
@NicolasDorier NicolasDorier released this Sep 9, 2021

This release fixes three XSS vulnerabilities. These vulnerabilities only impact shared BTCPay instances.
Special thanks to Ajmal "@B3EF" Aboobacker and Abdul "@b1nslashsh" Muhaimin, who found them and contacted us through @huntrdev.
See 1, 2 and 3.

Bug fixes:

  • Use CSP to prevent future XSS attacks. (#2856, #2863) @NicolasDorier
  • Fix XSS vulnerabilities in summernote, the rich text editor (#2859) @dennisreimann
  • The page could crash if the user clicks too many times on the notification 'Mark as Seen' @NicolasDorier
  • Fix plugins page crashing @Kukks
  • Fix page crash of the perk editor in the crowdfund settings when the title is not set @dennisreimann
  • Do not generate payment methods for a 0 amount invoice (#2776)
  • When using the BTCPay Vault, some hardware wallet types were considered unknown @NicolasDorier

@NicolasDorier NicolasDorier released this Aug 31, 2021

Bug fixes:

  • It was impossible to send from the wallet to more than two destinations (#2825) @NicolasDorier
  • Fix rounding issue in the invoice refund flow (#2778, #2810) @NicolasDorier
  • When cloning an expired payment request, the new payment request was also expired (#2820) @dennisreimann
  • Fix instructions to import a coldcard wallet via file upload (#2809) @mandelbit
  • Lightning payments should not be proposed for top-up invoices (#2772, #2780) @ubolator
  • Typo fixes (#2774) @jorisvial
  • Fix payjoin client to properly handle receiver using output substitution (#2677) @NicolasDorier
  • The checkout would crash for some clients if automatic detection of language was checked and the browser was not setting the accepted language @NicolasDorier

@NicolasDorier NicolasDorier released this Aug 13, 2021

Bug fix:


@NicolasDorier NicolasDorier released this Aug 9, 2021


New features:

Bug fixes:


@NicolasDorier NicolasDorier released this May 19, 2021

  • Fix: Unable to activate shopify integration @Kukks

@NicolasDorier NicolasDorier released this May 14, 2021

Minor release with minor bug fixes.


  • Update BC-UR bundle and support decoding hex format of wallet (#2505 #2499) @Kukks

Bug fixes:

  • During refund or payout, some payments issued from BTCPay were not properly detected. (#2513 #2518) @Kukks @NicolasDorier
  • Fix payment button steps and validation range (#2506 #2503) @Kukks
  • The local culture of the server could break some feature on BTCPay Server (#2512) @NicolasDorier
  • Make sure unaccounted payments (double spent payments, or payjoin original transaction), are not accounted by the payment requests and crowdfund app @NicolasDorier
  • Coinswitch page was not reflecting correctly in the side navigation @Kukks
  • Coinswitch showed as enabled when it was configured but disabled @Kukks
  • Lightning payments were not detected if "Only enable the payment method after user explicitly chooses it" was checked for the store @Kukks

@NicolasDorier NicolasDorier released this Apr 29, 2021

See our blog post for an overview of this new release.


  • Improving navigation between files and storage services and rewording info text (#2272) @rockstardev
  • UI: Header and navigation improvements (#2412 #2378) @dennisreimann @dstrukt
  • Plugins will be disabled in the case of an unrecoverable runtime error caused by a plugin @Kukks
  • UI: Improve Lightning setup page (#2348 #2477) @dennisreimann @dstrukt
  • Greenfield: Provides unconf/conf balance, keypath + address + timestamp + confirmation count of utxos @Kukks
  • Add BTCPAY_TOR_SERVICES configuration to expose tor services via the server settings. Useful for integration with self-hosted node such as Umbrel (#2388) @Kukks @junderw
  • Payment methods can be toggled directly from the update store page, rather than inside the page of each payment method (#2469) @dennisreimann
  • Start separation of Coinswitch feature and Shopify integration as plugins (#2384 #2390) @Kukks
  • Greenfield: Ability to pass more query parameters to filter results of api/v1/invoices @SakerOmera
  • Human friendly error if webhook or webhook delivery not found @NicolasDorier
  • Add button to copy API key to clipboard (#2439) @ubolator

New features:

  • Support WebAuthN/FIDO2 as second factor @Kukks
  • Can get a receive address in the wallet accepting Payjoin (without creating an invoice) @Kukks
  • Can disable modification of SSH settings via the server settings to prevent escalation of privilege. (See #2468) @NicolasDorier
  • Manual coin selection has a "confirmed utxo" filter @Kukks
  • Greenfield: Can query fee rate @Kukks
  • New setting for checkout: Ability to activate specific payment methods after the creation of the invoice @xpayserver @Kukks @rockstardev

Bug fixes:

  • Fix: Clicking on "Unreserve this address" was not properly reflected in the UI @Kukks
  • Fix: Block explorer links for signet @kristapsk
  • Fix: Typo in PoS cart view (#2428) @MaxHillebrand
  • Allow accessing "misc/lang" endpoint with Greenfield auth schemes (#2471) @bolatovumar
  • Greenfield: Fix typo of webhook type OrignalDeliveryId => OriginalDeliveryId @NicolasDorier
  • If the posData property of invoice metadata was not a JObject, the invoice would crash @Kukks
  • If a store was created via the Greenfield API, warning signs of unconfigured stores would not appear. (Fix #2434) @bolatovumar
  • Do not crash if plugin folder mismatches plugin identifier @Kukks
  • Fix notification count on mobile (#2483) @dennisreimann
  • Fix: Passing invalid query parameters or route value in the Greenfield API should return HTTP 422 + validation details rather than empty 400. @NicolasDorier
  • Greenfield: Deleting a store in the server should delete only webhooks of this store @NicolasDorier



@NicolasDorier NicolasDorier released this Apr 1, 2021

Small release fixing bugs introduced in

Bug fixes:

  • The dates on the invoice page were no longer showing the browser date time, but the server date time. (@NicolasDorier)
  • Apps on root were not working anymore, redirecting to the login page rather than showing the app (see #2414) (@bolatovumar)

@NicolasDorier NicolasDorier released this Mar 30, 2021

This is a security release that patches one critical and several low-impact vulnerabilities that affected BTCPay Server versions and older.

The critical vulnerability (CVE-2021-29251) impacts users who:

  • Use Docker Deployment, have a configured email server and enabled registration for users in Server Settings > Policies

We strongly recommend that affected users update their instances to mitigate the risk. We will release a full public disclosure of the vulnerabilities with the next major version of BTCPay Server.

We want to thank @teslamotors for filing a responsible disclosure, helping us with remediation, and handling the situation professionally.
We also want to thank Qaiser Abbas, an independent web-security researcher, for an additional responsible vulnerability disclosure that was handled in this release.

Thank you for keeping our users safe.


Bug fixes:

  • