXP 19.1.3, 19.0.9, 18.22, 17.35, 16.41 and 15.47 are now available
Totara rolls out a security-focused wave of releases from 15.47 up to 19.1.3 with strong upgrade recommendations. Each version delivers security fixes plus bug fixes and improvements, signaling a safer, more reliable learning platform with ongoing updates.
Hello everyone,
The following versions of Totara have now been released:
- Release 19.1.3
- Release 19.0.9
- Release 18.22
- Release 17.35
- Release 16.41
- Release 15.47
These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes various bug fixes and improvements.
Please contact Totara or your partner company if you require more detail on any issue.
Kind regards
Release Team
Release 19.1.3 (22nd September 2025):
Security issues:
- TL-43155 Improved security when storing credentials for external badge backpack connections
- TL-46012 Fixed feedback activity results not always respecting the Separate Groups mode (MSA-25-0039)
Improvements:
- TL-44415 Improved messaging when catalog filter selection changes update the results
Bug fixes:
- TL-38610 Fixed warnings thrown by the component loader when open_basedir was configured in PHP
- TL-40919 Fixed the 'Program ID number' filter for the certifications tab of record of learning
- TL-42583 Fixed integer and decimal custom fields being validated even when not specified when creating and updating positions and organisations via the external API
- TL-44442 Fixed formatting issue with Weka editor in quiz questions
- TL-44715 Fixed unexpected competency records being displayed in record of learning
- TL-45819 Removed overdue status on record of learning when certification is unassigned
- TL-45870 Fixed a crash with the front page login block when various authentication providers were used together
- TL-46026 Fixed bug where some toast notifications would not show if the message contained multi-byte characters
- TL-46063 Fixed a bug when trying to authenticate with an external tool
- TL-46089 Fixed invalid page state when rendering reports with SQL errors
- TL-45431 Fixed an issue that was causing unwanted horizontal scrolling on pages with tables
Technical changes:
- TL-46189 Fixed PHPUnit checks after upgrading to PHPUnit 10
Release 19.0.9 (22nd September 2025):
Security issues:
- TL-43155 Improved security when storing credentials for external badge backpack connections
- TL-46012 Fixed feedback activity results not always respecting the Separate Groups mode (MSA-25-0039)
Improvements:
- TL-44415 Improved messaging when catalog filter selection changes update the results
Bug fixes:
- TL-38610 Fixed warnings thrown by the component loader when open_basedir was configured in PHP
- TL-40919 Fixed the 'Program ID number' filter for the certifications tab of record of learning
- TL-42583 Fixed integer and decimal custom fields being validated even when not specified when creating and updating positions and organisations via the external API
- TL-44442 Fixed formatting issue with Weka editor in quiz questions
- TL-44715 Fixed unexpected competency records being displayed in record of learning
- TL-45819 Removed overdue status on record of learning when certification is unassigned
- TL-45870 Fixed a crash with the front page login block when various authentication providers were used together
- TL-45994 Fixed manage certification header to use the correct lang string
- TL-46026 Fixed bug where some toast notifications would not show if the message contained multi-byte characters
- TL-46063 Fixed a bug when trying to authenticate with an external tool
- TL-46089 Fixed invalid page state when rendering reports with SQL errors
- TL-45431 Fixed an issue that was causing unwanted horizontal scrolling on pages with tables
Technical changes:
- TL-46189 Fixed PHPUnit checks after upgrading to PHPUnit 10
Release 18.22 (22nd September 2025):
Security issues:
- TL-43155 Improved security when storing credentials for external badge backpack connections
- TL-46012 Fixed feedback activity results not always respecting the Separate Groups mode (MSA-25-0039)
Improvements:
- TL-44415 Improved messaging when catalog filter selection changes update the results
Bug fixes:
- TL-38610 Fixed warnings thrown by the component loader when open_basedir was configured in PHP
- TL-40919 Fixed the 'Program ID number' filter for the certifications tab of record of learning
- TL-44442 Fixed formatting issue with Weka editor in quiz questions
- TL-44715 Fixed unexpected competency records being displayed in record of learning
- TL-45819 Removed overdue status on record of learning when certification is unassigned
- TL-46063 Fixed a bug when trying to authenticate with an external tool
- TL-46089 Fixed invalid page state when rendering reports with SQL errors
Release 17.35 (22nd September 2025):
Security issues:
- TL-46012 Fixed feedback activity results not always respecting the Separate Groups mode (MSA-25-0039)
Bug fixes:
- TL-38610 Fixed warnings thrown by the component loader when open_basedir was configured in PHP
- TL-43927 Fixed an error message that appeared when switching language immediately after using the Log in as feature
- TL-44715 Fixed unexpected competency records being displayed in record of learning
- TL-46063 Fixed a bug when trying to authenticate with an external tool
Release 16.41 (22nd September 2025):
Security issues:
- TL-46012 Fixed feedback activity results not always respecting the Separate Groups mode (MSA-25-0039)
Bug fixes:
- TL-38610 Fixed warnings thrown by the component loader when open_basedir was configured in PHP
- TL-43927 Fixed an error message that appeared when switching language immediately after using the Log in as feature
- TL-44715 Fixed unexpected competency records being displayed in record of learning
Release 15.47 (22nd September 2025):
Security issues:
- TL-46012 Fixed feedback activity results not always respecting the Separate Groups mode (MSA-25-0039)
- Aug 26, 2025
- Parsed from source:Aug 26, 2025
- Detected by Releasebot:Oct 30, 2025
July change log amendment - TXP 19.1.1, 19.0.7, 18.20, 17.33
Totara unveils TL-42916 updates: REST authentication now enforces POST and a new security check flags XML-RPC and SOAP. Web services are deprecated; switch to REST or the external API. A temporary revert flag is available to restore old behavior until Totara 20.
