• Milestone

This is a security-focussed release for FreshRSS 1.26.x, addressing several CVEs (thanks @Inverle) 🛡

A few highlights ✨:

• Implement JSON string concatenation with & operator
• Support multiple JSON fragments in HTML+XPath+JSON mode (e.g. JSON-LD)
• Multiple security fixes with CVEs
• Bug fixes

Notes ℹ:

• Favicons will be reconstructed automatically when feeds gets refreshed. After that, you may need to refresh your Web browser as well.

This release has been made by @Alkarex, @Frenzie, @hkcomori, @loviuz, @math-GH
and newcomers @dezponia, @glyn, @Inverle, @Machou, @mikropsoft

Full changelog:

• Features
  • Implement JSON string concatenation with & operator #7414
  • Support multiple JSON fragments in HTML+XPath+JSON mode #7369
• Bug fixing
  • Fix escaping of tag search #7468
  • Fix CLI parsing of Boolean flags #7430
  • Fix API for labels with slash #7437
• SimplePie
  • Fix support for feeds with XML preamble + DTD #7515, simplepie#914
  • Merged upstream #7434
    • Upstream fix simplepie#912
• Security
  • Disallow <iframe srcdoc=""> #7494, CVE-2025-32015
  • Disallow <button formaction=""> #7506
  • Improve favicons hash to avoid favicon pollution #7505, CVE-2025-46339
  • Add Content-Security-Policy HTTP headers to favicons #7471, CVE-2025-31136
  • Web scraping forbid security HTTP headers in cURL #7496, CVE-2025-46341
  • Add some HTTP headers Referrer-Policy: same-origin #6303, #7478
  • Use HTTP POST for logout #7489, CVE-2025-31482
  • Make update URL read-only #7477
  • Fix for extensions: Restrict valid paths in ext.php #7479, CVE-2025-31134
  • Fix for extensions: Secure serving of user files #7495
• Extensions
  • Fix file serving for symlinked extensions #7545
  • Catch extension exceptions in override #7475
  • JavaScript: new event to detect context loaded #7452
• Deployment
  • Apache: add check for mod_filter to ensure that AddOutputFilterByType works #7419
• UI
  • Accessibility: Add :focus style to some dropdown menus #7491
  • New size option for the Mark as read button #7314
  • Update bcrypt.js from 2.4.4 to 3.0.2 #7449
  • Various UI and style improvements: #7168, #7526
• I18n
  • Rework credits #7426
  • Improve French #7432
  • Improve Italian #7540
  • Improve Polish #7508
  • Improve Turkish #7442
• Misc.
  • Improve PHP code #7431, #7488, #7534
  • Update dev dependencies #7480, #7482, #7483,
    #7484, #7485, #7486,
    #7487, #7533, #7535,
    #7536, #7537, #7538

• Milestone

This is a bugfix release for 1.26.0, addressing some regressions 🐛

A few highlights ✨:

• Fix regression with cURL HTTP headers breaking conditional HTTP requests
• Fix regression with saving states of user queries
• Fix regression with dynamic OPML

This release has been made by @Alkarex, @FromTheMoon85, @marienfressinaud, @math-GH
and newcomers @abackstrom, @BryanButlerGit, @culbrethj, @EricDiao, @Karvel, @ViPeR5000

Full changelog:

• Features
  • Add cURL version to page about system information #7409
• Bug fixing
  • Fix regression with cURL HTTP headers breaking conditional HTTP requests #7403, FreshRSS/simplepie#33
  • Fix regression with saving states of user queries #7400
  • Fix regression with dynamic OPML #7394
  • Fix update of the user’s last activity on login action #7406
  • Fix setting category option Maximum number of articles to keep per feed #7416
  • Fix priority field when processing a new feed from an extension #7354
• Deployment
  • Fix regression with 64-bit timestamps on 32-bit platforms #7375
  • Fix back-compatibility with cURL 7.51 (we require cURL 7.52+ for CURLPROXY_HTTPS) #7409
• UI
  • Use case-insensitive sort for categories #7402
  • Improve dark mode of Origine theme #7413
  • Added API password indicator #7340
• I18n
  • Fix (es, fa, sk): do not translate XPath code #7404
  • Fix date bug in Finish #7423
  • Add Portuguese from Portugal #7329
  • Improve Hungarian #7391
• Misc.
  • Improve PHP code #7339
  • Update dev dependencies #7386, #7387, #7388

• Milestone

In this release, we have restarted to focus on features. A long-awaited feature has been added, namely sorting articles by various criteria: received date (existing, default), publication date, title, link, random.

A few highlights ✨:

• Add order-by options to sort articles by received date (existing, default), publication date, title, link, random
• Allow searching in all feeds, also feeds only visible at category level with &get=A, and also those archived with &get=Z
  • UI accessible from user-query view
• New shortcuts for adding user labels to articles
• Several improvements and bug fixes

This release has been made by @Alkarex, @b-reich, @hkcomori, @math-GH, @UserRoot-Luca
and newcomers @a6software, @aftix, @bl00dy1837, @brtmax, @Roan-V, @ShaddyDC, @UncleArya

Full changelog:

• Features
  • Add order-by options to sort articles by received date (existing, default), publication date, title, link, random #7149
  • Allow searching in all feeds, also feeds only visible at category level with &get=A, and also those archived with &get=Z #7144
    • UI accessible from user-query view
  • Add search operator intext: #7228
  • New shortcuts for adding user labels to articles #7274
  • New About page with system information #7161
• Bug fixing
  • Fix regression denying access to app manifest #7158
  • Fix unwanted feed description updates #7269
  • Ensure no PHP buffer for SQLite download (some setups would first put the file in memory) #7230
  • Fix XML encoding regression in HTML+XPath mode #7345
  • Improve cURL proxy options and fix some constants #7231
  • Fix UI of global view unread articles counter #7247
  • Hide base theme in carrousel #7234
• Deployment
  • Reduce superfluous Docker builds #7137
  • Docker default image (Debian 12 Bookworm) updated to PHP 8.2.26 and Apache 2.4.62
  • Docker alternative image (Alpine 3.21) updated to PHP 8.3.16
• UI
  • Add footer icons to reader view #7133
  • Remove local reference to font Open Sans to avoid bugs with some local versions #7215
  • Improve stats page layout #7243
  • Smaller mark as read button in mobile view #5220
  • Add CSS class to various types of notifications to allow custom styling #7287
  • Various UI and style improvements: #7162, #7268
    Security
  • Better authorization label for OIDC in the UI #7264
  • Allow comments in force-https.txt #7259
• I18n:
  • Improve German #7177, #7275, #7278
  • Improve Japanese #7187, #7195, #7332
• Misc.
  • Improve PHP code #7191, #7204
    • Upgrade to PHPStan 2 #7131, #7164, #7224,
      #7270, #7281, #7282
  • Update to CssXPath 1.3.0 (no change) #7211
  • Update dev dependencies #7165, #7166, #7167,
    #7279, #7280, #7283,
    #7284, #7285, #7347
  • Update GitHub Actions to Ubuntu 24.04 #7207