Totara Release Notes

Last updated: Nov 3, 2025

  • Nov 2, 2025
    • Parsed from source:
      Nov 2, 2025
    • Detected by Releasebot:
      Nov 3, 2025

    Totara

    Totara TXP 19.1.4, 19.0.10, 18.23, 17.36, 16.42 and 15.48 are now available

    Totara releases six versions this cycle with security fixes, bug fixes and improvements across modules. Highlights include MFA for reporting, MongoDB cache deprecation, and numerous reliability improvements.

    Hello everyone,

    The following versions of Totara have now been released:

    • Release 19.1.4
    • Release 19.0.10
    • Release 18.23
    • Release 17.36
    • Release 16.42
    • Release 15.48

    These versions do contain security fixes, and for this reason we strongly recommend upgrade.
    Each release also includes various bug fixes and improvements.

    Kind regards
    Release Team

    Release 19.1.4 (03rd November 2025)

    Important:

    • TL-36438 The MongoDB cache store plugin has been deprecated
    • TL-39437 Improved media plugin detection of links
    • TL-42107 Prevented embedded reports from being displayed in "Report table" and "Report graph" blocks

    Security issues:

    • TL-39796 Fixed a missing CSRF token when updating all language packs (CVE-2024-25982)
    • TL-41086 Fixed change password form being populated despite a validation error
    • TL-46013 Hide the course log report from the non-editing trainer (CVE-2025-62436)
    • TL-46355 Removed sesskey from URLs when viewing calendar

    Improvements:

    • TL-37415 Multi-factor authentication added to the users report source
    • TL-46660 Multi-factor authentication is available for all account types

    Bug fixes:

    • TL-35338 Fixed generating duplicate ids on icon preview in multiselect customfield
    • TL-38718 Fixed an issue where the page scrolled to the top when editing the quick-access menu
    • TL-39201 Improved help text while deleting a tenant category
    • TL-39266 Removed encoded entities from site log exports
    • TL-39366 Added support for "Show origin of language strings" feature to dynamically-generated areas of the site
    • TL-39575 Fixed catalog course progress bar returning duplicate data
    • TL-39597 Fixed generated passwords not being correctly escaped when uploading new users
    • TL-39638 Fixed the broken "Saved searches" modal on the self-registration plugin
    • TL-39730 Site policies now apply the policy language to the entire page when switching policy version
    • TL-39822 Added override for "Approval level" in notification preferences form, to allow it to be changed
    • TL-40287 Fixed repeated navigation in book activity
    • TL-40372 Fixed the missing "Add to admin menu" option on the manage reports page
    • TL-41079 Fixed the IP address lookup feature
    • TL-41180 Fixed a case where the active framework was reset after changing pages when editing/adding a dynamic audience hierarchy rule
    • TL-41274 Fixed issue allowing learners to request seminar approval outside the signup period when event role approval is required
    • TL-41375 Fixed a SAML logout error when the remote IdP did not sign logout responses
    • TL-41426 Fixed quick-access menu display caching when assigning/unassigning system roles
    • TL-41991 Fixed seminar booking confirmations not being sent when a user signs up for an in-progress event
    • TL-42186 Fixed a coding error in manual grading of quizzes with a maximum grade of zero
    • TL-42614 Fixed files with non-standard characters when using nginx file acceleration
    • TL-43045 Fixed error in pathway courses when an activity module is disabled
    • TL-43455 Fixed incorrect warning about notifications when deleting Seminar Events
    • TL-43721 Fixed issue with learning plan objective scales displaying two languages instead of one when multi-lang content is enabled
    • TL-43725 Increased field size for Objective and Priority names to improve multi-language
    • TL-44172 Fixed issue preventing survey deletion when the associated user is marked as deleted prior to purging
    • TL-44408 Fixed multi-select filter help text for customfields
    • TL-44425 Events displayed on course page setting removed from pathway format course
    • TL-45015 Fixed assignment submission report to show assignments with no grade requirements
    • TL-45721 Fixed program endnote rendering on record of learning when text was created with the Weka editor
    • TL-45742 Fixed leftover search text after selecting an override approver in approval workflows
    • TL-45921 Fixed exception when cloning an approval workflow with an approval-level-specific notification preference
    • TL-45992 Fixed multi-language filtering of organisation and position framework names in self-registration authentication
    • TL-46128 Added help text to tenant member upload page to clarify functionality
    • TL-46457 Added field displayattemptstatus to API query mod_scorm_scorm
    • TL-46596 Fixed a problem with the guest policies languages picker when multiple languages are used
    • TL-46651 Fixed the supported PostgreSQL database versions listed in the readme file
    • TL-45682 Fixed missing label for EditImageAltTextModal input field by adding aria-label attribute

    Library updates:

    • TL-46723 Upgraded scssphp to version 1.12.2.1

    Release 19.0.10 (03rd November 2025)

    Important:

    • TL-36438 The MongoDB cache store plugin has been deprecated
    • TL-39437 Improved media plugin detection of links
    • TL-42107 Prevented embedded reports from being displayed in "Report table" and "Report graph" blocks

    Security issues:

    • TL-39796 Fixed a missing CSRF token when updating all language packs (CVE-2024-25982)
    • TL-41086 Fixed change password form being populated despite a validation error
    • TL-46013 Hide the course log report from the non-editing trainer (CVE-2025-62436)
    • TL-46355 Removed sesskey from URLs when viewing calendar

    Improvements:

    • TL-37415 Multi-factor authentication added to the users report source
    • TL-46660 Multi-factor authentication is available for all account types

    Bug fixes:

    • TL-35338 Fixed generating duplicate ids on icon preview in multiselect customfield
    • TL-38718 Fixed an issue where the page scrolled to the top when editing the quick-access menu
    • TL-39201 Improved help text while deleting a tenant category
    • TL-39266 Removed encoded entities from site log exports
    • TL-39366 Added support for "Show origin of language strings" feature to dynamically-generated areas of the site
    • TL-39575 Fixed catalog course progress bar returning duplicate data
    • TL-39597 Fixed generated passwords not being correctly escaped when uploading new users
    • TL-39638 Fixed the broken "Saved searches" modal on the self-registration plugin
    • TL-39730 Site policies now apply the policy language to the entire page when switching policy version
    • TL-39822 Added override for "Approval level" in notification preferences form, to allow it to be changed
    • TL-40287 Fixed repeated navigation in book activity
    • TL-40372 Fixed the missing "Add to admin menu" option on the manage reports page
    • TL-41079 Fixed the IP address lookup feature
    • TL-41180 Fixed a case where the active framework was reset after changing pages when editing/adding a dynamic audience hierarchy rule
    • TL-41274 Fixed issue allowing learners to request seminar approval outside the signup period when event role approval is required
    • TL-41375 Fixed a SAML logout error when the remote IdP did not sign logout responses
    • TL-41426 Fixed quick-access menu display caching when assigning/unassigning system roles
    • TL-41991 Fixed seminar booking confirmations not being sent when a user signs up for an in-progress event
    • TL-42186 Fixed a coding error in manual grading of quizzes with a maximum grade of zero
    • TL-42614 Fixed files with non-standard characters when using nginx file acceleration
    • TL-43045 Fixed error in pathway courses when an activity module is disabled
    • TL-43455 Fixed incorrect warning about notifications when deleting Seminar Events
    • TL-43721 Fixed issue with learning plan objective scales displaying two languages instead of one when multi-lang content is enabled
    • TL-43725 Increased field size for Objective and Priority names to improve multi-language
    • TL-44172 Fixed issue preventing survey deletion when the associated user is marked as deleted prior to purging
    • TL-44408 Fixed multi-select filter help text for customfields
    • TL-45015 Fixed assignment submission report to show assignments with no grade requirements
    • TL-45721 Fixed program endnote rendering on record of learning when text was created with the Weka editor
    • TL-45921 Fixed exception when cloning an approval workflow with an approval-level-specific notification preference
    • TL-45992 Fixed multi-language filtering of organisation and position framework names in self-registration authentication
    • TL-46128 Added help text to tenant member upload page to clarify functionality
    • TL-46596 Fixed a problem with the guest policies languages picker when multiple languages are used
    • TL-46651 Fixed the supported PostgreSQL database versions listed in the readme file
    • TL-45682 Fixed missing label for EditImageAltTextModal input field by adding aria-label attribute

    Release 18.23 (03rd November 2025)

    Important:

    • TL-36438 The MongoDB cache store plugin has been deprecated
    • TL-39437 Improved media plugin detection of links
    • TL-42107 Prevented embedded reports from being displayed in "Report table" and "Report graph" blocks

    Security issues:

    • TL-39796 Fixed a missing CSRF token when updating all language packs (CVE-2024-25982)
    • TL-41086 Fixed change password form being populated despite a validation error
    • TL-46013 Hide the course log report from the non-editing trainer (CVE-2025-62436)
    • TL-46355 Removed sesskey from URLs when viewing calendar

    Improvements:

    • TL-37415 Multi-factor authentication added to the users report source
    • TL-46660 Multi-factor authentication is available for all account types

    Bug fixes:

    • TL-35338 Fixed generating duplicate ids on icon preview in multiselect customfield
    • TL-38718 Fixed an issue where the page scrolled to the top when editing the quick-access menu
    • TL-39201 Improved help text while deleting a tenant category
    • TL-39266 Removed encoded entities from site log exports
    • TL-39366 Added support for "Show origin of language strings" feature to dynamically-generated areas of the site
    • TL-39575 Fixed catalog course progress bar returning duplicate data
    • TL-39597 Fixed generated passwords not being correctly escaped when uploading new users
    • TL-39638 Fixed the broken "Saved searches" modal on the self-registration plugin
    • TL-39730 Site policies now apply the policy language to the entire page when switching policy version
    • TL-39822 Added override for "Approval level" in notification preferences form, to allow it to be changed
    • TL-40287 Fixed repeated navigation in book activity
    • TL-40372 Fixed the missing "Add to admin menu" option on the manage reports page
    • TL-40942 Fixed course selection for system users when multi-tenancy and tenant isolation are enabled
    • TL-41079 Fixed the IP address lookup feature
    • TL-41180 Fixed a case where the active framework was reset after changing pages when editing/adding a dynamic audience hierarchy rule
    • TL-41274 Fixed issue allowing learners to request seminar approval outside the signup period when event role approval is required
    • TL-41375 Fixed a SAML logout error when the remote IdP did not sign logout responses
    • TL-41426 Fixed quick-access menu display caching when assigning/unassigning system roles
    • TL-41991 Fixed seminar booking confirmations not being sent when a user signs up for an in-progress event
    • TL-42186 Fixed a coding error in manual grading of quizzes with a maximum grade of zero
    • TL-42614 Fixed files with non-standard characters when using nginx file acceleration
    • TL-43045 Fixed error in pathway courses when an activity module is disabled
    • TL-43455 Fixed incorrect warning about notifications when deleting Seminar Events
    • TL-43721 Fixed issue with learning plan objective scales displaying two languages instead of one when multi-lang content is enabled
    • TL-43725 Increased field size for Objective and Priority names to improve multi-language
    • TL-44172 Fixed issue preventing survey deletion when the associated user is marked as deleted prior to purging
    • TL-44408 Fixed multi-select filter help text for customfields
    • TL-45015 Fixed assignment submission report to show assignments with no grade requirements
    • TL-45721 Fixed program endnote rendering on record of learning when text was created with the Weka editor
    • TL-46596 Fixed a problem with the guest policies languages picker when multiple languages are used
    • TL-45682 Fixed missing label for EditImageAltTextModal input field by adding aria-label attribute

    Release 17.36 (03rd November 2025)

    Important:

    • TL-36438 The MongoDB cache store plugin has been deprecated
    • TL-39437 Improved media plugin detection of links

    Security issues:

    • TL-39796 Fixed a missing CSRF token when updating all language packs (CVE-2024-25982)
    • TL-41086 Fixed change password form being populated despite a validation error
    • TL-46013 Hide the course log report from the non-editing trainer (CVE-2025-62436)

    Bug fixes:

    • TL-35338 Fixed generating duplicate ids on icon preview in multiselect customfield
    • TL-38718 Fixed an issue where the page scrolled to the top when editing the quick-access menu
    • TL-39201 Improved help text while deleting a tenant category
    • TL-39266 Removed encoded entities from site log exports
    • TL-39597 Fixed generated passwords not being correctly escaped when uploading new users
    • TL-39638 Fixed the broken "Saved searches" modal on the self-registration plugin
    • TL-39730 Site policies now apply the policy language to the entire page when switching policy version
    • TL-39822 Added override for "Approval level" in notification preferences form, to allow it to be changed
    • TL-40287 Fixed repeated navigation in book activity
    • TL-41079 Fixed the IP address lookup feature
    • TL-41180 Fixed a case where the active framework was reset after changing pages when editing/adding a dynamic audience hierarchy rule
    • TL-41991 Fixed seminar booking confirmations not being sent when a user signs up for an in-progress event
    • TL-42614 Fixed files with non-standard characters when using nginx file acceleration
    • TL-43455 Fixed incorrect warning about notifications when deleting Seminar Events
    • TL-43721 Fixed issue with learning plan objective scales displaying two languages instead of one when multi-lang content is enabled
    • TL-43725 Increased field size for Objective and Priority names to improve multi-language
    • TL-46596 Fixed a problem with the guest policies languages picker when multiple languages are used
    • TL-45682 Fixed missing label for EditImageAltTextModal input field by adding aria-label attribute

    Release 16.42 (03rd November 2025)

    Important:

    • TL-36438 The MongoDB cache store plugin has been deprecated

    Security issues:

    • TL-39796 Fixed a missing CSRF token when updating all language packs (CVE-2024-25982)
    • TL-41086 Fixed change password form being populated despite a validation error
    • TL-46013 Hide the course log report from the non-editing trainer (CVE-2025-62436)

    Bug fixes:

    • TL-35338 Fixed generating duplicate ids on icon preview in multiselect customfield
    • TL-39730 Site policies now apply the policy language to the entire page when switching policy version
    • TL-41180 Fixed a case where the active framework was reset after changing pages when editing/adding a dynamic audience hierarchy rule
    • TL-43455 Fixed incorrect warning about notifications when deleting Seminar Events
    • TL-46596 Fixed a problem with the guest policies languages picker when multiple languages are used
    • TL-45682 Fixed missing label for EditImageAltTextModal input field by adding aria-label attribute and 'Alt text' language string

    Release 15.48 (03rd November 2025)

    Important:

    • TL-36438 The MongoDB cache store plugin has been deprecated

    Security issues:

    • TL-39796 Fixed a missing CSRF token when updating all language packs (CVE-2024-25982)
    • TL-41086 Fixed change password form being populated despite a validation error
    • TL-46013 Hide the course log report from the non-editing trainer (CVE-2025-62436)

    Bug fixes:

    • TL-35338 Fixed generating duplicate ids on icon preview in multiselect customfield
    • TL-41180 Fixed a case where the active framework was reset after changing pages when editing/adding a dynamic audience hierarchy rule
    • TL-43455 Fixed incorrect warning about notifications when deleting Seminar Events
    • TL-45682 Fixed missing label for EditImageAltTextModal input field by adding aria-label attribute and 'Alt text' language string
  • Sep 21, 2025
    • Parsed from source:
      Sep 21, 2025
    • Detected by Releasebot:
      Oct 30, 2025

    Totara

    Totara TXP 19.1.3, 19.0.9, 18.22, 17.35, 16.41 and 15.47 are now available

    Totara rolls out a security focused wave of releases from 15.47 up to 19.1.3 with strong upgrade recommendations. Each version delivers security fixes plus bug fixes and improvements, signaling a safer, more reliable learning platform with ongoing updates.

    Hello everyone,

    The following versions of Totara have now been released:

    • Release 19.1.3
    • Release 19.0.9
    • Release 18.22
    • Release 17.35
    • Release 16.41
    • Release 15.47

    These versions do contain security fixes, and for this reason we strongly recommend upgrade.
    Each release also includes various bug fixes and improvements.

    Please contact Totara or your partner company if you require more detail on any issue.

    Kind regards
    Release Team

    Release 19.1.3 (22nd September 2025):

    Security issues:

    • TL-43155 Improved security when storing credentials for external badge backpack connections
    • TL-46012 Fixed feedback activity results not always respecting the Separate Groups mode (MSA-25-0039)

    Improvements:

    • TL-44415 Improved messaging when catalog filter selection changes update the results

    Bug fixes:

    • TL-38610 Fixed warnings thrown by the component loader when open_basedir was configured in PHP
    • TL-40919 Fixed the 'Program ID number' filter for the certifications tab of record of learning
    • TL-42583 Fixed integer and decimal custom fields being validated even when not specified when creating and updating positions and organisations via the external API
    • TL-44442 Fixed formatting issue with Weka editor in quiz questions
    • TL-44715 Fixed unexpected competency records being displayed in record of learning
    • TL-45819 Removed overdue status on record of learning when certification is unassigned
    • TL-45870 Fixed a crash with the front page login block when various authentication providers were used together
    • TL-46026 Fixed bug where some toast notifications would not show if the message contained multi-byte characters
    • TL-46063 Fixed a bug when trying to authenticate with an external tool
    • TL-46089 Fixed invalid page state when rendering reports with SQL errors
    • TL-45431 Fixed an issue that was causing unwanted horizontal scrolling on pages with tables

    Technical changes:

    • TL-46189 Fixed PHPUnit checks after upgrading to PHPUnit 10

    Release 19.0.9 (22nd September 2025):

    Security issues:

    • TL-43155 Improved security when storing credentials for external badge backpack connections
    • TL-46012 Fixed feedback activity results not always respecting the Separate Groups mode (MSA-25-0039)

    Improvements:

    • TL-44415 Improved messaging when catalog filter selection changes update the results

    Bug fixes:

    • TL-38610 Fixed warnings thrown by the component loader when open_basedir was configured in PHP
    • TL-40919 Fixed the 'Program ID number' filter for the certifications tab of record of learning
    • TL-42583 Fixed integer and decimal custom fields being validated even when not specified when creating and updating positions and organisations via the external API
    • TL-44442 Fixed formatting issue with Weka editor in quiz questions
    • TL-44715 Fixed unexpected competency records being displayed in record of learning
    • TL-45819 Removed overdue status on record of learning when certification is unassigned
    • TL-45870 Fixed a crash with the front page login block when various authentication providers were used together
    • TL-45994 Fixed manage certification header to use the correct lang string
    • TL-46026 Fixed bug where some toast notifications would not show if the message contained multi-byte characters
    • TL-46063 Fixed a bug when trying to authenticate with an external tool
    • TL-46089 Fixed invalid page state when rendering reports with SQL errors
    • TL-45431 Fixed an issue that was causing unwanted horizontal scrolling on pages with tables

    Technical changes:

    • TL-46189 Fixed PHPUnit checks after upgrading to PHPUnit 10

    Release 18.22 (22nd September 2025):

    Security issues:

    • TL-43155 Improved security when storing credentials for external badge backpack connections
    • TL-46012 Fixed feedback activity results not always respecting the Separate Groups mode (MSA-25-0039)

    Improvements:

    • TL-44415 Improved messaging when catalog filter selection changes update the results

    Bug fixes:

    • TL-38610 Fixed warnings thrown by the component loader when open_basedir was configured in PHP
    • TL-40919 Fixed the 'Program ID number' filter for the certifications tab of record of learning
    • TL-44442 Fixed formatting issue with Weka editor in quiz questions
    • TL-44715 Fixed unexpected competency records being displayed in record of learning
    • TL-45819 Removed overdue status on record of learning when certification is unassigned
    • TL-46063 Fixed a bug when trying to authenticate with an external tool
    • TL-46089 Fixed invalid page state when rendering reports with SQL errors

    Release 17.35 (22nd September 2025):

    Security issues:

    • TL-46012 Fixed feedback activity results not always respecting the Separate Groups mode (MSA-25-0039)

    Bug fixes:

    • TL-38610 Fixed warnings thrown by the component loader when open_basedir was configured in PHP
    • TL-43927 Fixed an error message that appeared when switching language immediately after using the Log in as feature
    • TL-44715 Fixed unexpected competency records being displayed in record of learning
    • TL-46063 Fixed a bug when trying to authenticate with an external tool

    Release 16.41 (22nd September 2025):

    Security issues:

    • TL-46012 Fixed feedback activity results not always respecting the Separate Groups mode (MSA-25-0039)

    Bug fixes:

    • TL-38610 Fixed warnings thrown by the component loader when open_basedir was configured in PHP
    • TL-43927 Fixed an error message that appeared when switching language immediately after using the Log in as feature
    • TL-44715 Fixed unexpected competency records being displayed in record of learning

    Release 15.47 (22nd September 2025):

    Security issues:

    • TL-46012 Fixed feedback activity results not always respecting the Separate Groups mode (MSA-25-0039)
  • Aug 26, 2025
    • Parsed from source:
      Aug 26, 2025
    • Detected by Releasebot:
      Oct 30, 2025

    Totara

    July change log amendment - TXP 19.1.1, 19.0.7, 18.20, 17.33

    Totara unveils TL-42916 updates: REST authentication now enforces POST and a new security check flags XML-RPC and SOAP. Web services are deprecated; switch to REST or the external API. A temporary revert flag is available to restore old behavior until Totara 20.

    TL-42916 Enforced POST for authentication parameters when using REST webservice protocol

    The change log for TL-42916 has been amended to include the configuration flag that can be used to revert the new behaviour until Totara 20.

    We apologise for the omission.

    The new change log reads:

    TL-42916 Enforced POST for authentication parameters when using REST webservice protocol

    Additionally, a new security check has been introduced to alert site
    administrators when XML-RPC or SOAP web service protocols are enabled, as these
    are considered insecure. If legacy web services are still required, the REST
    protocol is the recommended option. However, please note that web services are
    no longer actively maintained and will eventually be deprecated and removed. For
    new integrations, it is strongly recommended to use the external API.

    If a site needs the previous behaviour, set

    $CFG->revert_TL_42916_until_t20 = 1;

    in config.php to temporarily revert this fix.

  • Aug 24, 2025
    • Parsed from source:
      Aug 24, 2025
    • Detected by Releasebot:
      Oct 30, 2025

    Totara

    Totara TXP 19.1.2, 19.0.8, 18.21, 17.34, 16.40, 15.46, 14.51 and 13.59 are now available

    Totara rolls out multiple security-focused releases with bug fixes and new controls, including 19.1.2 and 19.0.8 along with 18.x down to 13.x. Highlights include XSS fixes and a new mod/data:manage_jstemplate capability for database template control.

    Hello everyone,

    The following versions of Totara have now been released:

    • Release 19.1.2
    • Release 19.0.8
    • Release 18.21
    • Release 17.34
    • Release 16.40
    • Release 15.46
    • Release 14.51
    • Release 13.59

    These versions do contain security fixes, and for this reason we strongly recommend upgrade.
    Each release also includes various bug fixes and improvements.

    A big thanks to the following people for their contributions to this release:

    • Davo Smith - Synergy Learning - TL-45319

    Kind regards

    Release Team

    Release 19.1.2 (25th August 2025):

    Security issues:

    • TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)

    Additionally, a new capability - mod/data:manage_jstemplate - has been created
    to provide a separate level of control for database activity JavaScript template
    creation. The JavaScript template allows cross-site scripting and other attacks
    by design, and should not be editable by untrusted users.

    Sites which require course creators to create and modify database activity
    JavaScript templates will need to assign this capability to an appropriate role
    or roles in order to keep using the JavaScript template-editing feature.

    • TL-45738 Fixed a potential XSS vulnerability in Tui core

    Performance improvements:

    • TL-45319 Temporary managers are no longer checked with user relationships if the feature is disabled

    On a site with a large number of job assignments it can be expensive to check if
    there are temporary managers even if the feature is not used.

    With this change in place the temporary manager check only occurs if the option
    is enabled and at least one temporary manager exists.

    Improvements:

    • TL-35330 Added new HR Import setting to allow users to configure the threshold percentage for uploading new records without seeing a confirmation message

    Currently a user importing records into the system with fewer records in the
    source than in the system and "Source contains all records" set will see a
    confirmation dialogue that they will need to approve before the import can take
    place.

    With this change, a new setting has been added that can be tuned so that the
    message only appears when the minimum records threshold percentage is not met.
    This will allow users to tacitly accept consequences for uploading fewer records
    than there are in the system if "Source contains all records" is set.

    Bug fixes:

    • TL-38044 Fixed an issue where tenant theme custom colours were not saving
    • TL-38420 Added the lti_deployment_id optional parameter to learning tools interoperability login call
    • TL-41081 Improved formatting of the event:all_sessions variable in seminar notifications
    • TL-41785 Fixed performance activity notification messages for external participants on participant instance reopening
    • TL-42698 Fixed incorrect due date showing on assignment group summary page
    • TL-43798 Auto-login as Guest no longer requires the login page guest button to be visible

    This fix removes the hidden requirement for the guest button to appear on the
    login page for auto-login guest access to work. With this change, guest
    auto-login works without the login page showing the guest sign-in button.

    • TL-43838 Fixed check for existing records in the record of learning

    Fixed a potential concurrency issue while inserting records into table
    'dp_record_of_learning', which could conflict if executed at the same time as
    the 'Synchronise audience members' scheduled task.

    • TL-44750 Added screen reader announcements for grid and explore catalogue result count changes
    • TL-44823 Fixed bug where the log store was not using the provided options with SQL Server

    The following new settings were added to the external database configuration for
    logs:

    • Connection encryption
    • Trust server certificate

    These settings will only be applied to Microsoft SQL Server.

    • TL-44835 Fixed bug where Auth DB was not using the provided config options with SQL Server

    The following new settings were added to the external database configuration for
    authentication:

    • Connection pooling
    • Connection encryption
    • Trust server certificate

    These settings will only be applied to Microsoft SQL Server.

    • TL-45273 Fixed tenant custom footer and email branding still appearing when tenant branding has been disabled
    • TL-45394 Fixed issue where the downloadable icon was not displaying for all downloadable courses in the Find Learning section of the mobile app

    Added the following capabilities to the 'Authenticated user' role for new
    installs, matching other module permissions, so that checks for downloadable
    activities in the mobile app could be run more accurately prior to enrolment on
    the course. If this is functionality you use on an existing site, we recommend
    adding the same capabilities:

    • mod/scorm:view
    • mod/certificate:view

    • TL-45445 Added missing language string in reportbuilder
    • TL-45542 Fixed notification debugging not being displayed in cron logs
    • TL-45677 Updated mobile language strings to be in line with the app
    • TL-45702 Fixed the Excimer purge data failure caused by invalid dates

    The Excimer purge date was calculated from the current day. It is now calculated
    from the first day of the month to avoid edge cases with invalid dates, such as
    the 29th February.

    • TL-45816 Removed the hard-coded expiry date from the job assignment unit test
    • TL-45871 Fixed a problem where OAuth provider error messages were lost when Totara tried to fetch an access token

    When connecting a system account to an OAuth provider, if the response was not a
    200 success status, any error message returned was ignored and a generic
    “Could not upgrade oauth token” message was shown. With this fix, a more
    specific message is shown regardless of whether the status is 200, and if
    debugging is enabled the provider’s message is shown.

    • TL-42574 Added the region name to the 'Add a block' button title

    Contributions:

    • Davo Smith - Synergy Learning - TL-45319

    Release 19.0.8 (25th August 2025):

    Security issues:

    • TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)

    Additionally, a new capability - mod/data:manage_jstemplate - has been created
    to provide a separate level of control for database activity JavaScript template
    creation. The JavaScript template allows cross-site scripting and other attacks
    by design, and should not be editable by untrusted users.

    Sites which require course creators to create and modify database activity
    JavaScript templates will need to assign this capability to an appropriate role
    or roles in order to keep using the JavaScript template-editing feature.

    • TL-45738 Fixed a potential XSS vulnerability in Tui core

    Performance improvements:

    • TL-45319 Temporary managers are no longer checked with user relationships if the feature is disabled

    On a site with a large number of job assignments it can be expensive to check if
    there are temporary managers even if the feature is not used.

    With this change in place the temporary manager check only occurs if the option
    is enabled and at least one temporary manager exists.

    Bug fixes:

    • TL-38044 Fixed an issue where tenant theme custom colours were not saving
    • TL-38420 Added the lti_deployment_id optional parameter to learning tools interoperability login call
    • TL-41081 Improved formatting of the event:all_sessions variable in seminar notifications
    • TL-41785 Fixed performance activity notification messages for external participants on participant instance reopening
    • TL-42698 Fixed incorrect due date showing on assignment group summary page
    • TL-43798 Auto-login as Guest no longer requires the login page guest button to be visible

    This fix removes the hidden requirement for the guest button to appear on the
    login page for auto-login guest access to work. With this change, guest
    auto-login can happen without the login page showing the guest sign-in button.

    • TL-43838 Fixed check for existing records in the record of learning

    Fixed a potential concurrency issue while inserting records into table
    'dp_record_of_learning', which could conflict if executed at the same time as
    the 'Synchronise audience members' scheduled task.

    • TL-44750 Added screen reader announcements for grid and explore catalogue result count changes
    • TL-44823 Fixed bug where the log store was not using the provided options with SQL Server

    The following new settings were added to the external database configuration for
    logs:

    • Connection encryption
    • Trust server certificate

    These settings will only be applied to Microsoft SQL Server.

    • TL-44835 Fixed bug where Auth DB was not using the provided config options with SQL Server

    The following new settings were added to the external database configuration for
    authentication:

    • Connection pooling
    • Connection encryption
    • Trust server certificate

    These settings will only be applied to Microsoft SQL Server.

    • TL-45273 Fixed tenant custom footer and email branding still appearing when tenant branding has been disabled
    • TL-45445 Added missing language string in reportbuilder
    • TL-45542 Fixed notification debugging not being displayed in cron logs
    • TL-45677 Updated mobile language strings to be in line with the app
    • TL-45816 Removed the hard-coded expiry date from the job assignment unit test
    • TL-45871 Fixed a problem where OAuth provider error messages were lost when Totara tried to fetch an access token

    When connecting a system account to an OAuth provider, if the response was not a
    200 success status, any error message returned would be ignored and a generic
    “Could not upgrade oauth token” message was shown. With this fix, a more
    specific message is shown regardless of whether the status is 200 or not, and if
    debugging is enabled the provider’s message is shown.

    • TL-42574 Added the region name to the 'Add a block' button title

    Contributions:

    • Davo Smith - Synergy Learning - TL-45319

    Release 18.21 (25th August 2025):

    Security issues:

    • TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)

    Additionally, a new capability - mod/data:manage_jstemplate - has been created
    to provide a separate level of control for database activity JavaScript template
    creation. The JavaScript template allows cross-site scripting and other attacks
    by design, and should not be editable by untrusted users.

    Sites which require course creators to create and modify database activity
    JavaScript templates will need to assign this capability to an appropriate role
    or roles in order to keep using the JavaScript template-editing feature.

    • TL-45738 Fixed a potential XSS vulnerability in Tui core

    Performance improvements:

    • TL-45319 Temporary managers are no longer checked with user relationships if the feature is disabled

    On a site with a large number of job assignments it can be expensive to check if
    there are temporary managers even if the feature is not used.

    With this change in place the temporary manager check only occurs if the option
    is enabled and at least one temporary manager exists.

    Bug fixes:

    • TL-38044 Fixed an issue where tenant theme custom colours were not saving
    • TL-38420 Added the lti_deployment_id optional parameter to learning tools interoperability login call
    • TL-39781 Fixed program assignment due date changes not being deferred

    When a due date is added or updated on a program or certification assignment,
    the change will be deferred rather than being applied immediately. This prevents
    problems on large sites. This change was applied in a previous ticket in Totara
    19.0 and above.

    • TL-41081 Improved formatting of the event:all_sessions variable in seminar notifications
    • TL-41785 Fixed performance activity notification messages for external participants on participant instance reopening
    • TL-42698 Fixed incorrect due date showing on assignment group summary page
    • TL-43838 Fixed check for existing records in the record of learning

    Fixed a potential concurrency issue while inserting records into table
    'dp_record_of_learning', which could conflict if executed at the same time as
    the 'Synchronise audience members' scheduled task.

    • TL-44750 Added screen reader announcements for grid and explore catalogue result count changes
    • TL-45273 Fixed tenant custom footer and email branding still appearing when tenant branding has been disabled
    • TL-45445 Added missing language string in reportbuilder
    • TL-45542 Fixed notification debugging not being displayed in cron logs
    • TL-45816 Removed the hard-coded expiry date from the job assignment unit test
    • TL-42574 Added the region name to the 'Add a block' button title

    Contributions:

    • Davo Smith - Synergy Learning - TL-45319

    Release 17.34 (25th August 2025):

    Security issues:

    • TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)

    Additionally, a new capability - mod/data:manage_jstemplate - has been created
    to provide a separate level of control for database activity JavaScript template
    creation. The JavaScript template allows cross-site scripting and other attacks
    by design, and should not be editable by untrusted users.

    Sites which require course creators to create and modify database activity
    JavaScript templates will need to assign this capability to an appropriate role
    or roles in order to keep using the JavaScript template-editing feature.

    • TL-45738 Fixed a potential XSS vulnerability in Tui core

    Bug fixes:

    • TL-38044 Fixed an issue where tenant theme custom colours were not saving
    • TL-38420 Added the lti_deployment_id optional parameter to learning tools interoperability login call
    • TL-41081 Improved formatting of the event:all_sessions variable in seminar notifications
    • TL-45816 Removed the hard-coded expiry date from the job assignment unit test

    Contributions:

    • Davo Smith - Synergy Learning - TL-45319

    Release 16.40 (25th August 2025):

    Security issues:

    • TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)

    Additionally, a new capability - mod/data:manage_jstemplate - has been created
    to provide a separate level of control for database activity JavaScript template
    creation. The JavaScript template allows cross-site scripting and other attacks
    by design, and should not be editable by untrusted users.

    Sites which require course creators to create and modify database activity
    JavaScript templates will need to assign this capability to an appropriate role
    or roles in order to keep using the JavaScript template-editing feature.

    • TL-45738 Fixed a potential XSS vulnerability in Tui core

    Bug fixes:

    • TL-38044 Fixed an issue where tenant theme custom colours were not saving

    Release 15.46 (25th August 2025):

    Security issues:

    • TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)

    Additionally, a new capability - mod/data:manage_jstemplate - has been created
    to provide a separate level of control for database activity JavaScript template
    creation. The JavaScript template allows cross-site scripting and other attacks
    by design, and should not be editable by untrusted users.

    Sites which require course creators to create and modify database activity
    JavaScript templates will need to assign this capability to an appropriate role
    or roles in order to keep using the JavaScript template-editing feature.

    • TL-45738 Fixed a potential XSS vulnerability in Tui core

    Bug fixes:

    • TL-38044 Fixed an issue where tenant theme custom colours were not saving

    Release 14.51 (25th August 2025):

    Security issues:

    • TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)

    Additionally, a new capability - mod/data:manage_jstemplate - has been created
    to provide a separate level of control for database activity JavaScript template
    creation. The JavaScript template allows cross-site scripting and other attacks
    by design, and should not be editable by untrusted users.

    Sites which require course creators to create and modify database activity
    JavaScript templates will need to assign this capability to an appropriate role
    or roles in order to keep using the JavaScript template-editing feature.

    • TL-45738 Fixed a potential XSS vulnerability in Tui core

    Bug fixes:

    • TL-38044 Fixed an issue where tenant theme custom colours were not saving

    Release 13.59 (25th August 2025):

    Security issues:

    • TL-45367 Fixed multiple XSS vulnerabilities in database activity (CVE-2024-37674)

    Additionally, a new capability - mod/data:manage_jstemplate - has been created
    to provide a separate level of control for database activity JavaScript template
    creation. The JavaScript template allows cross-site scripting and other attacks
    by design, and should not be editable by untrusted users.

    Sites which require course creators to create and modify database activity
    JavaScript templates will need to assign this capability to an appropriate role
    or roles in order to keep using the JavaScript template-editing feature.

    • TL-45738 Fixed a potential XSS vulnerability in Tui core
  • Jul 28, 2025
    • Parsed from source:
      Jul 28, 2025
    • Detected by Releasebot:
      Oct 30, 2025

    Totara

    Totara TXP 19.1.1, 19.0.7, 18.20, 17.33, 16.39, 15.45, 14.50, 13.58, 12.75, 11.75 and 10.77 are now available

    Totara rolls out multiple releases with security fixes and bug fixes across versions, urging upgrades. Highlights include new security checks, REST emphasis, Microsoft Teams single-tenant integration, and numerous performance and accessibility improvements.

    Release Summary

    Hello everyone,

    The following versions of Totara have now been released:

    • Release 19.1.1
    • Release 19.0.7
    • Release 18.20
    • Release 17.33
    • Release 16.39
    • Release 15.45
    • Release 14.50
    • Release 13.58
    • Release 12.75
    • Release 11.75
    • Release 10.77

    These versions do contain security fixes, and for this reason we strongly recommend upgrading.
    Each release also includes various bug fixes and improvements.

    A big thanks to the following people for their contributions to this release:

    • Andrew Mansfield at Coretxa - TL-43805
    • Michael Geering at Think Learning - TL-42693, TL-42783
    • Sasha Anastasi at Catalyst - TL-44716
    • Steven Hughes at Think Learning - TL-41289

    Kind regards
    Release Team

    Release 19.1.1 (29th July 2025)

    Security issues:

    TL-39795 Fixed IDOR on dashboard comments block (CVE-2024-25983)
    TL-39918 Removed sesskey from URLs to minimise potential security concerns.
    TL-42916 Enforced POST for authentication parameters when using REST webservice protocol

    Additionally, a new security check has been introduced to alert site
    administrators when XML-RPC or SOAP web service protocols are enabled, as these
    are considered insecure. If legacy web services are still required, the REST
    protocol is the recommended option. However, please note that web services are
    no longer actively maintained and will eventually be deprecated and removed. For
    new integrations, it is strongly recommended to use the external API.

    TL-43243 Error messages that are not client aware will no longer show in internal GraphQL APIs if debugging is disabled

    For internal APIs, to see the full error the site debug must be set to full or
    developer level. Otherwise the error message will be hidden unless it’s
    considered a client-safe one (such as a validation message).

    TL-44472 Removed sesskeys when following links in the database activity module (CVE-2025-3637)
    TL-44473 Fixed IDOR in RSS block to allow access to additional RSS feeds (CVE-2025-3636)
    TL-45238 Improved course visibility state handling (CVE-2025-49515)
    TL-45239 Fixed a DNS rebinding problem with cURL (CVE-2025-49514)
    TL-45416 Fixed a user ID enumeration problem in profiles
    TL-45433 Fixed the Vimeo metadata fetch script bypassing internal CURL handlers
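
    An added example, not Totara code: TL-39918 and TL-44472 take sesskey out of URLs, and a value carried in a query string is recorded in web server access logs and in Referer headers. The Python below audits combined-format access logs for sesskey in either place and redacts the value before reporting; the log lines, host name and paths are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample lines in combined log format (not taken from a real site).
SAMPLE_LOG = """\
203.0.113.5 - - [29/Jul/2025:10:00:01 +0000] "GET /calendar/view.php?view=month&sesskey=Ab3dE9xQ1z HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Jul/2025:10:00:07 +0000] "GET /mod/data/view.php?d=4 HTTP/1.1" 200 2048 "https://lms.example.test/mod/data/view.php?d=4&sesskey=Ab3dE9xQ1z" "Mozilla/5.0"
198.51.100.9 - - [29/Jul/2025:10:01:12 +0000] "POST /login/index.php HTTP/1.1" 303 0 "https://lms.example.test/login/index.php" "Mozilla/5.0"
198.51.100.9 - - [29/Jul/2025:10:01:30 +0000] "GET /course/view.php?id=7&notsesskey=1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
this line is not in combined log format
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Query parameters treated as secrets. Only sesskey is named on the page;
# extend the set for other parameters your site passes in URLs.
SENSITIVE = frozenset({"sesskey"})


def redact(url, names=SENSITIVE):
    """Return (url_with_secret_values_replaced, found_flag).

    Parameter names are matched exactly (case-insensitive), so a parameter
    such as 'notsesskey' is not reported.
    """
    parts = urlsplit(url)
    found = False
    pairs = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in names:
            found = True
            value = "REDACTED"
        pairs.append((key, value))
    if not found:
        return url, False
    return urlunsplit(parts._replace(query=urlencode(pairs))), True


def audit(log_text, names=SENSITIVE):
    """Scan log text; return (findings, number_of_unparseable_lines).

    Each finding records whether the secret was in the request target or in
    the Referer header, plus a redacted copy that is safe to put in a report.
    """
    findings, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match is None:
            skipped += 1  # count, do not silently drop, malformed lines
            continue
        for field in ("target", "referer"):
            clean, found = redact(match.group(field), names)
            if found:
                findings.append({
                    "field": field,
                    "ip": match.group("ip"),
                    "time": match.group("ts"),
                    "path": urlsplit(match.group(field)).path,
                    "redacted": clean,
                })
    return findings, skipped


def summarise(findings):
    """Count findings per (field, path) to show which pages still leak."""
    return Counter((f["field"], f["path"]) for f in findings)


if __name__ == "__main__":
    results, bad_lines = audit(SAMPLE_LOG)
    for (field, path), count in summarise(results).items():
        print(f"{count:3d}  {field:8s} {path}")
    print(f"unparseable lines: {bad_lines}")
```

    Running the same audit on logs from before and after an upgrade shows whether any page still places the key in a URL.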

    Performance improvements:

    TL-45256 Optimised linked courses subquery to improve performance

    This fixes a performance issue on the competencies tab of learning plans, when a
    large number of courses were assigned to a competency.

    Improvements:

    TL-44920 Allowed the API user role to view all course activity types, so they can be returned in API results.

    Added capabilities to the ‘apiuser’ role to ensure access to all course
    activity types via API endpoints.
    For new installations, the ‘apiuser’ role will automatically include these
    capabilities.
    For existing installations, admins will need to manually assign these
    capabilities to the ‘apiuser’ role, to ensure access to all course activity
    types via API endpoints.

    New capabilities added:

    • mod/assign:view
    • mod/certificate:view
    • mod/data:view
    • mod/facetoface:view
    • mod/feedback:view
    • mod/glossary:view
    • mod/lti:view
    • mod/quiz:view
    • mod/scorm:view

    TL-45041 Added support for single tenanted Microsoft Teams integrations

    The Microsoft Teams and Microsoft Teams Virtual Meetings plugins within Totara
    Suite now support single-tenant Microsoft Entra (Azure AD) applications. Two new
    settings — Bot tenant ID and Tenant ID — allow authentication to be scoped
    to a specific tenant rather than using the global multi-tenant endpoint.

    This change is backwards compatible and requires no action after upgrade unless
    you use Azure apps restricted to a single tenant. In that case, you should
    follow the instructions available in the public developer documentation for the
    Microsoft Teams (https://totara.atlassian.net/wiki/spaces/DEV/pages/121184874/Setting+up+Microsoft+Teams+integration#Step-2%3A-Create-an-application-in-Azure)
    and Microsoft Teams Virtual Meetings (https://totara.atlassian.net/wiki/spaces/DEV/pages/121185169/Setting+up+Microsoft+Teams+Virtualmeeting+plugin)
    plugins respectively.

    This change is necessary due to Microsoft ending support for new multi-tenant
    Teams bots from 31 July 2025. Existing integrations will continue to function
    without modification.

    Bug fixes:

    TL-35724 Enabled responsive sizing for embedded videos in Weka editor
    TL-36963 Fixed SMTP debug messages appearing when sending a test theme email
    TL-38525 Fixed a bug where internal URLs were being treated as external URLs when redirecting in the Microsoft Teams application
    TL-39309 Fixed text in help message for badges image uploads to only state the accepted format
    TL-40084 Fixed permissions checks for the Goal Custom Fields report 'Goal Name' column when viewed by indirect managers
    TL-40156 Fixed PHP deprecation warning in format_array_postdata_for_curlcall()
    TL-40365 Fixed checks to not display 'Create goal' button when 'Create goal' permission is removed from a user
    TL-40821 Prevented "call to action" indicator in reports when user cannot work on a certification
    TL-40917 Added required JavaScript to rb_source_cohort_associations so we can POST sesskey correctly
    TL-40953 Fixed tenant user managers being unable to view user emails

    With this change the tenant participants report now assigns the tenant context
    correctly. Additionally custom tenant reports also pass the context along. In
    both cases this means the email column will be visible if enabled and the user
    has the correct capability.

    TL-41243 Allow users to filter session attendance by 'not set' status in Seminar Sign-ups reports
    TL-41289 Fixed error when using external logs with no record
    TL-42016 Fixed a deprecation notice when a radio form field has no label
    TL-42693 Fixed error if renaming file in Totara Forms File Manager
    TL-42783 Fixed validation errors in Totara Forms File Manager
    TL-43438 Changed forms.scss to restore atto editor textarea elements within totara_form to their default value
    TL-43509 The test email results on the SMTP test page will now print escaped, showing the raw email content.
    TL-43604 Fixed manual participant selectors for performance activities not being removed on relationship change
    TL-43805 Fixed the get_source function potentially returning null
    TL-43894 Fixed duplication of courses in your library by workspaces
    TL-44009 Fixed course images not appearing in the 'Recent files' section of image uploads
    TL-44374 Improved accessibility on grid catalogue details panel
    TL-44413 Improved screen reader readout for the grid catalog filter options
    TL-44424 Fixed default catalogue sorting when multiple languages are enabled
    TL-44427 Fixed in-progress course reset for individual users

    Users with capability can reset an in-progress course for themselves or other
    users. Prior to this patch, this feature inadvertently left course-level
    activity completion records in place, causing completion data to appear out of
    sync in the completion editor. The bug also meant that learners with a
    course-in-progress reset could sometimes complete the course without
    re-completing all activities.

    This patch also fixes an issue in recent Totara releases that prevented
    individual reset of in-progress courses. Bulk course reset ('Reset completions')
    remains limited to resetting completed courses only.

    TL-44677 Fixed accessibility for the legacy select tree component
    TL-44685 Fixed accessibility focus return when 'Catalog share' popover is closed
    TL-44689 Improved keyboard accessibility of the view toggle on grid catalogue
    TL-44692 Changed HTML tags used in \core_user\output\myprofile\renderer to improve accessibility
    TL-44716 Fixed a validation problem with IPv6 addresses with a recent PHP update
    TL-44748 Fixed lack of contrast on focus state for catalogue pagination and block add buttons
    TL-44763 Fixed accessibility compliance for the notification preferences 'Expand All' button
    TL-44786 News items in a course is set to the default value when converting to a course format that supports it
    TL-44809 Fixed audience visibility settings check for content market place courses
    TL-44837 Fixed database enrolment unit test connection to Microsoft SQL Server
    TL-44859 Changed the default profile image to improve colour accessibility
    TL-45006 Fixed excimer script type for external API
    TL-45132 Added accessibility aria popup attribute for cards in explore catalogue
    TL-45141 Fixed PHP exception when launching AICC SCORM
    TL-45172 Fixed error in Report Builder graphs with aggregated percentage values
    TL-45191 Updated the Popover component so that focus now returns to the popover trigger when the popover closes
    TL-45192 Fixed missing context error for course_section resolver
    TL-45216 Removed condition preventing guests from seeing the catalog block

    Guest users should be able to see the catalog block the same way as the catalog
    page itself. To revert this change go to the early access settings page and
    disable guest_display. In Totara 20, guests will be able to see the block.

    TL-45257 Fixed an issue where the Inspire theme custom HTML header and footer content was not being saved properly
    TL-45266 Fixed crash when Excimer and 'dbpersist' option are enabled together on PostgreSQL
    TL-45306 Fixed deprecation warning being generated in report builder display functions under PHP 8.3
    TL-45348 Fixed the wording on the display order help description
    TL-41760 Added descriptive labels to 'Add' and 'Remove' buttons in permissions table
    TL-41791 Updated logic to apply the correct ARIA role to popovers based on the trigger
    TL-42892 Fixed the accessibility of blocks on the course view page

    • The aria-labelledby attribute has been added to the 'pre' tag followed by an 'ul' and 'li' tag, in the
      settings and course navigation blocks.
    • The presentation role is now added when generating '/pre' nodes from ajax data
      in the settings block

    TL-44833 Improved accessibility for pathway format progress tracker and user toolbar
    TL-45262 Removed incorrect aria role from the side panel in Messages

    Technical changes:

    TL-38262 Improved behat testing accuracy for notifications tests
    TL-38359 Fixed a problem when loading relationships via the ORM would not work if no items were found

    Recommendations engine:

    TL-45560 Updated the docker base image from python:3.11-slim-buster to python:3.11-slim

    Buster has reached end-of-life and its repositories were no longer accessible,
    causing problems when starting the docker image. With this change we no longer
    tie specifically to a Debian version, and instead use the most valid/latest Python
    3.11 slim image.

    This only impacted newly created instances. However if you’ve been running the
    service for a while, we recommend rebuilding it to update your OS.

    Contributions:

    • Andrew Mansfield at Coretxa - TL-43805
    • Michael Geering at Think Learning - TL-42693, TL-42783
    • Sasha Anastasi at Catalyst - TL-44716
    • Steven Hughes at Think Learning - TL-41289
  • Jul 14, 2025
    • Parsed from source:
      Jul 14, 2025
    • Detected by Releasebot:
      Oct 30, 2025

    Totara

    Totara Mobile App 3.1.0 (138) Release

    Totara Mobile App 3.1.0 lands with robust offline support, full course downloads and manual progress sync. Find Learning improvements boost usability, new offline certificates, and smarter download management. Core dependencies are upgraded and new tools added for offline work.

    Hello everyone,

    Release 3.1.0 (138) is available in both app stores and to partners through source code repositories.

    Totara Mobile App Changelog

    Release 3.1.0 (11th July 2025)

    Improvement

    • [MOB-1393] Improving Usability on the Find Learning Page - Search
    • [MOB-1390] Improving Usability on the Find Learning Page - Progress Bar
    • [MOB-1305] Improving Usability on the Find Learning Page - Filter
    • [MOB-1378] Mobile Offline Support - POC 1
    • [MOB-1382] POC 1 - Offline supported indicator for courses on the course page
    • [MOB-1379] POC 1 - Download an entire course
    • [MOB-1384] POC 1 - User can remove a downloaded course
    • [MOB-1380] POC 1 - User can work on the downloaded Label activities offline
    • [MOB-1381] POC 1 - Individual courses progress sync manually
    • [MOB-1385] SPIKE Investigate how to support attachments in Label activities for offline use
    • [MOB-1406] Manual Sync of All Progress
    • [MOB-1417] Supporting Page for Offline Uses
    • [MOB-1407] Download Summary
    • [MOB-1412] Supporting Certificate for Offline Uses
    • [MOB-1473] Ensure "Require View" completion condition is supported
    • [MOB-1411] Handling Download Size & Storage Limitations
    • [MOB-1456] Label Activity Download Icon
    • [MOB-1416] Supporting File for Offline Uses
    • [MOB-1449] Handle upgrade path for existing users with downloaded activities only
    • [MOB-1457] Include SCORM in download entire course
    • [MOB-1478] Add a partial download icon state
    • [MOB-1408] Indicating Courses Contains Offline Supported Activities

    Bug

    • [MOB-1444] Explore catalogue showing internal server error in appetize
    • [MOB-1452] Mobile - Blank page after marking a course as completed
    • [MOB-1470] App language customisation failing to consistently load
    • [MOB-1455] SCORM landscape view in mobile app not supported in some devices

    Upgraded dependencies

    • @gorhom/bottom-sheet: ^4 -> ^5.1.6
    • @sentry/react-native: ~6.3.0 -> ~6.10.0
    • expo: ~52.0.41 -> ~52.0.47
    • expo-build-properties: ^0.13.2 -> ~0.13.3
    • expo-dev-client: ~5.0.15 -> ~5.0.20
    • expo-splash-screen: ~0.29.22 -> ~0.29.24
    • expo-system-ui: ~4.0.8 -> ~4.0.9
    • react-native: 0.76.7 -> 0.76.9
    • react-native-webview: ^13.8.6 -> 13.10.4

    New dependencies

    • react-native-file-viewer: ^2.1.5
    • react-native-marked: ^6.0.7
    • react-native-mmkv: ^2.12.2
    • @apollo/server: ^4.11.0
    • @faker-js/faker: ^9.6.0
    • @graphql-tools/schema: ^10.0.7
    • @testing-library/jest-dom: ^6.6.3
    • cors: ^2.8.5
    • fishery: ^2.2.3

    Removed dependencies

    • react-native-orientation-locker: ^1.7.0
    • @graphql-tools/mock: ^9.0.3
    • apollo-server-express: ^3.13.0
    • detox: ^20.25.1

    Kind regards,
    Fei Gao

  • Jul 8, 2025
    • Parsed from source:
      Jul 8, 2025
    • Detected by Releasebot:
      Oct 30, 2025

    Totara

    Totara Unveils New AI Features in Latest Product Update

    Totara 19.1 debuts four AI features to boost L&D efficiency, plus enhanced search, discovery, and streamlined admin workflows. New tools help admins and learners create content, with better mobile search and self-enrolment.

    Totara Version 19.1 introduces 4 new AI features that drive L&D efficiency, plus enhanced search and content discovery and streamlined workflows.

    London, July 08, 2025 – Totara has announced the release of Version 19.1 (V19.1) of its platform, introducing a host of new AI features that support admins in the flow of work and help learners create effective user-generated content.

    This mid-year release signals a strategic shift from an annual release cadence toward more frequent updates, accelerating the rollout of new platform capabilities. Alongside the AI features, V19.1 enables learners to search and discover relevant learning content more effectively, including in the mobile app catalogue.

    AI Features that Drive L&D Efficiency and Boost Collaborative Learning

    The new AI-powered tools assist system administrators in the flow of work, creating and refining text and images when building learning content. Learners can benefit from these features when creating their own resources.

    • AI Writing assistant: Create text using prompts, or summarise lengthy text and refine draft copy.
    • AI Image generator: Create images for courses and resources in the flow of work.
    • AI SMART goal assistant: Create well-structured SMART goals that aid personal development.
    • AI Knowledge check-in: Create informal quizzes on resources that encourage self-directed learning and knowledge reinforcement.

    Enhanced Content Discovery and Smoother Admin Workflows

    The latest updates focus on improved content discovery for learners, while core workflows have been streamlined to save admin time and improve the learner experience:

    • Enhanced Search: Including smarter partial word matching, wildcard searches and spell check suggestions
    • More Relevant Content Discovery: Enhanced recommended content engine is now available in the Explore catalogue, plus admins can exclude courses from appearing in catalogue searches without removing them from existing programs
    • Mobile-App Search & Discovery: Catalogue filters & search as you type
    • Learners now have the flexibility to self-enrol on programs and certifications

    For more details on the latest new features visit https://www.totara.com/articles/whats-new-totara-version-19-1.

    Dave Cruickshank, Chief Executive Officer of Totara Learning Group, commented:

    “At the heart of this release is the ability for L&D to do more, faster, while offering a smoother user experience. We’re excited to embrace the power of AI in our first-generation features – they offer practical and purposeful uses, allowing admins and learners to refine learning and course content in the flow of work.”

    “Our workflow enhancements smooth out admin processes, allowing L&D to focus their time on what matters. These features, along with our increased feature release cycle, are indicative of our direction of travel; we’re listening to – and responding to – both customer and partner feedback to refine processes, while continuously exploring innovative ways to enhance the learner experience.”

    About Totara

    Totara is a global leader in learning management technologies, supporting over 1,500 customers and 21 million users worldwide. Its flagship product, Totara Learn, is a customisable LMS that’s trusted to deliver mission-critical learning for multinational corporations, government agencies, and mid-sized enterprises.

    Totara supports a global partner network of 75+ partners, as well as direct teams focused on the UK Government and Healthcare sectors and the US public sector (FedRAMP authorized since August 2023). With offices in the UK, US, and New Zealand, Totara’s team of over 200 continue to drive innovation and growth.

  • Jul 8, 2025
    • Parsed from source:
      Jul 8, 2025
    • Detected by Releasebot:
      Oct 30, 2025

    Totara

    Introducing Totara AI plugins - Now available alongside Totara 19.1.0

    Totara unveils the initial 1.0.0 release of four AI plugins for Totara 19.1.0, adding AI Form Assistant, AI Goal Wizard, AI Knowledge Check-in, and AI Image Generation as stable, upgrade‑ready features. Partners with Git access can download and integrate them.

    AI plugins that are now available

    • AI Form Assistant
    • AI Goal Wizard
    • AI Knowledge Check-in
    • AI Image Generation

    Documentation and Resources

    • Totara Community: What's new in Totara v19.1.0
    • Totara Help: Enabling AI features
    • Developer documentation: AI-powered features technical documentation
    • Developer documentation: AI integrations and architecture

    Alliance Partners

    Alliance Partners with existing Git access can now download these plugins.
    Information for partners on how to access these plugins can be found in the Technical and Product updates workspace.
    For assistance obtaining access or any additional technical queries, please open a help desk ticket.

    Thank you,

    Sam Hemelryk

  • Jun 24, 2025
    • Parsed from source:
      Jun 24, 2025
    • Detected by Releasebot:
      Oct 30, 2025
    Totara

    Totara TXP 19.0.6, 18.19, 17.32, 16.38, 15.44, 14.49, 13.57, 12.74, 11.74, 10.76 and 9.82 are now available

    Totara unveils multiple releases including 19.0.6 and earlier versions, delivering security fixes and bug improvements. The updates emphasize performance gains and upgrades recommended for all users.

    Hello everyone,

    The following versions of Totara have now been released:

    • Release 19.0.6
    • Release 18.19
    • Release 17.32
    • Release 16.38
    • Release 15.44
    • Release 14.49
    • Release 13.57
    • Release 12.74
    • Release 11.74
    • Release 10.76
    • Release 9.82

    These versions do contain security fixes, and for this reason we strongly recommend upgrading.
    Each release also includes various bug fixes and improvements.

    Kind regards
    Release Team

    Release 19.0.6 (25th June 2025)

    Security issues:

    • TL-44468 Backported MDL-84473: Fixed a security problem with EQUELLA repository (CVE-2025-3642)
    • TL-45240 Disabled caching on the login page (CVE-2025-49513)
    • TL-45250 Fixed external API's disable introspection setting

    Performance improvements:

    • TL-43676 Improved performance of menu item checks for course category and content marketplace administration

    Bug fixes:

    • TL-40822 Fixed an issue where the seminar signups report contained duplicate records for session attendance

    • TL-41712 Fixed page layout in some situations with the Pathway course format

    • TL-44289 Fixed an issue on some browsers where reloading the page would incorrectly show a form resubmission warning

    • TL-44376 Fixed an accessibility issue by removing menu bar roles on the legacy primary navigation

    • TL-44377 Fixed a bug when SAML metadata was signed

    In previous versions, if you enabled the “Sign metadata” option, the
    signature would be applied and then the metadata would be formatted. Formatting
    the metadata changed the signed content, which invalidated the signature.

    With this fix, when the metadata is signed we no longer format it for visibility,
    leaving it exactly as it was when signed.
      
    • TL-44597 Updated JMeter script

    • TL-44679 Added missing ARIA attributes on grid catalog details popover

    • TL-44788 Added userdata classes for AI interactions

    • TL-45007 Fixed a problem when installing Totara without the openssl extension

    • TL-45036 Courses set to the Single Activity format are now available in the Recently Viewed block

    • TL-45125 Updated mobile language strings to match current app requirements

    • TL-44375 Fixed a bug where the user profile picture was unintentionally visible to screen readers

    • TL-44378 Changed the parent container role from 'log' to 'list' to properly contain message items with role 'listitem'

    • TL-44380 Updated ARIA attributes for message, notification, and admin menu popovers

    Technical changes:

    • TL-43993 New OAuth2 issuers will be encrypted when created
    • TL-44831 Added Encrypt & TrustServerCertificate options for MSSQL PHPUnit tests

    Release 18.19 (25th June 2025)

    Security issues:

    • TL-44468 Backported MDL-84473: Fixed a security problem with EQUELLA repository (CVE-2025-3642)
    • TL-45240 Disabled caching on the login page (CVE-2025-49513)

    Performance improvements:

    • TL-43676 Improved performance of menu item checks for course category and content marketplace administration

    Bug fixes:

    • TL-40822 Fixed an issue where the seminar signups report contained duplicate records for session attendance

    • TL-44376 Fixed an accessibility issue by removing menu bar roles on the legacy primary navigation

    • TL-44377 Fixed a bug when SAML metadata was signed

    In previous versions, if you enabled the “Sign metadata” option, the
    signature would be applied and then the metadata would be formatted. Formatting
    the metadata changed the signed content, which invalidated the signature.

    With this fix, when the metadata is signed we no longer format it for visibility,
    leaving it exactly as it was when signed.
      
    • TL-44679 Added missing ARIA attributes on grid catalog details popover

    • TL-44788 Added userdata classes for AI interactions

    • TL-45007 Fixed a problem when installing Totara without the openssl extension

    • TL-45125 Updated mobile language strings to match current app requirements

    • TL-44375 Fixed a bug where the user profile picture was unintentionally visible to screen readers

    • TL-44378 Changed the parent container role from 'log' to 'list' to properly contain message items with role 'listitem'

    • TL-44380 Updated ARIA attributes for message, notification, and admin menu popovers

    Technical changes:

    • TL-43993 New OAuth2 issuers will be encrypted when created

    Release 17.32 (25th June 2025)

    Security issues:

    • TL-44468 Backported MDL-84473: Fixed a security problem with EQUELLA repository (CVE-2025-3642)
    • TL-45240 Disabled caching on the login page (CVE-2025-49513)

    Bug fixes:

    • TL-40822 Fixed an issue where the seminar signups report contained duplicate records for session attendance
    • TL-45125 Updated mobile language strings to match current app requirements
    • TL-44375 Fixed a bug where the user profile picture was unintentionally visible to screen readers

    Release 16.38 (25th June 2025)

    Security issues:

    • TL-44468 Backported MDL-84473: Fixed a security problem with EQUELLA repository (CVE-2025-3642)
    • TL-45240 Disabled caching on the login page (CVE-2025-49513)

    Bug fixes:

    • TL-40822 Fixed an issue where the seminar signups report contained duplicate records for session attendance
    • TL-45125 Updated mobile language strings to match current app requirements
    • TL-44375 Fixed a bug where the user profile picture was unintentionally visible to screen readers

    Release 15.44 (25th June 2025)

    Security issues:

    • TL-44468 Backported MDL-84473: Fixed a security problem with EQUELLA repository (CVE-2025-3642)
    • TL-45240 Disabled caching on the login page (CVE-2025-49513)

    Bug fixes:

    • TL-45125 Updated mobile language strings to match current app requirements

    Release 14.49 (25th June 2025)

    Security issues:

    • TL-44468 Backported MDL-84473: Fixed a security problem with EQUELLA repository (CVE-2025-3642)
    • TL-45240 Disabled caching on the login page (CVE-2025-49513)

    Bug fixes:

    • TL-44375 Fixed a bug where the user profile picture was unintentionally visible to screen readers

    Release 13.57 (25th June 2025)

    Security issues:

    • TL-44468 Backported MDL-84473: Fixed a security problem with EQUELLA repository (CVE-2025-3642)
    • TL-45240 Disabled caching on the login page (CVE-2025-49513)

    Bug fixes:

    • TL-44375 Fixed a bug where the user profile picture was unintentionally visible to screen readers

    Release 12.74 (25th June 2025)

    Security issues:

    • TL-44468 Backported MDL-84473: Fixed a security problem with EQUELLA repository (CVE-2025-3642)
    • TL-45240 Disabled caching on the login page (CVE-2025-49513)

    Release 11.74 (25th June 2025)

    Security issues:

    • TL-44468 Backported MDL-84473: Fixed a security problem with EQUELLA repository (CVE-2025-3642)
    • TL-45240 Disabled caching on the login page (CVE-2025-49513)

    Release 10.76 (25th June 2025)

    Security issues:

    • TL-44468 Backported MDL-84473: Fixed a security problem with EQUELLA repository (CVE-2025-3642)
    • TL-45240 Disabled caching on the login page (CVE-2025-49513)

    Release 9.82 (25th June 2025)

    Security issues:

    • TL-44468 Backported MDL-84473: Fixed a security problem with EQUELLA repository (CVE-2025-3642)
    • TL-45240 Disabled caching on the login page (CVE-2025-49513)
  • May 25, 2025
    • Parsed from source:
      May 25, 2025
    • Detected by Releasebot:
      Oct 30, 2025
    Totara

    Totara TXP 19.0.5, 18.18, 17.31, 16.37, 15.43, 14.48, 13.56, 12.73, 11.73, 10.75 and 9.81 are now available

    Totara unveils multiple new releases focused on security fixes and bug improvements across 19.0.5, 18.18, 17.31 and older. Upgrade recommended to address CVEs and performance tweaks while benefitting from stability improvements.

    Hello everyone,

    The following versions of Totara have now been released:

    • Release 19.0.5
    • Release 18.18
    • Release 17.31
    • Release 16.37
    • Release 15.43
    • Release 14.48
    • Release 13.56
    • Release 12.73
    • Release 11.73
    • Release 10.75
    • Release 9.81

    These versions do contain security fixes, and for this reason we strongly recommend upgrading.
    Each release also includes various bug fixes and improvements.

    Kind regards
    Release Team

    Release 19.0.5 (23rd May 2025):

    Security issues:

    • TL-44469 Fixed an issue with Dropbox and serialisation (CVE-2025-3641)

    Performance improvements:

    • TL-43188 Improved the performance for mobile completed learning API calls

    Previously, the completed learning API fetched the entirety of a user's
    completed learning before combining learning types and paginating. This could
    potentially lead to a performance hit for users with large amounts of completed
    learning, so we have limited this to the 100 most recently completed items of
    each type.

    Improvements:

    • TL-44127 Wrapped update_certification_task operations in a try-catch and transaction block

    Previously, the totara_certification\task\update_certification_task scheduled
    task would stop processing if a failure occurred for one record. It would not
    process the following records.

    The next time the task ran, it would try to process the same record again and
    possibly fail again. As the records are probably ordered, it means that the
    records following the failing record would never be processed.

    This patch wraps the operations which might fail in a transaction, catches any
    exceptions, and continues to the next record.

    Bug fixes:

    • TL-40320 Fixed error on My Goals page caused by duplicates created when 2 operations ran at the same time
    • TL-40827 Fixed learning plan not respecting the global "Default role" or "Enrolment period" settings for new instances
    • TL-41033 Fixed error when showing custom profile fields that are both locked and required
    • TL-41222 Fixed an accessibility issue where tabbing would move focus incorrectly on an un-contained dropdown
    • TL-43569 Excluded instance results where the user does not have access from being shown on the performance activity 'Select participants' page
    • TL-43825 Fixed rendering of special characters in catalogue block title
    • TL-44339 Fixed an accessibility issue with colour contrast in the current learning block

    Implemented consistent white background for "Sets" with a faint grey border.

    • TL-44495 Fixed an issue with the positioning of the user tour on inspire theme navigation items

    Also added a border radius to the tour popover.

    • TL-44532 Fixed a bug where the uniform FormField component would have an empty aria-describedby attribute
    • TL-44653 Fixed an LTI (external tool) authentication issue with JWT

    Fixed JWT handling for LTI (Learning Tools Interoperability) authentication to
    support strict encoding.

    • TL-44698 Fixed require passing grade completion criteria not being checked in external tool
    • TL-44712 Fixed filestore cache so when a file cannot be unserialised it will log a debug message instead of crashing the entire site
    • TL-44742 Fixed a bug where users who log in via SAML were unable to launch LTI activities
    • TL-40292 Improved accessibility on assignment submission table

    Release 18.18 (23rd May 2025):

    Security issues:

    • TL-44469 Fixed an issue with Dropbox and serialisation (CVE-2025-3641)

    Improvements:

    • TL-44127 Wrapped update_certification_task operations in a try-catch and transaction block

    Previously, the totara_certification\task\update_certification_task scheduled
    task would stop processing if a failure occurred for one record. It would not
    process the following records.

    The next time the task ran, it would try to process the same record again and
    possibly fail again. As the records are probably ordered, it means that the
    records following the failing record would never be processed.

    This patch wraps the operations which might fail in a transaction, catches any
    exceptions, and continues to the next record.

    Bug fixes:

    • TL-40320 Fixed error on My Goals page caused by duplicates created when 2 operations ran at the same time
    • TL-40827 Fixed learning plan not respecting the global "Default role" or "Enrolment period" settings for new instances
    • TL-41033 Fixed error when showing custom profile fields that are both locked and required
    • TL-43569 Excluded instance results where the user does not have access from being shown on the performance activity 'Select participants' page
    • TL-44532 Fixed a bug where the uniform FormField component would have an empty aria-describedby attribute
    • TL-44653 Fixed an LTI (external tool) authentication issue with JWT

    Fixed JWT handling for LTI (Learning Tools Interoperability) authentication to
    support strict encoding.

    • TL-44698 Fixed require passing grade completion criteria not being checked in external tool
    • TL-44712 Fixed filestore cache so when a file cannot be unserialised it will log a debug message instead of crashing the entire site
    • TL-44742 Fixed a bug where users who log in via SAML were unable to launch LTI activities
    • TL-40292 Improved accessibility on assignment submission table

    Release 17.31 (23rd May 2025):

    Security issues:

    • TL-44469 Fixed an issue with Dropbox and serialisation (CVE-2025-3641)

    Bug fixes:

    • TL-40320 Fixed error on My Goals page caused by duplicates created when 2 operations ran at the same time
    • TL-40827 Fixed learning plan not respecting the global "Default role" or "Enrolment period" settings for new instances
    • TL-41033 Fixed error when showing custom profile fields that are both locked and required
    • TL-41074 Excluded instance results the user does not have access to from being shown on the performance activity 'Select participants' page
    • TL-44653 Fixed an LTI (external tool) authentication issue with JWT

    Fixed JWT handling for LTI (Learning Tools Interoperability) authentication to
    support strict encoding.

    • TL-40292 Improved accessibility on assignment submission table

    Release 16.37 (23rd May 2025):

    Security issues:

    • TL-44469 Fixed an issue with Dropbox and serialisation (CVE-2025-3641)

    Bug fixes:

    • TL-44653 Fixed an LTI (external tool) authentication issue with JWT

    Fixed JWT handling for LTI (Learning Tools Interoperability) authentication to
    support strict encoding.

    Release 15.43 (23rd May 2025):

    Security issues:

    • TL-44469 Fixed an issue with Dropbox and serialisation (CVE-2025-3641)

    Bug fixes:

    • TL-44653 Fixed an LTI (external tool) authentication issue with JWT

    Fixed JWT handling for LTI (Learning Tools Interoperability) authentication to
    support strict encoding.

    Release 14.48 (23rd May 2025):

    Security issues:

    • TL-44469 Fixed an issue with Dropbox and serialisation (CVE-2025-3641)

    Bug fixes:

    • TL-44653 Fixed an LTI (external tool) authentication issue with JWT

    Fixed JWT handling for LTI (Learning Tools Interoperability) authentication to
    support strict encoding.

    Release 13.56 (23rd May 2025):

    Security issues:

    • TL-44469 Fixed an issue with Dropbox and serialisation (CVE-2025-3641)

    Release 12.73 (23rd May 2025):

    Security issues:

    • TL-44469 Fixed an issue with Dropbox and serialisation (CVE-2025-3641)

    Release 11.73 (23rd May 2025):

    Security issues:

    • TL-44467 Fixed a potential cross-site scripting situation (CVE-2025-3643)
    • TL-44469 Fixed an issue with Dropbox and serialisation (CVE-2025-3641)

    Release 10.75 (23rd May 2025):

    Security issues:

    • TL-44467 Fixed a potential cross-site scripting situation (CVE-2025-3643)
    • TL-44469 Fixed an issue with Dropbox and serialisation (CVE-2025-3641)

    Release 9.81 (23rd May 2025):

    Security issues:

    • TL-44467 Fixed a potential cross-site scripting situation (CVE-2025-3643)
    • TL-44469 Fixed an issue with Dropbox and serialisation (CVE-2025-3641)