TL-42916 Enforced POST for authentication parameters when using REST webservice protocol
The change log for TL-42916 has been amended to include the configuration flag that can be used to revert the new behaviour until Totara 20.
We apologise for the omission.
The new change log reads:
TL-42916 Enforced POST for authentication parameters when using REST webservice protocol
Additionally, a new security check has been introduced to alert site
administrators when XML-RPC or SOAP web service protocols are enabled, as these
are considered insecure. If legacy web services are still required, the REST
protocol is the recommended option. However, please note that web services are
no longer actively maintained and will eventually be deprecated and removed. For
new integrations, it is strongly recommended to use the external API.
If a site needs the previous behaviour, set
$CFG->revert_TL_42916_until_t20 = 1; in config.php to temporarily revert this fix.
- Aug 24, 2025
- Parsed from source:Aug 24, 2025
- Detected by Releasebot:Oct 30, 2025
Totara TXP 19.1.2, 19.0.8, 18.21, 17.34, 16.40, 15.46, 14.51 and 13.59 are now available
Totara rolls out multiple security-focused releases with bug fixes and new controls, including 19.1.2 and 19.0.8 along with 18.x down to 13.x. Highlights include XSS fixes and a new mod/data:manage_jstemplate capability for database template control.
Hello everyone,
The following versions of Totara have now been released:
- Release 19.1.2
- Release 19.0.8
- Release 18.21
- Release 17.34
- Release 16.40
- Release 15.46
- Release 14.51
- Release 13.59
These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes various bug fixes and improvements.
A big thanks to the following people for their contributions to this release:
- Davo Smith - Synergy Learning - TL-45319
Kind regards
Release Team
Release 19.1.2 (25th August 2025):
Security issues:
- TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)
Additionally, a new capability - mod/data:manage_jstemplate - has been created
to provide a separate level of control for database activity JavaScript template
creation. The JavaScript template allows cross-site scripting and other attacks
by design, and should not be editable by untrusted users.
Sites which require course creators to create and modify database activity
JavaScript templates will need to assign this capability to an appropriate role
or roles in order to keep using the JavaScript template-editing feature.
- TL-45738 Fixed a potential XSS vulnerability in Tui core
Performance improvements:
- TL-45319 Temporary managers are no longer checked with user relationships if the feature is disabled
On a site with a large number of job assignments it can be expensive to check if
there are temporary managers even if the feature is not used.
With this change in place the temporary manager check only occurs if the option
is enabled and at least one temporary manager exists.
Improvements:
- TL-35330 Added new HR Import setting to allow users to configure the threshold percentage for uploading new records without seeing a confirmation message
Currently a user importing records into the system with fewer records in the
source than in the system and "Source contains all records" set will see a
confirmation dialogue that they will need to approve before the import can take
place.
With this change, a new setting has been added that can be tuned so that the
message only appears when the minimum records threshold percentage is not met.
This will allow users to tacitly accept consequences for uploading fewer records
than there are in the system if "Source contains all records" is set.
Bug fixes:
- TL-38044 Fixed an issue where tenant theme custom colours were not saving
- TL-38420 Added the lti_deployment_id optional parameter to learning tools interoperability login call
- TL-41081 Improved formatting of the event:all_sessions variable in seminar notifications
- TL-41785 Fixed performance activity notification messages for external participants on participant instance reopening
- TL-42698 Fixed incorrect due date showing on assignment group summary page
- TL-43798 Auto-login as Guest no longer requires the login page guest button to be visible
This fix removes the hidden requirement for the guest button to appear on the
login page for auto-login guest access to work. With this change auto-login
guests can happen without the login page showing the guest sign in button.
