PILOS 4.12.0

This update to PILOS v4 adds support for the Arabic locale and bumps dependencies.

---

To Install this version check our Getting Started Guide

---

Added

• Arabic locale (#2798) by @hassanalitamam

Fixed

• Pulse Dashboard not loading (#2809) by @samuelwei

New Contributors

• @hassanalitamam made their first contribution in #2798

Full Changelog: v4.11.0...v4.12.0

PILOS 4.11.0

This update to PILOS v4 enhances compatibility with BBB servers and load balancers, prevents room URLs shared on third-party websites from appearing in search engine results, and includes various bug fixes and dependency updates — including an upgrade to the BBB Recording Player.

---

To Install this version check our Getting Started Guide

---

Added

• Configurable hashing algorithm for BBB API signatures (#2765, #2766) by @samuelwei
• X-Robots-Tag: noindex header for all routes, excluding the landing page (#2770, #2789) by @samuelwei
• X-Robots-Tag: nofollow header for all routes (#2772, #2789) by @samuelwei

Changed

• External authentication routes behavior for authenticated users (#2751, #2752) by @samuelwei
• Bump redis version in docker compose files to redis 8 (#2767) by @samuelwei
• Docs: Bumped the recommended PostgreSQL version to v18 (#2769) by @samuelwei

Removed

• robots.txt file (#2789) by @samuelwei

Fixed

• Icon alignment inside room files tab (#2660, #2728) by @samuelwei
• Race condition during room start (#2742) by @samuelwei
• Remove unnecessary Content-Type header from GET requests to the BigBlueButton API (#2774, #2775) by @defnull

New Contributors

• @defnull made their first contribution in #2775

Full Changelog: v4.10.0...v4.11.0

PILOS 4.10.0

This update to PILOS v4 improves UX and bumps many dependencies, including the BBB Recording Player.

SECURITY
Due to the security vulnerability (CVE-2026-22800) that has been fixed, we recommend installing the update as soon as possible.

---

To Install this version check our Getting Started Guide

---

Added

• Tooltip for the room info button (#2576) by @samuelwei
• Buttons to only copy room link and room access code in room share popover (#1419, #2325) by @samuelwei

Changed

• Auto-reload of rooms now disabled for guests without access (#2588) by @samuelwei
• API request method from GET to POST to panic a server (d9ab9bb) by @samuelwei

Fixed

• Icon alignment inside room tabs (#2660, #2686) by @samuelwei

Full Changelog: v4.9.0...v4.10.0

PILOS 4.9.0

This update to PILOS v4 adds storage space to metrics, fixes multiple UI bugs, and bumps many dependencies, including the BBB Recording Player.

---

To Install this version check our Getting Started Guide

---

Added

• Storage space to metrics (#2345, #2604) by @Sabr1n4W
• Tooltips for icon-only menu bar items (#2575) by @samuelwei

Changed

• Sun & moon icon in the menu bar (#2575) by @samuelwei
• Hover style of buttons in room cards (#2577) by @samuelwei
• URL for loading BBB recording player resources (#2616) by @samuelwei

Fixed

• Uneven height of right menu bar items (#2575) by @samuelwei
• Emoji handling in user avatar (#2613) by @samuelwei

Full Changelog: v4.8.0...v4.9.0

PILOS 4.8.0

This update to PILOS v4 adds OpenID Connect as a new authentication option and offers additional options for customizing the user interface using custom CSS. It also fixes several minor bugs and implements security recommendations and fixes that were suggested during a penetration test conducted by a German state government.

Due to the security vulnerabilities that have been fixed, we recommend installing the update as soon as possible.

---

To Install this version check our Getting Started Guide

---

⚠️ Upgrading / Breaking Change

In previous NGINX reverse proxy configuration recomendations, the Host header was not explicitly set.
Due to an undocumented change in the Laravel framework, this now results in a “Bad Request” error.

Add the following line to your NGINX configuration:

proxy_set_header Host $host;

---

Added

• OpenID Connect authentication (#300, #2281) by @samuelwei
• Security header X-XSS-Protection (#2519) @samuelwei
• Security header Referrer-Policy (#2519) @samuelwei
• Docs: HTTP Strict Transport Security (HSTS) recommendations (#2519) @samuelwei
• Virus scan results to metrics (#2304) by @samuelwei
• Route-specific CSS classes to frontend pages (#2496, #2497) by @samuelwei
• Admin option to upload a custom CSS file (#2496, #2553, #2554) by @Sabr1n4W

Changed

• UX: Placeholder in room search box (#2383, #2449) by @samuelwei
• Upgraded to Tailwind CSS v4 and migrated styles from SASS to plain CSS (#2477) by @samuelwei and @Sabr1n4W
• PHP.ini defaults to align with OWASP recommendations (#2519) @samuelwei
• Security header X-Frame-Options value to DENY (#2519) @samuelwei
• Authenticator label texts and term in external authentication documentation (#2551) by @Sabr1n4W

