What's New in ProjectSend r2029

A security-focused release with four CVE fixes, TOTP authenticator app support, improved error pages, an in-app changelog viewer, and a complete GitHub presence refresh

New Features

New functionality that expands what ProjectSend can do for you and your clients.

TOTP Two-Factor Authentication
Users can now set up an authenticator app (Google Authenticator, Authy, and others) as a second factor. Includes a QR code setup flow, login-time verification form, and an admin toggle in security settings. Works alongside the existing email-based 2FA method.
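The verification side of the authenticator-app flow, as an added example that is not ProjectSend's own code: it implements RFC 4226 HOTP and RFC 6238 TOTP with PHP's standard functions only, checks the submitted code against one time step of drift either way, and refuses a counter that was already used. The base32 decoder, the one-step window, the replay rule and the helper names are assumptions chosen for illustration; the secret and expected code in the demo come from the RFC 6238 test vectors.

```php
<?php
// Added example (not ProjectSend's own code): TOTP verification per RFC 6238.
// Window size, replay policy and function names are assumptions.

declare(strict_types=1);

/** Decode an RFC 4648 base32 string (padding optional) to raw bytes. */
function base32_decode_strict(string $input): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $input = strtoupper(rtrim($input, '='));
    $bits = '';
    foreach (str_split($input) as $ch) {
        $pos = strpos($alphabet, $ch);
        if ($pos === false) {
            throw new InvalidArgumentException('Invalid base32 character');
        }
        $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
    }
    $bytes = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) {          // drop trailing partial byte
            $bytes .= chr(bindec($chunk));
        }
    }
    return $bytes;
}

/** HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated. */
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $hash   = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hash[19]) & 0x0F;
    $code   = ((ord($hash[$offset]) & 0x7F) << 24)
            | (ord($hash[$offset + 1]) << 16)
            | (ord($hash[$offset + 2]) << 8)
            |  ord($hash[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** TOTP (RFC 6238): HOTP over the current 30-second time step. */
function totp(string $secret, int $timestamp, int $step = 30): string
{
    return hotp($secret, intdiv($timestamp, $step));
}

/**
 * Verify a submitted 6-digit code. Accepts one step of clock drift either way
 * and never accepts a counter at or below the last one already used, so the
 * same code cannot be replayed (assumed policy). Returns the matching counter
 * for the caller to persist, or null on failure.
 */
function verify_totp(string $base32Secret, string $submitted, int $now, ?int $lastUsedCounter = null, int $window = 1): ?int
{
    if (!preg_match('/^\d{6}$/', $submitted)) {
        return null;
    }
    $secret  = base32_decode_strict($base32Secret);
    $counter = intdiv($now, 30);
    for ($i = -$window; $i <= $window; $i++) {
        $c = $counter + $i;
        if ($lastUsedCounter !== null && $c <= $lastUsedCounter) {
            continue;                        // already consumed
        }
        if (hash_equals(hotp($secret, $c), $submitted)) {   // constant-time compare
            return $c;
        }
    }
    return null;
}

// RFC 6238 Appendix B vector: key "12345678901234567890" (base32 below), time 59, SHA1.
$rfcSecret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
$rfcCode   = '287082';
var_dump(totp(base32_decode_strict($rfcSecret), 59) === $rfcCode);
var_dump(verify_totp($rfcSecret, $rfcCode, 59) !== null);       // fresh code accepted
var_dump(verify_totp($rfcSecret, $rfcCode, 59, 1) === null);    // counter 1 already used: rejected
```

Two details matter in practice: the comparison uses hash_equals() so a wrong code takes the same time as a right one, and the stored last-used counter is what turns a 30-second code into a single-use code. Rate-limit the verification form as well, since a six-digit space is small enough to brute-force without a lockout.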
In-App Changelog Viewer
After a database upgrade, the upgrade notice now includes a "See what's new" link that opens a modal with the full release changelog rendered from Markdown — no need to leave the admin panel.

Security Updates

Four vulnerabilities patched in this release, three of which were responsibly disclosed by independent security researchers.

Fix Stored XSS via Event Handler Attributes
strip_tags() with an allowlist preserved event handler attributes (onfocus, onmouseover, etc.) on allowed tags when rendering file and group descriptions. All attributes are now stripped from allowed tags, keeping only bare formatting markup. Thanks to Ace Jaggi and Robert van Eijk for responsible disclosure.
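The weak and hardened sanitizers side by side, as an added example that is not ProjectSend's own code: the first shows that strip_tags() with an allowlist leaves an onmouseover handler in place, the second strips the disallowed tags and then drops every attribute from whatever elements remain, using DOMDocument so quoting tricks inside attributes do not matter. The allowed tag list, the function names and the sample description are constructed for the demonstration.

```php
<?php
// Added example (not ProjectSend's own code): why a strip_tags() allowlist is
// not enough, and one way to strip every attribute from the surviving tags.
// ALLOWED_TAGS and the sample input are constructed.

declare(strict_types=1);

const ALLOWED_TAGS = '<b><i><u><strong><em><p><br>';

/** Weak: disallowed tags go, but attributes on allowed tags stay intact. */
function sanitize_description_weak(string $html): string
{
    return strip_tags($html, ALLOWED_TAGS);
}

/** Hardened: strip tags, then parse the remainder and remove all attributes. */
function sanitize_description(string $html): string
{
    $stripped = strip_tags($html, ALLOWED_TAGS);
    if (trim($stripped) === '') {
        return '';
    }

    $prev = libxml_use_internal_errors(true);   // malformed input is expected here
    $doc  = new DOMDocument();
    // The XML declaration forces UTF-8 decoding; the wrapper div gives the fragment one root.
    $doc->loadHTML(
        '<?xml encoding="utf-8"?><div>' . $stripped . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    // XPath returns a static snapshot, so removing while iterating is safe.
    foreach ((new DOMXPath($doc))->query('//@*') as $attr) {
        $attr->ownerElement->removeAttributeNode($attr);
    }

    // The first div in document order is our wrapper (div is not an allowed tag).
    $wrapper = $doc->getElementsByTagName('div')->item(0);
    $out = '';
    foreach ($wrapper->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample: a file description carrying an event handler and an inline style.
$description = '<b onmouseover="alert(document.cookie)">Q3 report</b> '
             . '<script>alert(1)</script><i style="color:red">draft</i>';

echo 'weak:     ', sanitize_description_weak($description), PHP_EOL;   // handler still present
echo 'hardened: ', sanitize_description($description), PHP_EOL;        // bare <b> and <i> only
```

Re-serialising through the DOM also escapes stray ampersands and angle brackets in the text nodes, so the output is safe to echo into an HTML context without further encoding. It is not safe for attribute or JavaScript contexts; those still need their own encoding.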
Harden Session Cookies
Added HttpOnly, Secure (on HTTPS), and SameSite=Lax flags to session cookies to prevent JavaScript from reading them and reduce the window for session hijacking via XSS. Thanks to Ace Jaggi and Robert van Eijk for responsible disclosure.
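The cookie configuration this describes, as an added example that is not ProjectSend's own code: the defaults PHP ships with set none of these flags, the hardened call sets all of them before session_start(), and a small check function lets a deployment confirm what it ended up with. The HTTPS detection helper and the check function are assumptions.

```php
<?php
// Added example (not ProjectSend's own code): session cookie flags set before
// session_start(). request_is_https() and session_cookie_is_hardened() are assumptions.

declare(strict_types=1);

/** Best-effort check that this request arrived over TLS. */
function request_is_https(array $server): bool
{
    return (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off')
        || (int) ($server['SERVER_PORT'] ?? 0) === 443;
}

// Weak: relying on PHP's defaults, which leave httponly off, secure off and
// samesite unset, so document.cookie can read the id and cross-site requests carry it.
//   session_start();

// Hardened: every flag explicit. Secure is tied to HTTPS because a Secure
// cookie is never sent over plain HTTP, which would break logins on HTTP-only setups.
session_set_cookie_params([
    'lifetime' => 0,                           // cleared when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => request_is_https($_SERVER),
    'httponly' => true,                        // not readable by document.cookie
    'samesite' => 'Lax',                       // withheld on cross-site POSTs and subresource loads
]);
session_start();

/** Returns true when the active cookie parameters match the hardened policy. */
function session_cookie_is_hardened(array $params, bool $https): bool
{
    return ($params['httponly'] ?? false) === true
        && ($params['secure'] ?? false) === $https
        && strcasecmp((string) ($params['samesite'] ?? ''), 'Lax') === 0;
}

var_dump(session_cookie_is_hardened(session_get_cookie_params(), request_is_https($_SERVER)));
```

HttpOnly stops a script from reading the session id, but an XSS payload running in the victim's tab can still send requests with the cookie attached, which is why the XSS fix above and this hardening belong together. SameSite=Lax limits what a cross-site page can trigger but is not a substitute for CSRF tokens on state-changing requests.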
Restrict Auto-Update Downloads to Official Server
The updater previously accepted any syntactically valid URL, allowing a crafted request to fetch and install a malicious archive. Now only HTTPS downloads from projectsend.org are accepted. Thanks to Ace Jaggi and Robert van Eijk for responsible disclosure.
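An allowlisting validator for the download URL, as an added example that is not ProjectSend's own code: the weak check accepts anything filter_var() considers a URL, the hardened one requires the https scheme, an exact host match, no embedded credentials or explicit port, and a path shaped like a release archive. The exact host (no subdomains), the .zip path rule and the sample URLs are assumptions made for the demonstration.

```php
<?php
// Added example (not ProjectSend's own code): restricting an updater to one
// official origin. UPDATE_HOST handling, the path rule and the samples are assumptions.

declare(strict_types=1);

const UPDATE_HOST = 'projectsend.org';

/** Weak: any syntactically valid URL passes, whatever host it points at. */
function is_valid_update_url_weak(string $url): bool
{
    return filter_var($url, FILTER_VALIDATE_URL) !== false;
}

/** Hardened: scheme, exact host, no credentials/port, archive-shaped path. */
function is_valid_update_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return false;                                   // no plaintext downloads
    }
    if (strtolower($parts['host']) !== UPDATE_HOST) {
        return false;                                   // exact match, no look-alike suffixes
    }
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return false;                                   // user@host tricks and odd ports
    }
    $path = $parts['path'] ?? '';
    return preg_match('#^/[A-Za-z0-9._/-]+\.zip$#', $path) === 1
        && !str_contains($path, '..');
}

// Constructed samples: one legitimate shape, then the kinds of input a
// syntactic check lets through.
$samples = [
    'https://projectsend.org/releases/projectsend-r2029.zip',
    'http://projectsend.org/releases/projectsend-r2029.zip',
    'https://projectsend.org.attacker.example/update.zip',
    'https://projectsend.org@attacker.example/update.zip',
    'https://attacker.example/projectsend.org/update.zip',
];
foreach ($samples as $url) {
    printf(
        "%-56s weak=%-5s hardened=%s\n",
        $url,
        var_export(is_valid_update_url_weak($url), true),
        var_export(is_valid_update_url($url), true)
    );
}
```

Validating the URL is only the first gate: if the HTTP client follows redirects, a response from the official host can still send the download elsewhere, so either disable redirect following or re-run this check on every redirect target before the archive is extracted.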
Fix CSRF on File Upload Endpoint
The upload endpoint bypassed CSRF validation via a constant flag, allowing a malicious page to trigger file uploads using an authenticated user's session. The bypass has been removed and the CSRF token is now sent with every Plupload chunk. Thanks to @Executio, @0xHamy, and vuldb.com for responsible disclosure.
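The server side of that fix, as an added example that is not ProjectSend's own code: the weak handler carries a flag that disables the check, the hardened one has no such flag and validates the token on every chunk with a constant-time comparison. The field name, session key, handler names and the constructed chunk requests are assumptions; the client side is described in the usage note rather than shown, since the point here is that nothing on the server can switch the check off.

```php
<?php
// Added example (not ProjectSend's own code): CSRF validation that applies to
// every chunk of a chunked upload. CSRF_FIELD and the handler names are assumptions.

declare(strict_types=1);

const CSRF_FIELD = 'csrf_token';

/** Issue (or reuse) the per-session token that forms embed in a hidden field. */
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_FIELD])) {
        $session[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_FIELD];
}

/** Constant-time comparison of the submitted token with the session token. */
function csrf_valid(array $post, array $session): bool
{
    $expected = $session[CSRF_FIELD] ?? '';
    $given    = $post[CSRF_FIELD] ?? '';
    return is_string($expected) && is_string($given)
        && $expected !== '' && hash_equals($expected, $given);
}

/** Weak pattern: a constant flag that skips the check for this endpoint. */
function upload_chunk_weak(array $post, array $session, bool $skipCsrf = true): string
{
    if (!$skipCsrf && !csrf_valid($post, $session)) {
        return 'rejected';
    }
    return 'stored chunk ' . ($post['chunk'] ?? '0');
}

/** Hardened: no bypass; every chunk must carry a valid token or it is refused. */
function upload_chunk(array $post, array $session): string
{
    if (!csrf_valid($post, $session)) {
        return 'rejected';                     // respond 403 in a web context
    }
    return 'stored chunk ' . ($post['chunk'] ?? '0');
}

// Constructed session and requests. Chunk 1 arrives without a token, which is
// what a forged cross-site request looks like: the token lives in the victim's
// page and session, where another origin cannot read it.
$session = [];
$token   = csrf_token($session);
$chunk0  = ['chunk' => '0', 'chunks' => '2', CSRF_FIELD => $token];
$chunk1  = ['chunk' => '1', 'chunks' => '2'];

echo 'weak,     chunk 1: ', upload_chunk_weak($chunk1, $session), PHP_EOL;  // accepted despite no token
echo 'hardened, chunk 0: ', upload_chunk($chunk0, $session), PHP_EOL;
echo 'hardened, chunk 1: ', upload_chunk($chunk1, $session), PHP_EOL;       // refused
```

On the client, Plupload's multipart_params option adds form fields to every chunk request it sends, so placing the token there is the usual way to satisfy a per-chunk check; whatever the client does, the server should refuse any chunk that arrives without it rather than validating only the first.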

Improvements

Quality-of-life improvements across the admin panel, updater, and error handling.

Redesigned Error Pages
Each error type now shows a relevant icon, a descriptive subtitle, and a "Return to homepage" link. HTTP codes 400, 410, and 500 now route to the correct error page instead of silently falling through to 403.
PHP Version Pre-Check in Auto-Updater
The updater now validates that the server's PHP version meets the minimum requirement before proceeding, preventing updates from breaking installations running older PHP. Fixes #1536.
Refreshed GitHub Presence
Rewrote the README with screenshots, a comparison table, and a feature list. Added structured issue templates for bug reports and feature requests to guide contributors and support questions.

Bug Fixes

Fixes for regressions introduced in recent releases.

Fix 403 on All Downloads
The $allowed_levels definition was accidentally removed from process.php in a previous commit, causing all file download and zip requests to return a 403 for every user.

Maintenance

Code quality and CI improvements for a healthier codebase going forward.

PHP 8.2 Minimum — CI Updated
CI workflows now target PHP 8.2–8.4 only, and Node 16 has been replaced with Node 22. Comprehensive PHPStan type hints were added across the Auth, AutoUpdate, Download, Encryption, Files, Folders, S3Storage, and Users classes.

Ready to Upgrade to r2029?

Stronger security, authenticator app support, and a cleaner admin experience await