- TL-43838 Fixed check for existing records in the record of learning
Fixed a potential concurrency issue while inserting records into table
'dp_record_of_learning', which could conflict if executed at the same time as
the 'Synchronise audience members' scheduled task.
- TL-44750 Added screen reader announcements for grid and explore catalogue result count changes
- TL-44823 Fixed bug where the log store was not using the provided options with SQL Server
The following new settings were added to the external database configuration for
logs:
- Connection encryption
- Trust server certificate
These settings will only be applied to Microsoft SQL Server.
- TL-44835 Fixed bug where Auth DB was not using the provided config options with SQL Server
The following new settings were added to the external database configuration for
authentication:
- Connection pooling
- Connection encryption
- Trust server certificate
These settings will only be applied to Microsoft SQL Server.
- TL-45273 Fixed tenant custom footer and email branding still appearing when tenant branding has been disabled
- TL-45394 Fixed issue where the downloadable icon was not displaying for all downloadable courses in the Find Learning section of the mobile app
Added the following capabilities to the 'Authenticated user' role for new
installs, matching other module permissions, so that checks for downloadable
activities in the mobile app could be run more accurately prior to enrolment on
the course. If this is functionality you use on an existing site, we recommend
adding the same capabilities:
- mod/scorm:view
- mod/certificate:view
- TL-45445 Added missing language string in reportbuilder
- TL-45542 Fixed notification debugging not being displayed in cron logs
- TL-45677 Updated mobile language strings to be in line with the app
- TL-45702 Fixed the Excimer purge data failure caused by invalid dates
The Excimer purge date was calculated from the current day. It is now calculated
from the first day of the month to avoid edge cases with invalid dates, such as
the 29th February.
- TL-45816 Removed the hard-coded expiry date from the job assignment unit test
- TL-45871 Fixed a problem where OAuth provider error messages were lost when Totara tried to fetch an access token
When connecting a system account to an OAuth provider, if the response was not a
200 success status any error message returned would be ignored and a generic
“Could not upgrade oauth token” message was shown. This fix now means a more
specific message is shown regardless of whether the status is 200 or not, and if
debugging is enabled the provider’s message is shown.
- TL-42574 Added the region name to the 'Add a block' button title
Contributions:
- Davo Smith - Synergy Learning - TL-45319
Release 19.0.8 (25th August 2025):
Security issues:
- TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)
Additionally, a new capability - mod/data:manage_jstemplate - has been created
to provide a separate level of control for database activity JavaScript template
creation. The JavaScript template allows cross-site scripting and other attacks
by design, and should not be editable by untrusted users.
Sites which require course creators to create and modify database activity
JavaScript templates will need to assign this capability to an appropriate role
or roles in order to keep using the JavaScript template-editing feature.
- TL-45738 Fixed a potential XSS vulnerability in Tui core
Performance improvements:
- TL-45319 Temporary managers are no longer checked with user relationships if the feature is disabled
On a site with a large number of job assignments it can be expensive to check if
there are temporary managers even if the feature is not used.
With this change in place the temporary manager check only occurs if the option
is enabled and at least one temporary manager exists.
Bug fixes:
- TL-38044 Fixed an issue where tenant theme custom colours were not saving
- TL-38420 Added the lti_deployment_id optional parameter to learning tools interoperability login call
- TL-41081 Improved formatting of the event:all_sessions variable in seminar notifications
- TL-41785 Fixed performance activity notification messages for external participants on participant instance reopening
- TL-42698 Fixed incorrect due date showing on assignment group summary page
- TL-43798 Auto-login as Guest no longer requires the login page guest button to be visible
This fix removes the hidden requirement for the guest button to appear on the
login page for auto-login guest access to work. With this change auto-login
guests can happen without the login page showing the guest sign in button.
- TL-43838 Fixed check for existing records in the record of learning
Fixed a potential concurrency issue while inserting records into table
'dp_record_of_learning', which could conflict if executed at the same time as
the 'Synchronise audience members' scheduled task.
- TL-44750 Added screen reader announcements for grid and explore catalogue result count changes
- TL-44823 Fixed bug where the log store was not using the provided options with SQL Server
The following new settings were added to the external database configuration for
logs:
- Connection encryption
- Trust server certificate
These settings will only be applied to Microsoft SQL Server.
- TL-44835 Fixed bug where Auth DB was not using the provided config options with SQL Server
The following new settings were added to the external database configuration for
authentication:
- Connection pooling
- Connection encryption
- Trust server certificate
These settings will only be applied to Microsoft SQL Server.
