v1.12.0

Fixed

• CVE-2025-68954
• CVE-2025-69197
• CVE-2025-69198
• Fixes a self-XSS issue when entering random data into boxes while creating a new database host.
• Fixes missing HttpForbiddenException import in the backup status controller.
• Fixes issue where scheduled tasks would execute every minute regardless of their configured cron syntax.
• Pressing Ctrl+Z to undo while editing a file no longer deletes the initial file content.
• Fixed incorrect error message being returned when attempting to delete your own account as an admin.
• Fixes node description not being settable via the API.
• Fixes 0-bytes files returning an error when attempting to upload.
• Fixes nodes displaying the first available location even when that field was not edited and the node has a different value set.
• Fixes allocation notes not being reset when a server is deleted. (#5157)

Changed

• Minimum NodeJS version updated to 22 for building.
• Updated all JS and PHP dependencies to their latest versions (where feasible).
• The endpoint for disabling 2FA on an account using the client API changed from DELETE /api/client/account/two-factor to POST /api/client/account/two-factor/disable
• ^C in an egg's stop configuration no longer rewrites itself into the default stop configuration.
• IBM Plex Sans font is now bundled with the local assets instead of loading from Google CDNs.
• Upload size on nodes is no longer restricted to a max of 1024MB, any positive integer value can be used.
• Administrators are now listed first when viewing a list of all users on the system.
• Websocket no longer endlessly polls when connection issues are encountered, or when Wings disconnects the user for a reason that should not be re-attempted.

v1.11.11

Fixed

• Fixed CVE-2025-49132

SHA256 Checksum

157e0e46cd639a031e9b4dd046c6e655c276382fb73785afe3194300ed3cfd07  panel.tar.gz

v1.11.10

BREAKING

• Minimum PHP version is now 8.2 due to Laravel upgrade!

Fixed

• Update Laravel to address CVE-2024-52301

SHA256 Checksum

fb571c3252130f997016df1b59ede2656aa138f0ba052105b31d57faa1f10b12  panel.tar.gz

v1.11.9

This is purely a release to ensure a Docker image is properly published, it has no changes compared to v1.11.8.

Fixed

• Fixed issue with CI not pushing Docker image

SHA256 Checksum

4c16ade4ac16e10e54e2ba528a78f3cb7c9bebcddd59a0b9c9ef401d0057eb92  panel.tar.gz

v1.11.8

Fixed

• Fixed an issue where a DELETE request was used instead of a POST, potentially logging user passwords in plain text if they disable 2FA. (GHSA-c479-wq8g-57hr)

SHA256 Checksum

59f9db1adf8f6cfbb798b850c6f295a2b17b60ef696610a5dda8d7e5f6e3b0ce  panel.tar.gz

v1.11.7

Added

• Java 21 to Minecraft eggs

Changed

• Updated Minecraft EULA link

Fixed

• Fixed backups not ever being marked as completed (#5088)
• Fixed .7z files not being detected as a compressed file (#5016)

SHA256 Checksum

b41774a6c7046bdfd4303969c6700d7f46f069b5250dfad25f91bbc389c9c063  panel.tar.gz

v1.11.6

Changed

• Better node ownership checks for internal backup endpoints
• Improved validation rules on docker_image fields to prevent invalid inputs

Fixed

• Multiple XSS vulnerabilities in the admin area (GHSA-384w-wffr-x63q)

SHA256 Checksum

e72510ba7c8f40b1501add62f15e79e0ecc30f0740a101e06c1b831221668cf9  panel.tar.gz

v1.11.5

Fixed

• Rust egg using the wrong Docker image, breaking Rust modding frameworks.

SHA256 Checksum

b01c97c14775c847725c54a33b5981bd77d2265642a9c26e6748d908814b94b3  panel.tar.gz

v1.11.4

Added

• Added support for the server.queryport option on the Rust egg.
• Added support for the Carbon modding framework to the Rust egg.

Changed

• Upgraded to Laravel 10.
• Sensitive data is no longer shown in the CopyOnClick toast notification.

Fixed

• Allow SVGs to be edited in the server's file manager.
• Properly validate the request body when creating a backup.
• Fixed issue with schedules running at the wrong time when the panel utilized a timezone with non-hour offsets (such as Australia/Darwin).
• Fixes the log directory when running the Panel in a container.
• Fixes the permission name used to check if a user has permission to read files/folders.
• Fixes the ability to unset a server's description through the client API.
• Fixed the MassActionBar on the server's file manager blocking elements below it, preventing them from being interacted with.

SHA256 Checksum

3b1a9f893aa537a075b319c18ef4cf860889e6d96b0939e3053fa95e690d040f  panel.tar.gz

v1.11.3

Changed

• When updating a server's description through the client API, if no value is specified, the description will now remain unchanged.
• When installing the Panel for the first time, the queue driver will now all default to redis instead of sync.

Fixed

• php artisan p:environment:mail not correctly setting the right variable for MAIL_FROM_ADDRESS.
• Fixed the conflict state rendering on the UI for a server showing reinstall_failed as restoring_backup.
• Fixed the unknown column uuid error when jobs fail, causing them not to get stored correctly.
• Fixed the server task endpoints in the client API not allowing sequence_id and continue_on_failure to be set.

SHA256 Checksum

5bd48cf0fe5fd605ced51928a35eff436cab163cfb60f5616dd29dec9ad3e657  panel.tar.gz