Pleroma security release: 2.6.3

Pleroma 2.6.3 is a security release. It fixes an issue with webfinger queries not properly checking the account domain, leading to impersonation.

Pleroma security release: 2.6.2

Pleroma 2.6.2 is a security release. Fixes lack of shortcode sanitization in MRF StealEmojiPolicy.

Pleroma minor release: 2.6.1

Pleroma 2.6.1 is a minor release. It features some bugfixes, notably fixing a bug that prevents you from managing frontends if you have not set a primary frontend. After this release, the frontend and backend versions will no longer be in sync. See this relevant post for more information.

Separating Frontend and Backend versions

Notice: It was previously stated that the version split starts with 2.6.0, but due to a serious bug in the frontend this has been postponed to the 2.6.1 release.

Hi, it’s HJ again. For the past few years we had the same recurring problem - the frontend has brand new features, but to release it out to the public we need to also release the backend so the newer frontend version would be bundled in it, and the backend might not be ready for release at the moment, or backend maintainers might be away/busy, or there is simply nothing to release there (I don’t think the latter ever happened though). That essentially means that while development is still happening, most people won’t see it until the next backend release, which might be months away. However there is a problem, how do you use a non-built frontend?

Using a non-builtin frontend

While it was pretty much always possible to use a custom version of PleromaFE, it was always a hassle to set it up. The very first way of doing this was essentially building PleromaFE yourself, which is an extremely involved process for the uninitiated, even when just doing a master or develop build, and maintaining your own branch would be even more involved; in short - not for the overwhelming majority of people. Later we added support for multiple frontends and a way to install them in AdminFE, but it is very clunky and confusing, and while it could be used to install a PleromaFE build from our GitLab, it was hardcoded to only one branch - master, and it would not let you update it without manually specifying the build URL and such. Selecting which frontend is actually being served by default is also clunky, you have to manually enter the frontend name and version, even though this information is readily available.

Given that AdminFE is on “life support” at the moment, as the original developer of it vanished, and how much work it is to get it into an appropriate state, we started working on porting AdminFE features into PleromaFE, now referred to as “Admin Dashboard”. Existing AdminFE is still available and still supported, but don’t expect massive changes there, and eventually it will be replaced, we just don’t know when. Apart from some (better organized) extremely basic instance settings in Admin Dashboard, one key feature of it that shipped in the 2.6.0 release is Front-ends management.

Front-ends management

Accessing Admin Dashboard is in the same place where old AdminFE is accessed, in the “dashboard” icon in the top bar. Don’t worry, there is a link to old AdminFE within it, and the direct link should still work.

Screenshot of part of PleromaFE pointing out location of Admin Dashboard location

From there, just open the “Front-ends” tab, where you can easily (re)install any frontends and set them as default in a (hopefully) easier way; in addition we added an option to install the develop version of PleromaFE.

Screenshot of part of PleromaFE Admin Dashboard pointing out the Front-ends tab location

Further information is in our documentation

There is a known bug in 2.6.0 that there is no feedback whether frontend is installing, installed or failed to install, and the dropdowns don’t close on click - all of those are fixed in PleromaFE 2.6.1.

There is a known bug in 2.6.0 that if you do not have a primary frontend set already it won’t load the interface for setting one; this is fixed in 2.6.1.

Splitting the versions

Version 2.6.1 is the last one to be fully synchronized between frontend and backend. From now on, backend and frontend versions will no longer be in sync.

Announcements of new releases will be made for both Backend releases and Frontend releases.


PleromaFE will be more of a “Pleroma client” that aims to support most versions of Pleroma backend with graceful degradation where appropriate. We feasibly cannot support all older and newer versions ever so boundaries of support will shift periodically.