- TL-45273 Fixed tenant custom footer and email branding still appearing when tenant branding has been disabled
- TL-45445 Added missing language string in reportbuilder
- TL-45542 Fixed notification debugging not being displayed in cron logs
- TL-45677 Updated mobile language strings to be in line with the app
- TL-45816 Removed the hard-coded expiry date from the job assignment unit test
- TL-45871 Fixed a problem where OAuth provider error messages were lost when Totara tried to fetch an access token
When connecting a system account to an OAuth provider, if the response was not a
200 success status any error message returned would be ignored and a generic
“Could not upgrade oauth token” message was shown. This fix now means a more
specific message is shown regardless of whether the status is 200 or not, and if
debugging is enabled the provider’s message is shown.
- TL-42574 Added the region name to the 'Add a block' button title
Contributions:
- Davo Smith - Synergy Learning - TL-45319
Release 18.21 (25th August 2025):
Security issues:
- TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)
Additionally, a new capability - mod/data:manage_jstemplate - has been created
to provide a separate level of control for database activity JavaScript template
creation. The JavaScript template allows cross-site scripting and other attacks
by design, and should not be editable by untrusted users.
Sites which require course creators to create and modify database activity
JavaScript templates will need to assign this capability to an appropriate role
or roles in order to keep using the JavaScript template-editing feature.
- TL-45738 Fixed a potential XSS vulnerability in Tui core
Performance improvements:
- TL-45319 Temporary managers are no longer checked with user relationships if the feature is disabled
On a site with a large number of job assignments it can be expensive to check if
there are temporary managers even if the feature is not used.
With this change in place the temporary manager check only occurs if the option
is enabled and at least one temporary manager exists.
Bug fixes:
- TL-38044 Fixed an issue where tenant theme custom colours were not saving
- TL-38420 Added the lti_deployment_id optional parameter to learning tools interoperability login call
- TL-39781 Fixed program assignment due date changes not being deferred
When a due date is added or updated on a program or certification assignment,
the change will be deferred rather than being applied immediately. This prevents
problems on large sites. This change was applied in a previous ticket in Totara
19.0 and above.
- TL-41081 Improved formatting of the event:all_sessions variable in seminar notifications
- TL-41785 Fixed performance activity notification messages for external participants on participant instance reopening
- TL-42698 Fixed incorrect due date showing on assignment group summary page
- TL-43838 Fixed check for existing records in the record of learning
Fixed a potential concurrency issue while inserting records into table
'dp_record_of_learning', which could conflict if executed at the same time as
the 'Synchronise audience members' scheduled task.
- TL-44750 Added screen reader announcements for grid and explore catalogue result count changes
- TL-45273 Fixed tenant custom footer and email branding still appearing when tenant branding has been disabled
- TL-45445 Added missing language string in reportbuilder
- TL-45542 Fixed notification debugging not being displayed in cron logs
- TL-45816 Removed the hard-coded expiry date from the job assignment unit test
- TL-42574 Added the region name to the 'Add a block' button title
Contributions:
- Davo Smith - Synergy Learning - TL-45319
Release 17.34 (25th August 2025):
Security issues:
- TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)
Additionally, a new capability - mod/data:manage_jstemplate - has been created
to provide a separate level of control for database activity JavaScript template
creation. The JavaScript template allows cross-site scripting and other attacks
by design, and should not be editable by untrusted users.
Sites which require course creators to create and modify database activity
JavaScript templates will need to assign this capability to an appropriate role
or roles in order to keep using the JavaScript template-editing feature.
- TL-45738 Fixed a potential XSS vulnerability in Tui core
Bug fixes:
- TL-38044 Fixed an issue where tenant theme custom colours were not saving
- TL-38420 Added the lti_deployment_id optional parameter to learning tools interoperability login call
- TL-41081 Improved formatting of the event:all_sessions variable in seminar notifications
- TL-45816 Removed the hard-coded expiry date from the job assignment unit test
Contributions:
- Davo Smith - Synergy Learning - TL-45319
Release 16.40 (25th August 2025):
Security issues:
- TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)
Additionally, a new capability - mod/data:manage_jstemplate - has been created
to provide a separate level of control for database activity JavaScript template
creation. The JavaScript template allows cross-site scripting and other attacks
by design, and should not be editable by untrusted users.
Sites which require course creators to create and modify database activity
JavaScript templates will need to assign this capability to an appropriate role
or roles in order to keep using the JavaScript template-editing feature.
- TL-45738 Fixed a potential XSS vulnerability in Tui core
Bug fixes:
- TL-38044 Fixed an issue where tenant theme custom colours were not saving
Release 15.46 (25th August 2025):
Security issues:
- TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)
Additionally, a new capability - mod/data:manage_jstemplate - has been created
to provide a separate level of control for database activity JavaScript template
creation. The JavaScript template allows cross-site scripting and other attacks
by design, and should not be editable by untrusted users.
