🚀 Flatboard 5.5.1 "AEGIS" — What's new since 5.4.1
This release series brings security hardening, major performance gains, a revamped search experience, and a handful of useful new features.

🔴 Security
- CSRF protection added to search, all Private Messaging write endpoints, FlatHome admin endpoints, and all plugin write actions (Impersonate, Reputation, TranslationManager)
- Open redirect via HTTP_REFERER patched
- Header injection in file downloads neutralized
- MX DNS validation at registration to block fake email addresses
- SSRF protection added to Logger webhook delivery
- Unsafe unserialize() replaced in ForumImporter (vBulletin)
⚡ Performance
- PermissionHelper results cached per request — eliminates ~12 redundant I/O reads per page load (e.g. for Private Messaging permission checks)
- Presence system rewritten with one file per user — no more write contention on the shared presence file under load
- FlatHome getAllPages() cached for the duration of each request
- Forum Monitoring — fatal memory exhaustion fixed, all 6 stat calls cached (5-min TTL), redundant file reads eliminated
- FlatModerationExtend storage reads cached within each request
- Shortcodes 918 no longer triggers a full post scan on cache miss
✨ New features
- Customizable homepage — admins can choose between latest discussions or the categories grid. /forums and /discussions always point to their respective views regardless of this setting.
- Plugin & theme compatibility system — incompatible plugins are auto-disabled at boot, flagged with a red badge, and admins receive a one-shot notification. Themes display a warning but are not auto-deactivated.
- Purge unverified accounts — via the admin Maintenance panel or php console.php cleanup:unverified-users [days]
- Admin users: filter by group — new dropdown in the users list filter bar
- Profile: unsubscribe button in the subscriptions tab
- Presence: page visit history per user (configurable size)
- Forum Monitoring (Pro) — active user cards now show recently visited pages
- Premium theme — full stats block (discussions, replies, members, online users) now visible in all sidebar views
🔎 Search overhaul
- Autocomplete now actually returns results
- Result count no longer capped at 20
- "Load more" works on the search results page
- Excerpts no longer show raw markdown or bleed inline formatting
- Search result cards are fully clickable
- Performance: sort → slice → format (was: format all matches, then sort)
🛠️ Other notable fixes
- System emails (verification, password reset, email change) now sent in the site language instead of always French
- EasyMDE draft auto-save no longer stores empty content
- Plugin updates — object arrays in plugin.json no longer duplicated on each update
- Private Messaging typing indicator now works correctly
- Unverified accounts no longer appear in member lists, stats, or latest member counts
- ForumImporter (Pro) — N+1 queries eliminated, memory usage reduced, pagination added for user imports, several importer-specific fixes
- Login redirect in subdirectory installs — post-login redirect now correctly lands on the subfolder root instead of the domain root
- remember_token cookie scope corrected for subdirectory installs
📋 Full changelog
The complete changelog with all technical details is available in the full changelog thread.
Thank you to everyone who reported bugs and contributed to this release. 🙏
Edited on Apr 18, 2026 By Fred .