Current plan in detail

  • Backend can implement new features, but it doesn’t necessarily mean those features are instantly implemented in bundled frontend.
  • When backend does their release, current stable (i.e. master branch) version will be included as a built-in.
  • Frontend will support:
    • The “bottom line” is Backend version 2.6.0, versions older than that may still work but are not officially supported.
    • We still accept patches that fix support for older versions, but discretion will be used whether to accept them or not, i.e. an extremely complicated fix or a fix that breaks support for newer versions most likely won’t be accepted as-is.
    • The “top line” is yet to be determined and will be announced if support for some versions is being dropped.
    • For most features support should still work across all backend versions - future and past
    • Graceful degradation where appropriate, if there’s a new way to post or read timelines in a better way in newer backend version it won’t be supported in older version of frontend and vice-versa.
    • The “bottom line” might be moved to newer version if some core API is deprecated/removed in favor of new one
    • Features are detected not by checking backend version but rather by what backend reports it supports.
    • Features that are in active development between Backend and Frontend (i.e. at time of writing - Admin Dashboard) might not be guaranteed to work outside specific version combinations until said features are stabilized.

As usual, nothing is set in stone and might change over time.

T. HJ

Pleroma major release: 2.6.0

Pleroma 2.6.0 is a major release. Featuring many fixes, additions and improvements.

Pleroma security release: 2.5.5

Pleroma 2.5.5 is a security release. Prevents users from accessing media of other users by creating a status with reused attachment ID

Pleroma security release: 2.5.4

Pleroma 2.5.4 is a security release. Fixes a file loading vulnerability via XML External Entity (XXE).

Pleroma security release: 2.5.3

Pleroma 2.5.3 is a security release. Fixes one path-traversal vulnerability, and hardens permissions.

Pleroma security release: 2.5.2

Pleroma 2.5.2 is a security release. Featuring many fixes, additions and improvements.

Pleroma minor/security release: 2.5.1

Pleroma 2.5.1 is a minor and security release with some bugfixes. Notably, uploading through the HTTP API can no longer create subdirectories in the upload directory.

Pleroma major release: 2.5.0

Pleroma 2.5.0 is a major release. Featuring many fixes, additions and improvements.

Pleroma bugfix release: 2.4.5

Pleroma 2.4.5 is a bugfix release. It notably fixes compatibility with Elixir 1.14 and a bug where inline img elements in posts wouldn’t have their class attribute scrubbed.

Small updates and donation pages

Hi, we’re busy working on the 2.5 release and reorganizing. In the meantime we’ve done some small things.

Development progress insights

There are plans on setting up a unified feed (“Planet”) but for now HJ’s been doing a series of updates on his blog about happenings in PleromaFE’s development:


Semi-official, non-profit, derivative merchandise available here: made by HJ

Donation pages

You can now donate to the cause. Never mandatory but always appreciated.

  • Libera pay group:
    • Donations go directly to people listed, of course you can donate to individuals separately if you want.
  • Open Collective:
    • Donations will go towards infrastructure, paid tools and possibly other things

Pleroma security release: 2.4.4

Pleroma 2.4.4 is a security release. This fixes a bug where a streaming session would unexpectedly remain connected when the corresponding access token is revoked.

Pleroma security release: 2.4.3

Pleroma 2.4.3 is a security release. Notably fixing a cache issue which can leak private Activities and Objects.

Pleroma patch release: 2.4.2

Pleroma 2.4.2 is a patch release. It fixes potential federation issues, makes Pleroma compatible with Elixir 1.13 and features reworked mention display in Pleroma-FE, among other changes.

Erlang 24.2-1 is broken on Arch Linux

Version 24.2-1 (latest at time of writing) of erlang and erlang-nox packages on Arch Linux ships empty libraries, resulting in inability to compile native code and therefore run Pleroma from source.

Pleroma patch release: 2.4.1

Pleroma 2.4.1 has been released, featuring many fixes.

MastoFE deprecation, removal in 2021-09

With the Mastodon Frontend distribution (“MastoFE”) having lost collaboration when the glitch-soc maintainer went from “friendly/welcoming to pleroma” to a “fuck pleroma” almost a year ago, it became out of support.
Currently, MastoFE’s last release was made on 2020-05-14, the last commit activity was in 2020-09 and at around 2021-04 it became obvious that MastoFE wasn’t going to get any better and would sadly become technical debt.

Pleroma major release: 2.4.0

Pleroma 2.4.0 has been released, featuring many fixes, additions and improvements.

