| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| BunkerWeb_documentation_v1.6.12.pdf | 2026-07-02 | 24.1 MB | |
| install-bunkerweb.sh | 2026-07-02 | 350.9 kB | |
| install-bunkerweb.sh.sha256 | 2026-07-02 | 87 Bytes | |
| README.md | 2026-07-02 | 7.4 kB | |
| v1.6.12 source code.tar.gz | 2026-07-02 | 101.2 MB | |
| v1.6.12 source code.zip | 2026-07-02 | 106.6 MB | |
| Totals: 6 Items | | 232.2 MB | 3 |
Documentation : https://docs.bunkerweb.io/1.6.12/
Docker tags :
- All-in-one : `bunkerity/bunkerweb-all-in-one:1.6.12` or `ghcr.io/bunkerity/bunkerweb-all-in-one:1.6.12`
- BunkerWeb : `bunkerity/bunkerweb:1.6.12` or `ghcr.io/bunkerity/bunkerweb:1.6.12`
- Scheduler : `bunkerity/bunkerweb-scheduler:1.6.12` or `ghcr.io/bunkerity/bunkerweb-scheduler:1.6.12`
- Autoconf : `bunkerity/bunkerweb-autoconf:1.6.12` or `ghcr.io/bunkerity/bunkerweb-autoconf:1.6.12`
- UI : `bunkerity/bunkerweb-ui:1.6.12` or `ghcr.io/bunkerity/bunkerweb-ui:1.6.12`
- API : `bunkerity/bunkerweb-api:1.6.12` or `ghcr.io/bunkerity/bunkerweb-api:1.6.12`
Linux packages : https://packagecloud.io/app/bunkerity/bunkerweb/search?q=1.6.12&filter=all&dist=
Changelog :
v1.6.12 - 2026/06/??
Security
- nginx: updated NGINX to `1.30.3` to fix:
  - CVE-2026-42055: heap buffer overflow in `ngx_http_proxy_v2_module` / `ngx_http_grpc_module`
  - CVE-2026-48142: heap buffer overread in `ngx_http_charset_module`
- api: hardened Biscuit token generation by binding Host header, client IP and username as typed terms, preventing signed Datalog fact injection. Added optional `API_ALLOWED_HOSTS`.
- api: `API_ACL_BOOTSTRAP_FILE` now validates supplied bcrypt hashes and rejects weak or malformed values.
- antibot: Cap.js challenge now uses a strict per-request CSP nonce and sends `Cache-Control: no-store`.
- antibot: fixed an open redirect in the post-challenge redirect flow by enforcing same-origin relative paths.
- ui: fixed session fixation on login by rotating the session ID on every authentication.
- ui: fixed open redirect via the post-login `next` parameter.
- ui: password changes now revoke the user’s other active sessions.
- ui: cache deletion routes now enforce Biscuit authorization.
- ui: improved hostname and ban-scope validation.
- ui: extended CSV/XLSX formula-injection protection to tab and carriage-return-prefixed cells.
- linux: uninstall hooks now preserve logs, configs, databases and backups unless purge is explicitly requested; upgrade backups moved to `/var/backups/bunkerweb`.
Features & Improvements
- reverseproxy: added upstream HTTPS certificate verification with:
  - `REVERSE_PROXY_SSL_VERIFY`
  - `REVERSE_PROXY_SSL_VERIFY_DEPTH`
  - `REVERSE_PROXY_SSL_TRUSTED_CERTIFICATE`
  - `REVERSE_PROXY_SSL_TRUSTED_CERTIFICATE_DATA`
  - `REVERSE_PROXY_SSL_TRUSTED_CERTIFICATE_PRIORITY`
- antibot: `ANTIBOT_IGNORE_URI` can now match full request URIs, including query strings.
- scheduler: added `SCHEDULER_MAX_WORKERS` to cap the job-executor thread pool and reduce database pool pressure.
- ui: `ADMIN_PASSWORD` can now accept pre-hashed bcrypt values.
- ui: logs viewer overhaul:
  - syntax highlighting for BunkerWeb, certbot and NGINX access logs
  - severity filters with counts
  - in-page search and error navigation
  - live-tail with pause and new-line indicator
  - download/copy actions
  - optional local-time display
  - collapsible multi-line entries
  - improved mobile toolbar layout
- ui: RAW config editor can now fold multi-line file settings, such as certificates and keys.
- mtls: added `MTLS_URL_n` regex setting to enforce mTLS per path instead of site-wide.