Sites which require course creators to create and modify database activity
JavaScript templates will need to assign this capability to an appropriate role
or roles in order to keep using the JavaScript template-editing feature.
- TL-45738 Fixed a potential XSS vulnerability in Tui core
Bug fixes:
- TL-38044 Fixed an issue where tenant theme custom colours were not saving
Release 14.51 (25th August 2025):
Security issues:
- TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)
Additionally, a new capability - mod/data:manage_jstemplate - has been created
to provide a separate level of control for database activity JavaScript template
creation. The JavaScript template allows cross-site scripting and other attacks
by design, and should not be editable by untrusted users.
Sites which require course creators to create and modify database activity
JavaScript templates will need to assign this capability to an appropriate role
or roles in order to keep using the JavaScript template-editing feature.
- TL-45738 Fixed a potential XSS vulnerability in Tui core
Bug fixes:
- TL-38044 Fixed an issue where tenant theme custom colours were not saving
Release 13.59 (25th August 2025):
Security issues:
- TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)
Additionally, a new capability - mod/data:manage_jstemplate - has been created
to provide a separate level of control for database activity JavaScript template
creation. The JavaScript template allows cross-site scripting and other attacks
by design, and should not be editable by untrusted users.
Sites which require course creators to create and modify database activity
JavaScript templates will need to assign this capability to an appropriate role
or roles in order to keep using the JavaScript template-editing feature.
- TL-45738 Fixed a potential XSS vulnerability in Tui core
- Jul 28, 2025
- Parsed from source:Jul 28, 2025
- Detected by Releasebot:Oct 30, 2025
Totara TXP 19.1.1, 19.0.7, 18.20, 17.33, 16.39, 15.45, 14.50, 13.58, 12.75, 11.75 and 10.77 are now available
Totara rolls out multiple releases with security fixes and bug fixes across versions, urging upgrades. Highlights include new security checks, REST emphasis, Microsoft Teams single-tenant integration, and numerous performance and accessibility improvements.
Release Summary
Hello everyone,
The following versions of Totara have now been released:
- Release 19.1.1
- Release 19.0.7
- Release 18.20
- Release 17.33
- Release 16.39
- Release 15.45
- Release 14.50
- Release 13.58
- Release 12.75
- Release 11.75
- Release 10.77
These versions do contain security fixes, and for this reason we strongly recommend upgrade.
Each release also includes various bug fixes and improvements.
A big thanks to the following people for their contributions to this release:
- Andrew Mansfield at Coretxa - TL-43805
- Michael Geering at Think Learning - TL-42693, TL-42783
- Sasha Anastasi at Catalyst - TL-44716
- Steven Hughes at Think Learning - TL-41289
Kind regards
Release Team
Release 19.1.1 (29th July 2025)
Security issues:
TL-39795 Fixed IDOR on dashboard comments block (CVE-2024-25983)
TL-39918 Removed sesskey from URLs to minimise potential security concerns.
TL-42916 Enforced POST for authentication parameters when using REST webservice protocol
Additionally, a new security check has been introduced to alert site
administrators when XML-RPC or SOAP web service protocols are enabled, as these
are considered insecure. If legacy web services are still required, the REST
protocol is the recommended option. However, please note that web services are
no longer actively maintained and will eventually be deprecated and removed. For
new integrations, it is strongly recommended to use the external API.
TL-43243 Error messages that are not client aware will no longer show in internal GraphQL APIs if debugging is disabled
For internal APIs, to see the full error the site debug must be set to full or
developer level. Otherwise the error message will be hidden unless it’s
considered a client-safe one (such as a validation message).
TL-44472 Removed sesskeys when following links in the database activity module (CVE-2025-3637)
TL-44473 Fixed IDOR in RSS block to allow access to additional RSS feeds (CVE-2025-3636)
TL-45238 Improved course visibility state handling (CVE-2025-49515)
TL-45239 Fixed a DNS rebinding problem with cURL (CVE-2025-49514)
TL-45416 Fixed a user ID enumeration problem in profiles
TL-45433 Fixed the Vimeo metadata fetch script bypassing internal CURL handlers
Performance improvements:
TL-45256 Optimised linked courses subquery to improve performance
This fixes a performance issue on the competencies tab of learning plans, when a
large number of courses were assigned to a competency.
Improvements:
TL-44920 Allowed the API user role to view all course activity types, so they can be returned in API results.
Added capabilities to the ‘apiuser’ role to ensure access to all course
activity types via api endpoints.
For new installations, the ‘apiuser’ role will automatically include these
capabilities.
