Change Log

This is for packaged, gold releases of the self-hosted product. We publish beta and release candidate change logs on the forum. We provide separate cloud release notes since they are scheduled differently.

Vanilla numbers major releases with the first decimal place. A second decimal indicates a minor patch release.


  • Rich Editor is the new default editor.
  • Keystone is the new default desktop & mobile (responsive theme)
  • Numerous bug-fixes and security patches
  • The full feature list and details can be found on the 2.8 release notes discussion.




There was an error while creating this release so it was never distributed.




Vanilla 2.7 was only distributed to Vanilla Cloud. The accumulated open source release notes from this release are incorporated into the the 2.8 release notes discussion.


Vanilla 2.6 is the first version of Vanilla that requires PHP 7.0.

New Features:

  • Category Following
  • API v2 In-Dashboard Docs
  • API v2 Changes and Additional Endpoints
  • Numerous bug-fixes and security patches
  • The full feature list and details can be found on the 2.6 release announcement and discussion.


Released 14 May 2018


Vanilla 2.5 is the last version of Vanilla that supports PHP 5.6. As such many additional security fixes have been backported to this release. If you cannot currently run a later version of Vanilla, be sure to run the latest 2.5 patch release.

Highlights of this released include:

  • Dashboard Redesign
  • Flat categories
  • Native API (APIv2)
  • Full IPv6 support.

A full feature list can be found on the 2.5 release schedule and features discussion.


Released 14 May 2018


Released 12 Feb 2018


Released 23 Dec 2017


A full vanilla 2.4 version was never released. Instead, Release 2.5 was branched. A beta was distributed, but a full version was never released.


Released 18 Nov 2016



Released 7 May 2016


Released 12 Nov 2015



Released 29 Oct 2015


Released 15 Oct 2015


Released 12 June


Released 4 May 2015


Released 18 Mar 2015


Released 15 Jan 2015


Released 9 Jan 2015


Released 21 Nov 2014

  • Security: Fixes an SQL injection vector.
  • Security: Adds a PDO option to harden against SQL injection.
  • Security: Improves the security of password resets by increasing token length and limiting them to 1 hour expiration.
  • Adds vBulletin 5.1 password hashing to allow seamless password migrations. All previous versions continue to be supported.


Released 31 Oct 2014

  • Security: An Insecure Direct Object Reference was fixed that allowed unauthorized comment editing.
  • Security: Potential CSRF vectors were closed, including one that could allow account hijacking.
  • Fixes issue where enabling cleditor would permanently allow style parameter in comments.
  • Fixes issue notifying users of new comments in certain cases where they did not have permission to then view them.
  • Fixes OpenID bug effecting Google Sign In.
  • Multiple community-contributed bug fixes.
  • 2.1.4 had a merge conflict which this release replaced.


Released 9 Sept 2014

  • 3 newly discovered XSS vectors were fixed.
  • The timezone bug introduced in 2.1.1 is fixed.
  • Fixes invalid DeliveryType in plugins management.
  • 2.1.2 had a Javascript error which this release replaced.


Released 2 Aug 2014

  • HtmLawed was upgraded to close an XSS vector (thanks to Psych0tr1a for responsibly disclosing this to us & to HtmLawed for a fast patch in response).
  • Multiple XSS exploits were fixed (thanks to @x00 for responsibly disclosing and both he and @businessdad for assistance in making our patches as bulletproof as possible).
  • Fixed a Twitter SSL bug (thanks @Adrian for the patch).
  • Fixed a missing permission check in the sorting utility (thanks @R_J for the patch).
  • cleditor was patched to fix a crippling IE11 bug.
  • Profile Extender was upgraded and a security flaw in it was fixed.
  • Fixed a bug in Announcing while starting a discussion.
  • Corrected the default theme README.
  • Backported GDN_UserAuthenticationProvider.IsDefault so the latest version of jsConnect will work with 2.1.1.
  • Fixes a theme screenshot bug (thanks @hgtonight‌ for the patch).


Released 28 April 2014

Vanilla internals were completely revamped for 2.1. Many views and several plugin hooks were changed, so themes and plugins must be tested and may need to be refactored before upgrading.

  • Better localization support.
  • Improved embedding.
  • Performance and caching enhancements.
  • Revamped Activity structure.
  • Framework improvements.
  • Hundreds of bug fixes.

Incremental changelogs from the first 2.1 beta through RC1 can be found in their individual release announcements:


Prior to 2.1, Vanilla used the third decimal in the version to indicate new features, and a fourth decimal for minor patches.

Released 30 Oct 2014

  • Security: An Insecure Direct Object Reference was fixed that allowed unauthorized comment editing.
  • Security: Potential CSRF vectors were closed, including one that could allow account hijacking.
  • Fixes DeliveryType issue in plugins managements.

Released 5 Aug 2014

  • HtmLawed is upgraded and its filtering tightened (thanks @x00 & Psych0tr1a)
  • parseJSON() is substituted for eval() in 2 places
  • Refactored the definitions list into Javascript instead of using the DOM
  • Fixes HTMLawed error in which this immediately replaced.

Released 21 Apr 2014

  • 3 security patches.
  • Ditches troublesome “Remove” option on the plugins page.

Released 21 Dec 2013

  • Removes flawed update checker.

Released 26 Nov 2013

  • Use SafeRedirect() instead of Redirect() in the discussion controller.
  • Added TrustedDomains() and SafeRedirect().
  • Don’t allow user id override on post.
  • Fix Flagging security flaw
  • Filter discussion title on categories/all
  • Comment notifications should only be sent to people with the “NewComment” preference set.
  • Twitter: Change api version to 1.1.
  • Tagging: Fix xss bug in tagging.
  • Do not add linebreaks twice on search.

