What's Changed
Security:
- Patched Stored XSS in public share page via unsanitized share metadata (text/template misuse)
- Patched incomplete remediation of CVE-2026-27611: password-protected share bypass via /public/api/share/info (GHSA-525j-95gf-766f)
New Features:
- "Divider" option in sidebar links to add a text or divider between links (#1875)
- Shares offer a "go to source Location" sidebar link and button when editing a share
Notes:
- Share edit/delete permissions are scoped to the user's shares rather than global (#2050)
- OIDC group claims accepted as map (#2084)
Bug Fixes:
- Fixed the requirement that the database path be set in the config file; it now loads the FILEBROWSER_DATABASE value by default, falling back to the config file property
- Error downloading zipped directory: no such file or directory (users with scope) (#2015)
Full Changelog: v1.2.1-stable...v1.2.2-stable