Release notes from phpipam
https://github.com/phpipam/phpipam/releases
Updated: 2026-04-25T20:49:36Z

<hr>
1.8.1 (2026-04-27T17:39:50Z, GaryAllan)
<pre class="notranslate"><code>Bugfixes:
----------------------------
+ PHP8 compatibility fixes;
+ Rack SVG image errors (#4595);
</code></pre>

<hr>
1.8.0 (2026-04-21T10:26:10Z, GaryAllan)
<pre class="notranslate"><code>Bugfixes:
----------------------------
+ PHP8 compatibility fixes;
+ Fixed passkeys upgrade queries;
+ MySQL no active transaction error during upgrades (#4319);
+ $config['disable_main_login_form'] shows blank page (#4317);
+ Unable to clear custom fields (#4313);
+ Modified the text shortening of subnet descriptions (#4279, #4280);
+ Slow UI performance with bootstrap v3.4.1 (#4311);
+ Workaround PHP bug GH-16870 (#4339);
+ Request new IP hangs (#4346);
+ Fixed required fields validation (#4328);
+ Can not empty address fields (#4322);
+ Rack module allows devices to exceed rack boundaries (#4423);
+ Rack dropdown providing option that is impossible (#4409);
+ API call to PATCH vlan fails with "Vlan name is required" (#1356);
+ Invalid content type when using API (#4168);
+ Deletion of Default L2domain permitted through API (#4419);
+ Empty POST to Devices API Controller produces a blank device (#4307);
+ jQuery error when adding an IP address range (#4350);
+ Request new IP hangs (#4346);

Enhancements, changes:
----------------------------
+ Don't update PowerDNS `change_date` removed in v2.1.9;
+ Added Isle of Man postcodes (#4318);
+ Adds search functionality for Devices (#4406);
+ Added `lastSeen` to IP Address export (#2433);
+ User and Edit IP instructions now use Markdown;
+ Make Rack Devices Clickable from picture (#2372);
+ Setting to enable/disable devices overlapping in racks (#4424);
+ Colorization of rack devices; devices can be deep (front &amp; back) of a rack (#4431);
+ Organize racks in a location using rows or rooms (#4433);
+ Support for embedding a rack into a rack, "Subrack" (#3069, #1552, #1623);
+ Added API locking methods (File, MySQL);

Security Fixes:
----------------------------
+ XSS - reflected via HTTP_X_FORWARDED_PORT;
+ XSS - Reflected in install scripts;
+ XSS - via unescaped DHCP Kea hostname;
+ XSS - Unsafe HTML allowed in Request IP Instructions;
+ XSS - Unsafe HTML allowed in Password vault;
+ Local exposure of DB credentials via mysqldump;
+ Added CSRF cookie for clear-changelog and clear-log;
+ Added CSRF cookie for data exports;
+ RCE - Authenticated remote code execution via ping_path;
+ SQL injection via subnetOrdering;
+ Missing admin authorization checks;
+ Missing module authorization checks;

Translations:
----------------------------
+ Updated Russian translation (#4489);
</code></pre>

<hr>
1.7.4 (2025-11-27T18:53:28Z, GaryAllan)
<pre class="notranslate"><code>Bugfixes:
----------------------------
+ Backported PHP8 compatibility fixes;
+ Can not empty address fields (#4322);
+ jQuery error when adding an IP address range (#4350);

Security Fixes:
----------------------------
+ Added CSRF cookie for clear-changelog and clear-log;
+ XSS - Reflected in install scripts;
+ XSS - Unsafe HTML allowed in Request IP Instructions;
+ XSS - Unsafe HTML allowed in Password vault;
+ Local exposure of DB credentials via mysqldump;
+ RCE - Authenticated remote code execution via ping_path;
</code></pre>

<hr>
1.7.3 (2024-11-27T21:26:11Z, GaryAllan)
<pre class="notranslate"><code>Bugfixes:
----------------------------
+ Backported PHP8 compatibility fixes;
+ Workaround PHP bug GH-16870 (#4339);
+ Request new IP hangs (#4346);
</code></pre>

<hr>
1.7.2 (2024-11-22T19:13:14Z, GaryAllan)
<pre class="notranslate"><code>Bugfixes:
----------------------------
+ Slow UI performance with bootstrap v3.4.1 (#4311);
</code></pre>

<hr>
1.7.1 (2024-11-17T21:39:09Z, GaryAllan)
<pre class="notranslate"><code>Bugfixes:
----------------------------
+ Backported PHP8 compatibility fixes;
+ Fixed passkeys upgrade queries;
+ MySQL no active transaction error during upgrades (#4319);
+ $config['disable_main_login_form'] shows blank page (#4317);
+ Unable to clear custom fields (#4313);

Security Fixes:
----------------------------
+ XSS - reflected via HTTP_X_FORWARDED_PORT;
</code></pre>

<hr>
1.7.0 (2024-10-30T21:35:04Z, GaryAllan)
<pre class="notranslate"><code>New features:
------------
+ php8.3 compatibility;
+ Added support for passkeys / passwordless logins;
+ API:
  + Added API changelog;

