Dispatcharr Files

✨ New Features

User Stream Limits

• Administrators can now set a maximum number of concurrent streams per user account, giving greater control over how resources are shared across users. (Closes [#544])
• Each user account has a new Stream Limit field (0 = unlimited), configurable in Settings → Users.
• Global enforcement behavior is configurable in Settings → User Limits:
• Terminate on Limit Exceeded: automatically end an existing stream to make room when a user's limit is reached, rather than rejecting the new connection.
• Terminate Oldest / Newest: choose which existing stream to free when a slot is needed.
• Prioritize Single-Client Channels: prefer freeing streams on channels only that user is watching.
• Ignore Same-Channel Connections: count multiple connections to the same live channel as one stream toward the limit.

Username Display on Stats Page

• The Stats page now shows the username of each connected user alongside their connection details. (Closes [#766], Closes [#586])
• For live channel connections, a User column appears between IP Address and Connected.
• For VOD connections, the username is shown inline next to the IP address.
• Live channel previews started from the web UI now appear on the Stats page with the correct username rather than as an unknown user.
• Webhook and script integrations receive the connected username in client_connect and client_disconnect system events.

TLS/mTLS Support for Redis & PostgreSQL (Modular Deployments)

• Modular deployments now support encrypted connections to Redis and PostgreSQL, including mutual TLS (mTLS) with client certificate authentication. (Closes [#950]) — Thanks @CodeBormen
• Configured via environment variables in the docker compose file. A read-only Connection Security panel is available in System Settings to view the current TLS configuration.
• Startup validation catches missing certificate paths and configuration conflicts before the application starts.

Status Filter for M3U Group & VOD Category Modals

• The M3U Group Filter and VOD Category Filter modals now include an All / Enabled / Disabled filter alongside the existing text search. (Closes [#312])
• The "Select Visible" / "Deselect Visible" buttons respect the active filter, so bulk actions only apply to the currently visible subset.

Donate Button & Version Copy

• A donate button (heart icon) has been added to the sidebar footer, linking to the project's Open Collective page. Visible in both expanded and collapsed sidebar states; hovering shows a "Support Dispatcharr" tooltip.
• The version string in the sidebar footer is now clickable — click it to copy the version to your clipboard.

🔄 Changes & Improvements

M3U Profile URL Rewriting: Simple Mode

• The M3U Profile form for Xtream Codes accounts now offers a Simple / Advanced mode toggle for credential-based URL rewriting.
• In Simple mode, enter just a new username and password — the search and replace patterns are built automatically from the account's current credentials.
• Advanced mode continues to expose the full regex fields for custom patterns.
• Existing profiles are automatically detected as Simple if their search pattern matches the account's current credentials.

M3U Max Streams Column

• The Max Streams column in the M3U accounts table now shows the combined total across all active profiles for that account. (Closes [#816])
• When multiple active profiles are present, the column displays their summed total (or ∞ if any profile is unlimited), with a hover tooltip listing each profile's individual limit by name.
• Toggling a profile's active state immediately updates the total without requiring a page reload.
• The Max Streams field in the M3U account form has been changed from a text input to a number input with increment/decrement controls.

Network Access Settings

• Leaving a Network Access settings field blank no longer shows a validation error. The default CIDR range is saved automatically and a "Defaults Restored" warning lists which fields were reset. (Closes [#726])

XtreamCodes VOD Streaming

• XtreamCodes VOD requests (/movie/ and /series/) are now handled directly by the proxy rather than redirecting clients to a separate URL. The original XC path is preserved throughout the stream.

Dependency Updates

• requests 2.32.5 → 2.33.0 (security patch; see Security section)
• celery 5.6.2 → 5.6.3
• torch 2.10.0+cpu → 2.11.0+cpu
• sentence-transformers 5.2.3 → 5.3.0
• yt-dlp 2026.3.13 → 2026.3.17

Docker Base Image Cleanup

• Removed outdated system Python packages from the Docker base image that were pulling stale library versions into the system Python environment despite the application running entirely in its own managed virtual environment.

🐛 Bug Fixes

M3U Profile URL Rewriting

• Fixed URL rewrite patterns that matched correctly in the frontend live preview but failed silently on the backend. Patterns using JavaScript/PCRE-style named capture groups or variable-length lookbehinds now work correctly end-to-end. (Fixes [#1005])
• Fixed a preview bug where a pattern error would display the search pattern itself as the preview output instead of the original URL.

Web UI Stream Preview

• Fixed stream previews in the web UI that were ignoring all player configuration, resulting in the logged-in user not being identified on the Stats page, latency settings having no effect, and worker offloading being disabled.
• Eliminated audible stuttering on live stream previews caused by unintended playback-rate adjustments.

EPG: HTML Named Entities Preserved

• Fixed EPG channel names, program titles, and metadata losing accented and special characters when loading from providers who use HTML named entities in their XMLTV files. Affected providers include many French and other European sources — characters were previously silently dropped (e.g. "Chaîne Télé" appeared as "Chane Tl"). (Closes [#1095]) — Thanks @CodeBormen for the research on this one!

Duplicate Recordings on EPG Refresh

• Fixed duplicate recordings being created for series rules whenever an EPG source refreshes. (Fixes [#940]) — Thanks @CodeBormen
• Deduplication now uses stable program identifiers that survive EPG refreshes, rather than internal IDs that change on every refresh.
• Pre/post recording offset settings no longer cause the duplicate guard to miss already-scheduled recordings.
• Concurrent EPG refreshes for multiple sources are now serialized during series rule evaluation, preventing races that could schedule the same episode more than once.

EPG Refresh Interrupted on Large Sources

• Fixed EPG refresh tasks being killed partway through on large EPG sources, leaving the guide data in a partial state with no error logged. Large source refreshes now have a 4-hour ceiling rather than a stricter timeout that could be reached during normal operation.

🔒 Security

• Updated requests 2.32.5 → 2.33.0, resolving CVE-2026-25645 (moderate): insecure temp file reuse in a utility function.
• Updated frontend npm dependencies to resolve 4 audit vulnerabilities (2 moderate, 2 high):
• brace-expansion 5.0.2 → 5.0.5 — resolves moderate zero-step sequence causing process hang and memory exhaustion (GHSA-f886-m6hf-6m8v)
• flatted 3.4.1 → 3.4.2 — resolves high Prototype Pollution via parse() (GHSA-rf6f-7fwh-wjgh)
• picomatch 4.0.3 → 4.0.4 — resolves high method injection in POSIX character classes (GHSA-3v7f-55p6-f55p) and a ReDoS vulnerability via extglob quantifiers (GHSA-c2c7-rcm5-vvqj)
• yaml 1.10.2 → 1.10.3 — resolves moderate stack overflow via deeply nested YAML collections (GHSA-48c2-rrv3-qjmp)