Fixed

• Negative floating point number in room expire email (#2476, #2480) by @samuelwei
• Infinite loading when navigating back to rooms from BBB due to bfcache (#2313, #2319) by @samuelwei
• Broken dark mode after using room utilisation statistic dialog (#2478, #2479) by @samuelwei
• BBB waiting room integration tests (#2517) by @samuelwei

Security

• Regenerate session after password change (#2519) @samuelwei
• Removed unused CORS header (#2519) @samuelwei
• Removed PHP version header (#2519) @samuelwei

Full Changelog: v4.7.1...v4.8.0

PILOS 4.7.1

This update of PILOS v4 fixes an issue with legacy 6-digit access codes and updates dependencies.

---

To Install this version check our Getting Started Guide

---

Changed

• Value range and randomness of access code generation (#2433) by @samuelwei

Fixed

• Support for legacy 6-digit access codes imported from Greenlight v2 (#2433) by @samuelwei

Full Changelog: v4.7.0...v4.7.1

PILOS 4.7.0

This update of PILOS v4 adds virus scanning and Prometheus metrics, as well as multiple other small UX improvements and bug fixes.

SECURITY
This release updates livewire to address CVE-2025-54068, CVSS 9.2 (CRITICAL). It is currently unclear whether PILOS is affected or not, but we strongly encouraged to update as soon as possible.

---

To Install this version check our Getting Started Guide

---

Added

• Show meeting ended reason (#2223) by @samuelwei
• Show BBB join errors (#2223) by @samuelwei
• Pass color-scheme preference to BigBlueButton (#2153, #2154) by @danielmachill, @achtadef
• Metrics endpoint (/metrics) (#2165) by @samuelwei
• Virus Scanning using ClamAV for all file uploads (#77, #1133) by @samuelwei

Fixed

• Logout session_expired warning message style (68abce8) by @samuelwei
• Show unavailable room types in create room dialog (#2265, #2279) by @samuelwei
• Show unavailable room types in change room type dialog (#2265, #2279) by @samuelwei
• Infinite loading when navigating back after logout redirect due to bfcache (#2282) by @samuelwei

Full Changelog: v4.6.1...v4.7.0

PILOS 4.6.1

This update of PILOS v4 resolves an issue where join parameters in the global streaming settings could not be cleared. It also includes internal code improvements and updated dependencies.

---

To Install this version check our Getting Started Guide

---

Fixed

• Allow global streaming join parameters to be empty (#2222) by @samuelwei

Full Changelog: v4.6.0...v4.6.1

PILOS 4.6.0

This update of PILOS v4 brings a few small improvements: user profile pictures and last login timestamps are shown in the admin UI and room types can now be configured with custom join parameters.

---

To Install this version check our Getting Started Guide

---

Added

• User pictures to the admin user list (#2131) @q16marvin
• Last login datetime to the database (#2150) @samuelwei
• Last login datetime to the admin user list (#2132, #2150) @samuelwei
• Custom join parameters in room type settings (#2099, #2151) @samuelwei

Fixed

• Container restart (#2134) @samuelwei

Full Changelog: v4.5.0...v4.6.0

PILOS 4.5.0

This update of PILOS v4 several key enhancements: a new optional feature for livestreaming BigBlueButton (BBB) meetings, additional options for configuring TLS handling in SMTP connections, and support for the Persian (Farsi) locale with right-to-left (RTL) layout and a fully translated locale selector.

---

To Install this version check our Getting Started Guide

---

Added

• Environment variable MAIL_AUTO_TLS to disable automatic TLS for SMTP servers with STARTTLS support (#2033) @samuelwei
• Environment variable MAIL_VERIFY_PEER to disable TLS Peer Verification for SMTP(S) (#2033) @samuelwei
• Environment variable MAIL_SCHEME to set a specific mail protocol smtp or smtps (#2033) @samuelwei
• Right-to-left (RTL) locale support (#2065) @samuelwei
• Translation to locale selector (#2079) @samuelwei
• Transition and animation for dark mode toggle (#2082) @samuelwei
• Logo for dark mode in BBB (#1399) @samuelwei
• Livestreaming BigBlueButton meetings to an RTMP endpoint via the BBB-Streaming-Server (#1697) @samuelwei
• Persian/Farsi locale
• Sync profile image from LDAP (#1994, #1997) @q16marvin and @samuelwei

Fixed

• Running BBB playback player build script in BusyBox (#2053) @pizkaz

Removed

• Environment variable MAIL_ENCRYPTION, use MAIL_SCHEME instead (#2033) @samuelwei

Full Changelog: v4.4.0...v4.5.0

---

New Contributors

• @q16marvin made their first contribution in #1997