Bugfixes:
----------------------------
+ Fixed Use UTF-16LE encoding for XLS sheet names, and UTF-8 as input encoding (#3977);
+ Fixed Update login_form.php for installation inside subdir (#3954);
+ Fixed php8 constructor fix for radius class (#3985);
+ Fixed Force mac address update during status update scan (#3791);
+ Fixed RADIUS authentication fails on 1.6.0 (#3986);
+ Fixed cannot add NAT issue (#3993);
+ Fixed Various Linked Addresses issues (#3275, #4188, #4189, #3274);
+ Fixed Duplicates tool not finding ALL duplicates (#4161);
+ Fixes fetch_favourite_subnets function returns empty array instead of false (#4182);
+ Fixed Dashboard widget widths are not correct percentage (#4176);
+ Fixed remove_offline_addresses.php can't execute (#4173);
+ Fixed Searches do not properly organize results (#3917)
+ Fixed Expand/compress all folders not working properly (#3583);
+ Fixed Bug when adding a user to a group (#4137);
+ Fixed Password validation errors (#4099,#2423);
+ Fixed Ripe import results in jQuery error (#4007);
+ Fixed Ripe import crashes if too many subnets are found (#4180);
+ Fixed Devices with height 0 crash Rack image generation (#4193);
+ Fixed Custom field not working in Routing module (#4174);
+ Fixed Circuit Type showing differently in two windows (#4104);
+ Fixed Vault Item Custom Field not writable (#4058);
+ Fixed Undefined variable when adding nameserver (#4230);
+ Fixed Tag Management Color Picker (#3629);
+ Fixed Arrows for linked addresses do not match between themes (#4216);
* Fixed Captcha and invalid login checks (#3480, #4198);
+ Fixed 2FA TOTP validation issues (#3724);

Enhancements, changes:
----------------------------
+ Added support for redundant PowerDNS databases (#3981);
+ Added option to export data for VLAN,VRF and Devices directly from tools page;
+ Added option to disable OpenStreetMap address geoip lookups;
+ Added $api_stringify_results config.php option for &lt;PHP81 API backwards compatibility;
+ Added support for newly added widgets to be sortable with jQuery (#4711);
+ Added support for using widget parameters; added recent_logins widget (#4184);

Security Fixes:
----------------------------
+ Upgraded jQuery to 3.7.1;
+ Upgraded bootstrap to 3.4.1;
+ Upgraded jQuery-ui to 1.13.3;
+ Cookies set without Secure attribute;
+ Multiple XSS injections (#4145,#4146,#4147,#4148,#4149,#4150,#4151);
+ HTML DOM XSS injection via filenames when uploading (#4160);
+ Escape loaded database strings by default, stored XSS defence;
+ Increase minimum 2FA secret length to 32 (160bit);
+ Disable /app/install/ helper scripts via config.php $disable_installer;
+ LDAP user searches sent without ssl/tls;
</code></pre>

<hr>
1.6.1 (2024-10-29T21:26:56Z, GaryAllan)
<pre class="notranslate"><code>Bugfixes:
----------------------------
+ Fixed RADIUS authentication fails on 1.6.0 (#3986);
+ Fixed cannot add NAT issue (#3993);

Security Fixes:
----------------------------
+ Multiple XSS injections (#4145,#4146,#4147,#4148,#4149,#4150,#4151);
+ HTML DOM XSS injection via filenames when uploading (#4160);
+ Disable /app/install/ helper scripts via config.php $disable_installer;
</code></pre>

<hr>
1.6.0 (2023-12-13T11:57:37Z, phpipam)
<pre class="notranslate"><code>Enhancements, changes:
----------------------------
+ php8.3 compatibility;
+ MySQL 5.5.3+ is now required (support for utf8mb4);
+ Reverse-proxy users should review the new config.php $trust_x_forwarded_headers setting;

Security Fixes:
----------------------------
+ SQL injection in custom field enum/set types;
+ Directory traversal possible in RIPE query;
+ XSS (reflected) in 'bw-calulator-result.php';
+ XSS (reflected) by invalid email address response;
+ XSS (reflected) by /app/tools/subnet-masks/popup.php (#3738);
+ XSS (stored) in user widget settings;
+ XSS and LDAP injection in ad-search-result.php;
+ XSS and LDAP injection in ad-search-group-result.php;
+ Restrict find_full_subnets.php to CLI;
+ Ensure confidentiality of database password;
</code></pre>

<hr>
1.5.2 (2023-03-06T22:24:52Z, GaryAllan)
<pre class="notranslate"><code>Bugfixes:
----------------------------
Fixed MySQL server has gone away error (#3759);

Security Fixes:
----------------------------
+ SQL injection in custom field enum/set types;
+ Directory traversal possible in RIPE query;
+ XSS (reflected) by /app/tools/subnet-masks/popup.php (#3738);
+ XSS (stored) in user widget settings;
+ XSS and LDAP injection in ad-search-group-result.php;
</code></pre>