Move from Freenode to Libera.Chat

The Pleroma project is moving its chatrooms together with the former freenode staff to Libera.Chat and now considers the chatrooms on Freenode to be unofficial.

This also means a move of the matrix chatrooms to and

Our TheLounge instance at has already been updated to point to Libera.Chat.

See you on Libera.Chat!

Pleroma major release: 2.3.0

Pleroma 2.3.0 has been released, featuring many fixes, additions and improvements.

Pleroma patch release: 2.2.2

Pleroma 2.2.2 is a patch release. It fixes minor annoyances on the backend side, like EmojiStealPolicy not creating a directory by itself and mix deps.get warning about a retired package.

On the frontend side it adds a report button to the status menu, fixes issues with displaying Follows/Followers and more.

Pleroma patch release: 2.2.1

Pleroma 2.2.1 is a patch release that fixes a few backend bugs.

On the frontend side we’ve got a long list of improvements in this release.

Most noticeable changes are moving the “external source” under the ellipsis button. Speaking of buttons, many of them have much more generous hitboxes for better mobile use and they should be much more accessible for keyboard navigation plugins.

One cool new feature is enabling use of flat colors for the background. For users you can use it by removing your own personal background and making sure in general settings that you’re not using instance default background. For instance admins that want to use the flat color by default, you can just remove the background image on your instance.

The emoji reactions have major improvements as you can now input emoji directly into the field, the ordering of the emoji is better and it includes some emoji that were previously missing.

Pleroma major release: 2.2.0

Pleroma 2.2.0 released, featuring many fixes, additions and improvements. Among the most significant changes are: optimized timeline rendering for Pleroma-FE, switch to libmagic for guessing file types (requires a new system-level dependency!) and the addition of an optional media-optimizing proxy for thumbnail generation.

Pleroma security release: 2.1.2

Pleroma 2.1.2 is a security release, fixing some object types (most notably polls) bypassing MRF and fixing bugs found after 2.1.1 release.

Pleroma security release: 2.1.1

Pleroma 2.1.1 is a security release, fixing 2 DoS vulnerabilities, metadata leak on private instances, a possible OOM with the default HTTP client and bugs found after 2.1.0 release.

Pleroma Release: 2.1.0

Pleroma 2.1.0 is a feature release that also contains many bugfixes and general improvements.

Pleroma security release: 2.0.7

Pleroma 2.0.7 is a security release, fixing 2 potential DoSes and CSP regressions introduced in 2.0.6 release.

Pleroma patch release: 2.0.6

Pleroma 2.0.6 is a patch release, bringing some database performance improvements, security hardening and fixing bugs found after the 2.0.5 release.

Pleroma security release: 2.0.5

Pleroma 2.0.5 is a security release, fixing a potential private status leak in Streaming API, removes the hard dependency on erlang-eldap introduced in 2.0.4 and other bugs found since 2.0.4 release.

Pleroma security release: 2.0.4

Pleroma 2.0.4 is a security release, fixing a potentially breaky migration introduced in 2.0.3, a potential DoS using AP C2S and other bugs found since 2.0.3 release.

Pleroma security release: 2.0.3

Pleroma 2.0.3 is a security release, fixing: possibility of re-registration of previously deleted users, ability to force a follow from a local user, and bugs found after 2.0.2 release.

Pleroma patch release: 2.0.2

Pleroma 2.0.2 is a patch release, fixing bugs found after 2.0.1 release.

Pleroma security release: 2.0.1

Pleroma 2.0.1 is a security release, fixing improper HTML sanitization in Static-FE and bugs found after 2.0.0 release.

Pleroma major release: 2.0.0

Pleroma 2.0.0 released with emoji reactions, OStatus removal, configuration from Admin-FE and much more! You can read a blog post about it here.

Pleroma patch release: 1.1.9

Pleroma 1.1.9 is a patch release, fixing bugs found after 1.1.8 release.

Rate limiter and Remote IP plug soon to be enabled by default again

Rate limiter was disabled by default in !1601 since the majority of Pleroma instances were behind reverse proxies and it didn’t take X-Forwarded-For headers into account, rate limiting the reverse proxy IP instead.