Released 4 Apr 2013

  • Call & check for FilterForm() properly.

  • Disable the ability to call functions in escaped SQL strings.

  • Switch update checks to JSON to prevent object injection hacks.

  • Prevent object injection hacks.
  • Make sure the admin password is hashed when inserting the admin user on an already installed Vanilla.
  • Fix Facebook plugin for the 5 Dec 2012 Facebook update.
  • Add class attributes for all the menu item elements.
  • Cache-control logic improvements.
  • Add the proper username parameter to profile/edit.
  • Filter activity, discussion, and comment forms.
  • Fixed security hole where on profile/picture and profile/preferences. Allow moderators to change users’ pictures from the profile page.
  • Added joomla password hashing.

Released 26 Mar 2012

  • Patch form tampering possibility.
  • Fix canonical URL issues.

Released 5 Mar 2012

  • Flagging plugin security fixes.

Released 21 Jan 2012

  • Fixed bug where Gravatar was using name instead of email for Vanillicons.
  • vBulletin import improvements.
  • SSO fixed for non-English.
  • Embed improvements.
  • Tagging fix.
  • Fix malformed install screen.
  • Various other bug fixes.

Released 7 Nov 2011

  • Fixed bug in the Twitter plugin.
  • Fixed some bugs with connecting.
  • Prevent too many “photo changed” activities.
  • Added the ability to include announcements in the /categories/discussions page.
  • Fix so people with custom domains don’t see strange text.
  • Fixes mass-approve/deny for Applicants
  • Correct title on /categories pages
  • Fixed jQuery syntax errors.


Released 3 Nov 2011

Major Features:

  • Added moderation, bans, and delete/edit logging.
  • Added notifications (Growl-like popups).
  • Added advanced category management.
  • Added IP logging to core.
  • Added Split/Merge plugin to core.


  • Added ability to chain Vanillicons into Gravatars with c(Plugins.Gravatar.UseVanillicons) = true
  • Added ability to use IE targetting for CSS and JS files
  • Disabled CLEditor for IE6 users
  • Disabled popups in IE7 or less
  • Added Session support, see: Gdn_Session()->stash()
  • Turns off Embed by default
  • Added WebOS to mobile user agents


  • Fixed bug in 2.0.17 that could (on rare occassion) wipe your config.php file
  • Fixed issue that could cause VanillaStats to stop working
  • Many new translatable strings added or fixed
  • Fixed support for PHP 5.2 on Windows (fnmatch)
  • Fixed profile to not ask for old password if one was never set (via SSO)
  • Fixed hundreds of other bugs too numerous to list, including dozens of SQL-related bugs. -

  • Fixed bug where analytics hooked before Garden.Installed=true, causing a fatal error on install.
  • Fixed bug where analytics registration would occur repeatedly if config file was read-only.
  • Repackaged distribution without OS-Specific meta data, and fixed ajax information exposure bug.
  • Fixed problem with dashboard structure file where Activity and Profile permissions were not granted automatically on fresh install.
  • Fixed problem with category permissions where some configurations would result in too restrictive defaults.
  • SECURITY: Fixed potential querystring XSS and cookie HMAC Timing vulnerabilities in core.
  • Updated analytics client and server software to fix a bug in stats transmission and rendering.
  • Fixed a packaging problem that caused the contents of index.php to be duplicated.
  • SECURITY: Fixed cookie theft vulnerability.
  • SECURITY: Fixed Facebook, Twitter, and Embed plugins’ access control.


Released 2011-01-18

  • Fixed bug where plugins and themes could fail to enable due to extra whitespace.
  • Fixed bug where search results were not properly sorted by date after relevance.
  • Fixed bug where links in profile status cause the profile to clear when clicked.
  • Fixed bug where signing in from the comment form button would not refresh the page.
  • Fixed bug where administrators could not change user’s picture without 404 errors.
  • Fixed bug where stack trace would display when testing plugins, even if not in DEBUG mode.
  • Fixed bug where signin would not properly redirect if javascript was disabled.
  • Fixed bug where editing a role was erroneously selecting the default permission in the UI when editing.
  • Fixed bug where discussion autorefresh would sometimes disable itself.
  • Fixed bug where when markdown is enabled urls would not get auto-converted to clickable links.
  • Fixed bugs in OpenID and GoogleSignIn where redirect targets were not getting sent to the signin.
  • Fixed bug where mobile theme would sometimes display incorrect “last comment date”.
  • Optimized Announced Discussions query to improve performance.

Older Releases

Unlisted versions were skipped or replaced the same day.

  • 2.0.16 - 2010-12-02
  • 2.0.15 - 2010-11-25
  • 2.0.14 - 2010-11-09
  • 2.0.13 - 2010-10-27
  • 2.0.11 - 2010-10-06
  • 2.0.10 - 2010-09-30
  • 2.0.9 - 2010-09-15
  • 2.0.6 - 2010-09-01
  • 2.0.3 - 2010-08-11
  • 2.0.1 - 2010-08-04
  • 2.0.0 - 2010-07-22
  • 1.1.10 - 2009-11-23
  • 1.1.9 - 2009-09-10
  • 1.1.8 - 2009-08-02

Cloud Hosting

We believe that online communities should be intuitive, engaging and true to your brand. Vanilla allows you to create a customized community that rewards positive participation, automatically curates content and lets members drive moderation.

Learn More …