For existing installations, admins will need to manually assign these
capabilities to the ‘apiuser’ role, to ensure access to all course activity
types via api endpoints.
New capabilities added:
- mod/assign:view
- mod/certificate:view
- mod/data:view
- mod/facetoface:view
- mod/feedback:view
- mod/glossary:view
- mod/lti:view
- mod/quiz:view
- mod/scorm:view
TL-45041 Added support for single tenanted Microsoft Teams integrations
The Microsoft Teams and Microsoft Teams Virtual Meetings plugins within Totara
Suite now support single-tenant Microsoft Entra (Azure AD) applications. Two new
settings — Bot tenant ID and Tenant ID — allow authentication to be scoped
to a specific tenant rather than using the global multi-tenant endpoint.
This change is backwards compatible and requires no action after upgrade unless
you use Azure apps restricted to a single tenant. In that case, you should
follow the instructions available in the public developer documentation for the
Microsoft Teams (https://totara.atlassian.net/wiki/spaces/DEV/pages/121184874/Setting+up+Microsoft+Teams+integration#Step-2%3A-Create-an-application-in-Azure)
and Microsoft Teams Virtual Meetings (https://totara.atlassian.net/wiki/spaces/DEV/pages/121185169/Setting+up+Microsoft+Teams+Virtualmeeting+plugin)
plugins respectively.
This change is necessary due to Microsoft ending support for new multi-tenant
Teams bots from 31 July 2025. Existing integrations will continue to function
without modification.
Bug fixes:
TL-35724 Enabled responsive sizing for embedded videos in Weka editor
TL-36963 Fixed SMTP debug messages appearing when sending a test theme email
TL-38525 Fixed a bug where internal URLs were being treated as external URLs when redirecting in the Microsoft Teams application
TL-39309 Fixed text in help message for badges image uploads to only state the accepted format
TL-40084 Fixed permissions checks for the Goal Custom Fields report 'Goal Name' column when viewed by indirect managers
TL-40156 Fixed PHP deprecation warning in format_array_postdata_for_curlcall()
TL-40365 Fixed checks to not display 'Create goal' button when 'Create goal' permission is removed from a user
TL-40821 Prevented "call to action" indicator in reports when user cannot work on a certification
TL-40917 Added required JavaScript to rb_source_cohort_associations so we can POST sesskey correctly
TL-40953 Fixed tenant user managers being unable to view user emails
With this change the tenant participants report now assigns the tenant context
correctly. Additionally custom tenant reports also pass the context along. In
both cases this means the email column will be visible if enabled and the user
has the correct capability.
TL-41243 Allow users to filter session attendance by 'not set' status in Seminar Sign-ups reports
TL-41289 Fixed error when using external logs with no record
TL-42016 Fixed a deprecation notice when a radio form field has no label
TL-42693 Fixed error if renaming file in Totara Forms File Manager
TL-42783 Fixed validation errors in Totara Forms File Manager
TL-43438 Changed forms.scss to restore atto editor textarea elements within totara_form to their default value
TL-43509 The test email results on the SMTP test page will now print escaped, showing the raw email content.
TL-43604 Fixed manual participant selectors for performance activities not being removed on relationship change
TL-43805 Fixed potential returning null by get_source function
TL-43894 Fixed duplication of courses in your library by workspaces
TL-44009 Fixed course images not appearing in the 'Recent files' section of image uploads
TL-44374 Improved accessibility on grid catalogue details panel
TL-44413 Improved screen reader readout for the grid catalog filter options
TL-44424 Fixed default catalogue sorting when multiple languages are enabled
TL-44427 Fixed in-progress course reset for individual users
Users with capability can reset an in-progress course for themselves or other
users. Prior to this patch, this feature inadvertently left course-level
activity completion records in place, causing completion data to appear out of
sync in the completion editor. The bug also meant that learners with a
course-in-progress reset could sometimes complete the course without
re-completing all activities.
This patch also fixes an issue in recent Totara releases that prevented
individual reset of in-progress courses. Bulk course reset ('Reset completions')
remains limited to resetting completed courses only.