- bunkernet UI: improved status reporting with Connected / API unreachable / Not registered states, masked instance ID and disk self-heal.
Bug Fixes
- letsencrypt: fixed cache poisoning that could cause fleet-wide `certbot AccountNotFound`.
- letsencrypt: fixed scheduler/UI cache-row write race by sharing one `fcntl.flock`.
- letsencrypt: fixed Route53 auto-renewal when explicit AWS credentials are used.
- letsencrypt: fixed stale ACME account recovery when `LETS_ENCRYPT_CONCURRENT_REQUESTS=yes`.
- letsencrypt UI: deleting a certificate no longer fails when unrelated orphaned certificates are present.
- antibot: after solving a challenge, Chrome now returns to the originally requested URL instead of `/`.
- api: malformed `API_ALLOWED_HOSTS` wildcards no longer brick the API on every request.
- datastore: changing `DATASTORE_LRU_SIZE` no longer causes worker API HTTP 444 bootstrap deadlocks.
- database: fixed rc1 regression that reset UI/API-saved settings to defaults after scheduler restart.
- database: env vars no longer stay shadowed after a setting was touched in the UI/API.
- database: multisite env settings for DB-created services are no longer dropped as unknown globals.
- ssl: `SSL_ECDH_CURVE=auto` no longer emits `X25519` on FIPS OpenSSL.
- autoconf: service labels are rechecked when valid settings change, such as after PRO plugin or external plugin installation.
- logger: unreachable `LOG_SYSLOG_ADDRESS` no longer crash-loops scheduler and UI processes.
- installer: testing/dev install script is now idempotent and avoids duplicating `force-bad-version`.
- ci: Testing release install script now defaults to the testing channel.
- ui: Setup Wizard now shows a Log Out button when reached while already authenticated.
- ui: RAW mode no longer breaks multi-line file settings such as PEM certificates and keys.
- ui: `/home`, `/reports` and `/bans` load much faster on Redis-backed setups.
- ui: static assets no longer trigger the full per-request lifecycle.
- ui: form-builder no longer creates phantom `method=ui` rows on no-op saves.
- ui/api: fixed possible login lockout with bcrypt `5.0.0` and passwords over 72 bytes.
- ui: fixed dark/light theme flicker and wrong-theme-on-load.
- ui: fixed plugin metrics crashes on Redis-backed setups.
- limit: fixed spurious HTTP/3 `429` responses by separating HTTP/1, HTTP/2 and HTTP/3 connection limits.
- customcert: expired or soon-to-expire custom certificates are now accepted if they are valid X.509 certificates.
Linux & Packaging
- Fedora 43 and 44 now use NGINX `1.30.3`.
- Ubuntu Pro/ESM installs now use the upstream CrowdSec engine instead of the outdated ESM build.
- Added Ubuntu 26.04 Resolute Raccoon package target.
- Ubuntu 24.04 Noble moved to the `ubuntu-noble` identifier.
- Ubuntu 22.04 Jammy remains available as `ubuntu-jammy`.
Dependencies
- Updated `headers-more-nginx-module` to `0.40`.
- Updated `lua-cjson` to `2.1.0.18`.
- Updated `lua-resty-signal` to `0.05`.
- Updated `lua-resty-string` to `0.19`.
- Updated `lua-upstream-nginx-module` to `0.08`.
- Updated `LuaJIT` to `2.1-20260701`.
- Updated `ModSecurity` to `3.0.16`.
- Updated `lua-resty-openssl` to `1.8.0`.
- Updated `coreruleset-v4` to `4.27.0`.
- Updated UI dependencies:
  - jQuery `4.0.0`
  - Bootstrap `5.3.8`
  - DataTables `2.3.8`
  - Ace editor `1.44.0`
  - ApexCharts.js `5.15.0`
  - DOMPurify `3.4.11`
  - i18next `26.3.1`
  - i18next-http-backend `4.0.0`
  - Perfect Scrollbar `1.5.6`
  - lottie-player `2.0.12`
  - canvas-confetti `1.9.4`
  - ipaddr.js `2.4.0`
- Updated build tooling:
  - cssnano `8.0.2`
  - domino `2.1.7`
  - removed unused root `jquery` dependency
Contributions
- Thanks to @Cleverguns for the Filipino / Tagalog web UI translation.
- Thanks to @ray910408 for refreshing `src/deps` npm build-tool dependencies.
- Thanks to @immanuwell for parsing the `DEBUG` environment variable as a boolean in the Gunicorn configuration.