CeSGO Dashboard 2.1.0

Integrating data and project lifecycle


Projects service - News / releases

Kanboard 1.2.52

Release date: 2026-04-05

  • Enforce comment visibility rules for public and unauthenticated users:
    • Restricted comments are no longer exposed in public task views.
    • Users cannot create comments with a visibility level higher than their role.
  • Revoke public access tokens for inactive users.
  • Use timing-safe comparisons (hash_equals) for API and webhook token validation to mitigate timing attacks.
  • Replace raw SQL interpolation with parameterized queries in:
    • Task queries (TaskFinderModel)
    • iCalendar export conditions
  • Validate task ownership in bulk operations:
    • Ensure tasks belong to the specified project before applying bulk changes.

Kanboard 1.2.51

Release date: 2026-03-07

Security fixes

  • Add SSRF protection for webhook notifications with the new configuration option WEBHOOK_ALLOW_PRIVATE_NETWORKS
  • Prevent unsafe deserialization in the database session handler
  • Restrict invite signup input to expected fields only to prevent parameter injection
  • Add missing permission checks in several API procedures
  • Validate user external ID values
  • Check file attachment ownership before deletion
  • Prevent SSRF bypasses by controlling HTTP client redirect behavior

Improvements

  • Improve accessibility by increasing text/background contrast in the light theme

Dependencies and build

  • Upgrade PHPUnit to version 12
  • Update several GitHub Actions and dependencies
  • Update dependency pimple/pimple to version 3.6.2

Kanboard 1.2.50

Release date: 2026-02-08

Security Improvements

  • Added missing authorization checks in multiple controllers.
  • Enforced project-level authorization checks where they were missing.
  • Improved plugin security by enforcing installer checks in PluginController actions.
  • Enabled Parsedown safe mode to add an extra layer of protection to Markdown rendering against unsafe content.
  • Added CSRF protection for project role changes and enforced JSON content type for related endpoints.

Maintenance & Tooling

  • Updated the PHPUnit version used for the test suite.
  • Switched the GitHub workflow to use the php-cs-fixer Docker image instead of installing it via Composer.

Dependencies

  • Updated pimple/pimple from version 3.5.0 to 3.6.1.

Kanboard 1.2.49

Release date: 2026-01-07

Security

  • Fixed an LDAP injection issue by properly escaping placeholders in LDAP queries.
  • Prevented protocol-relative URLs (//example.com) from being used as login redirect targets.
  • Added a new TRUSTED_PROXY_NETWORKS configuration option to explicitly define trusted reverse proxy networks.
  • Introduced an optional security feature to block private network access when fetching external web links (configurable).
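
The login-redirect item above, illustrated with an added PHP example that is not Kanboard's own code: a naive "starts with /" check accepts //example.com, while the stricter check accepts only single-slash local paths. The function names and sample inputs are assumptions made for this example.

```php
<?php
// Added illustration, not Kanboard's implementation. Function names are hypothetical.

// Naive check: treats anything that starts with "/" as a local path.
function isLocalRedirectNaive(string $target): bool
{
    return $target !== '' && $target[0] === '/';
}

// Stricter check: only a single-slash, same-site path is accepted.
function isLocalRedirect(string $target): bool
{
    // Reject empty input and control characters (CR/LF, tab, NUL).
    if ($target === '' || preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return false;
    }
    // Must start with exactly one "/". Browsers read "//host" as a
    // protocol-relative URL, and normalize "\" to "/" in this position.
    if ($target[0] !== '/') {
        return false;
    }
    if (isset($target[1]) && ($target[1] === '/' || $target[1] === '\\')) {
        return false;
    }
    // Second line of defence: the parsed value must carry no scheme or host.
    $parts = parse_url($target);
    return $parts !== false && !isset($parts['scheme']) && !isset($parts['host']);
}

// Constructed sample inputs.
$samples = [
    '/dashboard',
    '/project/1?search=a',
    '//example.com',
    '/\\example.com',
    'https://example.com/',
    '',
];

foreach ($samples as $s) {
    printf(
        "%-24s naive=%-5s strict=%s\n",
        var_export($s, true),
        var_export(isLocalRedirectNaive($s), true),
        var_export(isLocalRedirect($s), true)
    );
}
```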

Improvements

  • Restored Ctrl + Enter keyboard shortcut for submitting the task creation form.
  • Updated translations for multiple languages.

Maintenance

  • Added a GitHub Actions workflow to mirror the repository to Codeberg.
  • Removed an outdated tests/Dockerfile.
  • Regenerated Composer autoload files.

Build & Dependencies

  • Updated Alpine Linux base image from 3.22 to 3.23.
  • Updated GitHub Actions dependencies:
    • actions/checkout from v5 to v6
    • actions/upload-artifact from v4 → v5 → v6

Kanboard 1.2.48

Release date: 2025-10-18

  • fix: handle Windows-style paths in sanitize_path function
  • feat(locale): added missing German translation phrases
  • feat(locale): added Arabic translation
  • feat(api): add board, rss and ical public links to the API response
  • feat: display sub-tasks completion in numbers (x/y) alongside percentage
  • feat: add basic support for right-to-left (RTL) languages
  • chore: update .gitattributes to ignore additional configuration files
  • build(deps): bump actions/setup-python from 5 to 6
  • build(deps): bump actions/checkout from 4 to 5