TL-44677 Fixed accessibility for the legacy select tree component
TL-44685 Fixed accessibility focus return when 'Catalog share' popover is closed
TL-44689 Improved keyboard accessibility of the view toggle on grid catalogue
TL-44692 Changed HTML tags used \core_user\output\myprofile\renderer to improve accessibility
TL-44716 Fixed a validation problem with IPv6 addresses with a recent PHP update
TL-44748 Fixed lack of contrast on focus state for catalogue pagination and block add buttons
TL-44763 Fixed accessibility compliance for the notification preferences 'Expand All' button
TL-44786 News items in a course is set to the default value when converting to a course format that supports it
TL-44809 Fixed audience visibility settings check for content market place courses
TL-44837 Fixed database enrolment unit test connection to Microsoft SQL Server
TL-44859 Changed the default profile image to improve colour accessibility
TL-45006 Fixed excimer script type for external API
TL-45132 Added accessibility aria popup attribute for cards in explore catalogue
TL-45141 Fixed PHP exception when launching AICC SCORM
TL-45172 Fixed error in Report Builder graphs with aggregated percentage values
TL-45191 Updated the Popover component so that focus now returns to the popover trigger when the popover closes
TL-45192 Fixed missing context error for course_section resolver
TL-45216 Removed condition preventing guests from seeing the catalog block
Guest users should be able to see the catalog block the same way as the catalog
page itself. To revert this change go to the early access settings page and
disable guest_display. In Totara 20, guests will be able to see the block.
TL-45257 Fixed an issue where the Inspire theme custom HTML header and footer content was not being saved properly
TL-45266 Fixed crash when Excimer and 'dbpersist' option are enabled together on PostgreSQL
TL-45306 Fixed deprecation warning being generated in report builder display functions under PHP 8.3
TL-45348 Fixed the wording on the display order help description
TL-41760 Added descriptive labels to 'Add' and 'Remove' buttons in permissions table
TL-41791 Updated logic to apply the correct ARIA role to popovers based on the trigger
TL-42892 Fixed the accessibility of blocks on the course view page
- The aria-labelledby attribute has been added to the 'pre' tag followed by an 'ul' and 'li' tag, in the settings and course navigation blocks.
- The presentation role is now added when generating '/pre' nodes from ajax data in the settings block
TL-44833 Improved accessibility for pathway format progress tracker and user toolbar
TL-45262 Removed incorrect aria role from the side panel in Messages
Technical changes:
TL-38262 Improved behat testing accuracy for notifications tests
TL-38359 Fixed a problem when loading relationships via the ORM would not work if no items were found
Recommendations engine:
TL-45560 Updated the docker base image from python:3.11-slim-buster to python:3.11-slim
Buster has reached end-of-life and the repositories were no longer accessible
causing problems when starting the docker image. With this change we no longer
tie specifically to a debian version, instead use the most valid/latest python
3.11 slim image.
This only impacted newly created instances. However if you’ve been running the
service for a while, we recommend rebuilding it to update your OS.
Contributions:
- Andrew Mansfield at Coretxa - TL-43805
- Michael Geering at Think Learning - TL-42693, TL-42783
- Sasha Anastasi at Catalyst - TL-44716
- Steven Hughes at Think Learning - TL-41289
- Jul 14, 2025
- Parsed from source:Jul 14, 2025
- Detected by Releasebot:Oct 30, 2025
Totara Mobile App 3.1.0 (138) Release
Totara Mobile App 3.1.0 lands with robust offline support, full course downloads and manual progress sync. Find Learning improvements boost usability, new offline certificates, and smarter download management. Core dependencies are upgraded and new tools added for offline work.
Hello everyone,
Release 3.1.0 (138) is available in both app stores and to partners through source code repositories.
Totara Mobile App Changelog
Release 3.1.0 (11th July 2025)
Improvement
- [MOB-1393] Improving Usability on the Find Learning Page - Search
- [MOB-1390] Improving Usability on the Find Learning Page - Progress Bar
- [MOB-1305] Improving Usability on the Find Learning Page - Filter
- [MOB-1378] Mobile Offline Support - POC 1
- [MOB-1382] POC 1 - Offline supported indicator for courses on the course page
- [MOB-1379] POC 1 - Download an entire course
- [MOB-1384] POC 1 - User can remove a downloaded course
- [MOB-1380] POC 1 - User can work on the downloaded Label activities offline
- [MOB-1381] POC 1 - Individual courses progress sync manually
- [MOB-1385] SPIKE Investigate how to support attachments in Label activities for offline use
- [MOB-1406] Manual Sync of All Progress
- [MOB-1417] Supporting Page for Offline Uses
- [MOB-1407] Download Summary
- [MOB-1412] Supporting Certificate for Offline Uses
- [MOB-1473] Ensure "Require View" completion condition is supported
- [MOB-1411] Handling Download Size & Storage Limitations
- [MOB-1456] Label Activity Download Icon
- [MOB-1416] Supporting File for Offline Uses
- [MOB-1449] Handle upgrade path for existing users with downloaded activities only
