Paperless-ngx

A vulnerability in Paperless-ngx allows attackers to access documents through the API even when remote user API access is explicitly disabled, potentially exposing sensitive document contents.

In Paperless-ngx, logged-in users can access files they don't have permission for through a bulk download feature, leading to unauthorized file access.

Paperless-ngx contains two vulnerabilities that allow authenticated users to inject malicious scripts: through storage path settings or by uploading a manipulated SVG logo file. These scripts can then execute in other users' browsers.

A security vulnerability in Paperless-ngx's webhook functionality allows attackers to bypass internal network access restrictions using DNS rebinding attacks, potentially enabling access to internal systems despite security controls.

A vulnerability in Paperless-ngx allows authenticated users to create malicious regular expressions in tags or correspondents that cause extreme CPU usage during document processing, leading to complete service failure.

A vulnerability in Paperless-ngx allows attackers to store malicious code in metadata like tags or document types that then executes when other users view the affected interface.

A security flaw in Paperless-ngx allows authenticated users to write files to arbitrary locations on the filesystem, including system directories, due to insufficient path validation in the Storage Path feature.

A vulnerability in Paperless-ngx allows authenticated users without proper permissions to upload and process documents, even when they should only have read-only access.

In Paperless-ngx, users with document editing permissions can change the document's owner even though they shouldn't have this privilege.

A security vulnerability in Paperless-ngx allows any authenticated user to read contents of other users' documents and extract user information, despite lacking proper permissions.

A vulnerability in Paperless-ngx allows users to access other users' email passwords by exploiting the email account test function with foreign account IDs without proper permission checks.

A vulnerability in Paperless-ngx allows authenticated users to create public links for any documents, even those they lack permission to view, potentially exposing confidential content without authorization.

A vulnerability in Paperless-ngx allows authenticated users with user-adding permissions to create superuser accounts through a type coercion flaw, enabling them to escalate their privileges beyond intended access levels.

A vulnerability in Paperless-ngx allows authenticated users to view other users' email account metadata and email rules through the global search function, even when they shouldn't have permission to access this information.

A vulnerability in Paperless-ngx allows users with delete permissions to remove administrator accounts even though they are not administrators themselves, due to faulty permission checking when deleting user accounts.

Major beta release introducing AI features, remote OCR, document versioning, and new search backend. Contains multiple breaking changes including removal of encryption support, API v1 compatibility, Python 3.10 support, and database migration restructuring. Significant upgrade requiring careful migr

Security patch release fixing authentication endpoint vulnerabilities and mail account enumeration issues. Also includes fixes for custom field query events and API notes endpoint validation. Upgrade recommended for all users due to security fixes.

Bug fix release addressing permissions handling for non-owners, duplicate tag ID prevention, workflow tag processing, share link access controls, document ordering consistency, email correspondent matching defaults, and date field validation improvements.

Bug fix release addressing search suggestion visibility, permission enforcement for document searches and mail rule account attachments, and validation of document link targets.

Security patch release fixing workflow filename clobbering vulnerability, along with improvements to file handling, authentication scope, API documentation, and dark mode UI elements.

Security patch release addressing vulnerability GHSA-59xh-5vwx-4c4q along with UI fixes for dark mode dropdown colors, tag display wrapping on small cards, dropdown selection behavior, and database filename handling during workflow actions.

Bug fix release addressing storage path template issues from v2.20.7, including fixes for Jinja template string handling, tag document count ordering, and database filename field path limits. Users with affected storage paths should run the document_renamer command after updating.

Security patch release addressing vulnerability GHSA-386h-chg4-cfw9, plus fixes for configuration option reset functionality and tag page count display issues.

Security patch release addressing vulnerability GHSA-7qqc-wrcw-2fj9, recommended for all users to upgrade immediately.

Security release that restricts filename template rendering context, potentially breaking templates using undocumented document properties. Also fixes user interface styling, Docker classifier command, and improves performance for large installations.

Security patch release addressing two security vulnerabilities with fixes for nested tag extraction, note deletion prevention, performance improvements for tree nodes, date calculation corrections, rootless management script issues, and field override problems.

Minor bug fix release addressing UI display issues with long tag names and workflow action ordering. Improves horizontal scrolling for tags and ensures proper sequencing of workflow actions.

Security patch release fixing a reported vulnerability along with several bug fixes including metadata override propagation, storage path ordering, PostgreSQL integer validation, index error handling, and recurring workflow timing issues.

Security patch release that addresses a reported security vulnerability, recommended for all users to upgrade immediately.

Security patch release addressing two security vulnerabilities with improved SVG validation, tag serializer permission fixes, and minor UI enhancements for inactive user display. Includes dependency updates and performance optimizations for bulk operations.

Patch release fixing search functionality issues, custom field update handling, MariaDB SSL connection problems, and allauth compatibility. Also includes minor dependency updates for Docker and Angular components.

Paperless-ngx 2.20.0 upgrades Docker base image to Debian Trixie, improves log viewer functionality, adds relative date support, enhances performance with async file operations and symlinked static files, fixes custom field dropdown issues, and updates multiple dependencies including psycopg, Angula

Bug fix release addressing email attachment handling, workflow URL construction, Outlook token refresh, search whitespace trimming, storage path preview logic, version checking cache, and user password validation improvements.

Bug fix release addressing custom field query propagation and change detection issues, plus dependency update for astral-sh/uv Docker image from version 0.9.4 to 0.9.7.

Bug fix release addressing workflow email attachments, UI translation issues, field parameter handling, mail error display improvements, print functionality in Firefox, tag filtering duplicates, and performance enhancements with virtual scrolling and log handling optimizations.

Paperless-ngx 2.19.3 patch release addressing multiple UI and functionality issues including email endpoint permissions, dropdown sorting, tag filtering, email attachment support, missing component imports, and migration warnings. Also updates Django dependency and improves workflow handling.

Minor patch release fixing UI issues including tag loading display, bulk email permission requirements, and undefined ID handling in object retrieval functions.

Bug fix release addressing workflow title migration issues, tag hierarchy display problems, document count retrieval for tag children, dropdown sorting logic, and permission-based user/group visibility restrictions.

Paperless-ngx 2.19.0 adds advanced workflow filters, nested tags, email enhancements for multiple documents, performance improvements for permission caching, and various UI improvements including print buttons and custom field support. Includes multiple bug fixes for UI components, document processi

Paperless-ngx maintenance release with websocket status reporting, sidebar view count fixes, custom field performance improvements, virtual scrolling revert, and dependency updates including Angular, Bootstrap, and development tools.

Bug fix release addressing UI issues including date parsing language settings, sidebar display problems, view title wrapping, and pagination schema validation. Also includes performance improvements for custom field selects and dependency updates.

Paperless-ngx patch release addressing UI bugs including data loss prevention when switching documents, system status display improvements, date filter visibility enhancements, and saved view count display fixes, plus development dependency updates.

Minor patch release addressing UI consistency issues including button styling fixes, mobile layout improvements for PDF editor, and a bug fix for app logo validation when no file is present.

Bug fix release that corrects the PAPERLESS_EMPTY_TRASH_DIR configuration to properly handle Path objects instead of strings, resolving potential issues with trash directory management.