Releases: linuxserver/docker-hedgedoc
1.10.6-ls182
c486103
LinuxServer-CI
LinuxServer.io CI
CI Report:
https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.6-ls182/index.html
LinuxServer Changes:
Full Changelog: 1.10.6-ls181...1.10.6-ls182
Remote Changes:
Security fixes
This release contains two medium severity security fixes:
- CVE-2026-25642 reports a bug where security headers for upload files were not set correctly.
- GHSA-672m-p72w-gw28 reports potential security issues with limited script execution in uploaded SVG files.
Thanks to @HUSEYNKHANLI and @drkim-dev for reporting!
Maintenance
- Dependency updates
- Enhancements in the documentation at docs.hedgedoc.org
Contributors
- xenein (#6322)
1.10.6-ls181
da4563b
LinuxServer-CI
LinuxServer.io CI
CI Report:
https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.6-ls181/index.html
LinuxServer Changes:
Full Changelog: 1.10.5-ls180...1.10.6-ls181
Remote Changes:
Security fixes
This release contains two medium severity security fixes:
- GHSA-x74j-jmf9-534w reports a bug where security headers for upload files were not set correctly.
- GHSA-672m-p72w-gw28 reports potential security issues with limited script execution in uploaded SVG files.
Thanks to @HUSEYNKHANLI and @drkim-dev for reporting!
Maintenance
- Dependency updates
- Enhancements in the documentation at docs.hedgedoc.org
Contributors
- xenein (#6322)
1.10.5-ls180
e63317a
LinuxServer-CI
LinuxServer.io CI
CI Report:
https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.5-ls180/index.html
LinuxServer Changes:
Full Changelog: 1.10.5-ls179...1.10.5-ls180
Remote Changes:
This release is just a fix for the docker container. It does not contain any
changes to HedgeDoc itself.
Bugfixes
- Fix the bundled healthcheck in the docker container
1.10.5-ls179
aca957a
LinuxServer-CI
LinuxServer.io CI
CI Report:
https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.5-ls179/index.html
LinuxServer Changes:
Full Changelog: 1.10.5-ls178...1.10.5-ls179
Remote Changes:
This release is just a fix for the docker container. It does not contain any
changes to HedgeDoc itself.
Bugfixes
- Fix the bundled healthcheck in the docker container
1.10.5-ls178
f041348
LinuxServer-CI
LinuxServer.io CI
CI Report:
https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.5-ls178/index.html
LinuxServer Changes:
Full Changelog: 1.10.5-ls177...1.10.5-ls178
Remote Changes:
This release is just a fix for the docker container. It does not contain any
changes to HedgeDoc itself.
Bugfixes
- Fix the bundled healthcheck in the docker container
1.10.5-ls177
13d9713
LinuxServer-CI
LinuxServer.io CI
CI Report:
https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.5-ls177/index.html
LinuxServer Changes:
Full Changelog: 1.10.4-ls176...1.10.5-ls177
Remote Changes:
This release is just a fix for the docker container. It does not contain any
changes to HedgeDoc itself.
Bugfixes
- Fix the bundled healthcheck in the docker container
1.10.4-ls176
71f4511
LinuxServer-CI
LinuxServer.io CI
CI Report:
https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.4-ls176/index.html
LinuxServer Changes:
Full Changelog: 1.10.3-ls175...1.10.4-ls176
Remote Changes:
Security fixes
This release contains two low severity security fixes:
- GHSA-gmgw-rcmh-7x47 reports potential cross-site side-effects due to not applying sandboxing to iframes.
- GHSA-6wm6-3vpq-6qvv reports a possible CSRF vulnerability when using certain social login providers because the
stateparameter is not used and checked.
Enhancements
- Add
enableUploads(CMD_ENABLE_UPLOADS) config option to restrict uploads toregisteredusers,allusers or
noneto completely disable uploads. - Allow links to protocols such as xmpp, webcal or geo
- Switch from deprecated shortid to nanoid module, with 10 character long aliases in "public" links
- Ensure compatibility with Node 24
- Protect user history from accidental or malicious deletion by adding a CSRF-like token
- Many enhancements in the documentation at docs.hedgedoc.org
Bugfixes
- Ignore the healthcheck endpoint in the "too busy" limiter
- Send the referrer origin for YouTube embeddings due to their requirement
- Force kill the server after a timeout when waiting for the realtime server to close connections on shutdown
- Secure iframes with
credentiallessandsandboxattributes - Fix regexes for
[time=...],[name=...]and[color=...]shortcodes in lists - Use
stateparameter for OAuth2 flows and PKCE where applicable
Node compatibility
- Support for Node 24 was verified. The docker image now uses Node 24 as its base image.
Contributors
- Nora Matthias Schiffer (#6096)
- 4censord (#6102)
- Zachery Faria (#6105)
- pl7ofit (#6106)
- Lars Kiesow (#6107)
- Kim Brose (#6114)
- Achilleas Pipinellis (#6119)
- Andreas Boesen (#6148, #6149)
- Thary (#6155)
1.10.3-ls175
a7b7968
LinuxServer-CI
LinuxServer.io CI
CI Report:
https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.3-ls175/index.html
LinuxServer Changes:
Full Changelog: 1.10.3-ls174...1.10.3-ls175
Remote Changes:
Security fixes
This release fixes a security issue of a possible XSS exploit which can be planted via a malicous SVG file upload.
See CVE-2025-32391 for more details
Enhancements
- Add config options
CMD_SAML_WANT_ASSERTIONS_SIGNEDandCMD_SAML_WANT_AUTHN_RESPONSE_SIGNEDfor SAML auth, since
some instances didn't comply with the new defaults of@node-saml/passport-saml
1.10.3-ls174
22ae855
LinuxServer-CI
LinuxServer.io CI
CI Report:
https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.3-ls174/index.html
LinuxServer Changes:
Full Changelog: 1.10.3-ls173...1.10.3-ls174
Remote Changes:
Security fixes
This release fixes a security issue of a possible XSS exploit which can be planted via a malicous SVG file upload.
See CVE-2025-32391 for more details
Enhancements
- Add config options
CMD_SAML_WANT_ASSERTIONS_SIGNEDandCMD_SAML_WANT_AUTHN_RESPONSE_SIGNEDfor SAML auth, since
some instances didn't comply with the new defaults of@node-saml/passport-saml
1.10.3-ls173
618d79e
LinuxServer-CI
LinuxServer.io CI
CI Report:
https://ci-tests.linuxserver.io/linuxserver/hedgedoc/1.10.3-ls173/index.html
LinuxServer Changes:
Full Changelog: 1.10.3-ls172...1.10.3-ls173
Remote Changes:
Security fixes
This release fixes a security issue of a possible XSS exploit which can be planted via a malicous SVG file upload.
See CVE-2025-32391 for more details
Enhancements
- Add config options
CMD_SAML_WANT_ASSERTIONS_SIGNEDandCMD_SAML_WANT_AUTHN_RESPONSE_SIGNEDfor SAML auth, since
some instances didn't comply with the new defaults of@node-saml/passport-saml