What's New in ProjectSend r1994

A stability-focused release with critical security patches, improved compatibility, and over 20 bug fixes addressing issues reported by the community

Security Updates

Multiple dependency updates and security hardening to keep your installation protected against known vulnerabilities.

AWS SDK Update (CVE-2025-14761)
Updated aws/aws-sdk-php to patch a security vulnerability
Axios Update (CVE-2026-25639)
Fixed Denial of Service vulnerability via prototype pollution in request configuration
Build Toolchain Cleanup
Removed vulnerable babel-traverse (CVE-2023-45133), updated gulp to v5 fixing braces (CVE-2024-4068) and minimatch (CVE-2026-27903)
Encryption Safety
Prevent file encryption when encryption key is not configured, and fix file preview exposing direct URLs

Compatibility Improvements

Important fixes for environments that were broken in r1945, including MySQL 5.7 support and HTTPS reverse proxy configurations.

MySQL 5.7 Support Restored
Replaced MySQL 8.0-only recursive CTE with PHP-based parent folder traversal, restoring compatibility with MySQL 5.7 and MariaDB
HTTPS Reverse Proxy Support
Detect HTTPS via X-Forwarded-Proto, X-Forwarded-SSL, and SERVER_PORT headers, fixing mixed content errors behind reverse proxies like nginx and HAProxy
Fresh Install Stability
Fixed crash when accessing pages before running the installer, and fixed database migration failures with non-standard foreign key names
Local S3-Compatible Storage
Extended Amazon S3 storage to support local and custom S3-compatible instances like MinIO

Bug Fixes

Over 20 bug fixes addressing issues reported by the community since r1945, improving reliability across authentication, file management, notifications, and the admin interface.

Authentication & Users

Client Login with Password Change
Fixed 403 error when new clients sign in with "require password change" enabled
Remember Me with 2FA
Fixed "remember me" not working when two-factor authentication is enabled
Client & Role Management
Fixed client creation failing in r1945, "cannot delete own account" error, permissions not saving for existing roles, and social login issues

File Management & Uploads

Encrypted Downloads
Fixed encrypted file downloads returning scrambled data when using X-Accel-Redirect (nginx)
Disk Quota Display
Fixed disk quota and max file size showing incorrect values on the clients list due to a PHP type coercion issue
Multi-File Upload Performance
Session lock released early during uploads preventing blocking, plus fixes for error handling and file processing order

Notifications & Email

Duplicate Notifications
Fixed "new file" notifications being re-sent to all assigned clients when editing file properties like public download toggle
Email Template Variables
Fixed {{SYSTEM_NAME}}, {{SYSTEM_URI}}, {{CURRENT_YEAR}} and {{EMAIL_TITLE}} not being replaced in custom email header and footer

Templates & UI

Upload Icon Visibility
Fixed upload icon remaining visible in Business Professional, Drive, Dark Cards, and Gallery templates when file uploads are disabled for clients
Missing Security Settings
Fixed missing optional fields in the Security settings page

Dependencies & Maintenance

Chart.js 4.5.0
Upgraded Chart.js to version 4.5.0 with updated configurations for compatibility
SMTP Default Port
Added default SMTP port selection when changing authentication method, and fixed port not being defined in some configurations
Updated Translations
Updated translation files and various configuration file improvements

Ready to Upgrade to r1994?

A more stable, secure, and compatible ProjectSend is waiting for you

Download r1994 Upgrade Guide View on GitHub