- [MOB-1457] Include SCORM in download entire course
- [MOB-1478] Add a partial download icon state
- [MOB-1408] Indicating Courses Contains Offline Supported Activities
Bug
- [MOB-1444] Explore catalogue showing internal server error in appetize
- [MOB-1452] Mobile - Blank page after marking a course as completed
- [MOB-1470] App language customisation failing to consistently load
- [MOB-1455] SCORM landscape view in mobile app not supported in some devices
Upgraded dependencies
- @gorhom/bottom-sheet: ^4 -> ^5.1.6
- @sentry/react-native: ~6.3.0 -> ~6.10.0
- expo: ~52.0.41 -> ~52.0.47
- expo-build-properties: ^0.13.2 -> ~0.13.3
- expo-dev-client: ~5.0.15 -> ~5.0.20
- expo-splash-screen: ~0.29.22 -> ~0.29.24
- expo-system-ui: ~4.0.8 -> ~4.0.9
- react-native: 0.76.7 -> 0.76.9
- react-native-webview: ^13.8.6 -> 13.10.4
New dependencies
- react-native-file-viewer: ^2.1.5
- react-native-marked: ^6.0.7
- react-native-mmkv: ^2.12.2
- @apollo/server: ^4.11.0
- @faker-js/faker: ^9.6.0
- @graphql-tools/schema: ^10.0.7
- @testing-library/jest-dom: ^6.6.3
- cors: ^2.8.5
- fishery: ^2.2.3
Removed dependencies
- react-native-orientation-locker: ^1.7.0
- @graphql-tools/mock: ^9.0.3
- apollo-server-express: ^3.13.0
- detox: ^20.25.1
Kind regards,
Fei Gao
- Jul 8, 2025
- Parsed from source:Jul 8, 2025
- Detected by Releasebot:Oct 30, 2025
Totara Unveils New AI Features in Latest Product Update
Totara 19.1 debuts four AI features to boost L&D efficiency, plus enhanced search, discovery, and streamlined admin workflows. New tools help admins and learners create content, with better mobile search and self-enrolment.
Totara Version 19.1 introduces 4 new AI features that drive L&D efficiency, plus enhanced search and content discovery and streamlined workflows.
London, July 08, 2025 – Totara has announced the release of Version 19.1 (V19.1) of its platform, introducing a host of new AI features that support admins in the flow of work and help learners create effective user-generated content.
This mid-year release signals a strategic shift from an annual release cadence toward more frequent updates, accelerating the rollout of new platform capabilities. Alongside the AI features, V19.1 enables learners to search and discover relevant learning content more effectively, including in the mobile app catalogue.
AI Features that Drive L&D Efficiency and Boost Collaborative Learning
The new AI-powered tools assist system administrators in the flow of work, creating and refining text and images when building learning content. Learners can benefit from these features when creating their own resources.
- AI Writing assistant: Create text using prompts, or summarise lengthy text and refine draft copy.
- AI Image generator: Create images for courses and resources in the flow of work.
- AI SMART goal assistant: Create well-structured SMART goals that aid personal development.
- AI Knowledge check-in: Create informal quizzes on resources that encourage self-directed learning and knowledge reinforcement.
Enhanced Content Discovery and Smoother Admin Workflows
The latest updates focus on improved content discovery for learners, while core workflows have been streamlined to save admin time and improve the learner experience:
- Enhanced Search: Including smarter partial word matching, wildcard searches and spell check suggestions
- More Relevant Content Discovery: Enhanced recommended content engine is now available in the Explore catalogue, plus admins can exclude courses from appearing in catalogue searches without removing them from existing programs
- Mobile-App Search & Discovery: Catalogue filters & search as you type
- Learners now have the flexibility to self-enrol on programs and certifications
For more details on the latest new features visit https://www.totara.com/articles/whats-new-totara-version-19-1.
Dave Cruickshank, Chief Executive Officer of Totara Learning Group, commented:
“At the heart of this release is the ability for L&D to do more, faster, while offering a smoother user experience. We’re excited to embrace the power of AI in our first-generation features – they offer practical and purposeful uses, allowing admins and learners to refine learning and course content in the flow of work.”
“Our workflow enhancements smooth out admin processes, allowing L&D to focus their time on what matters. These features, along with our increased feature release cycle, are indicative of our direction of travel; we’re listening to – and responding to – both customer and partner feedback to refine processes, while continuously exploring innovative ways to enhance the learner experience.”
About Totara
Totara is a global leader in learning management technologies, supporting over 1,500 customers and 21 million users worldwide. Its flagship product, Totara Learn, is a customisable LMS that’s trusted to deliver mission-critical learning for multinational corporations, government agencies, and mid-sized enterprises.
Totara supports a global partner network of 75+ partners, as well as direct teams focused on the UK Government and Healthcare sectors and the US public sector (FedRAMP authorized since August 2023). With offices in the UK, US, and New Zealand, Totara’s team of over 200 continue to drive innovation and growth.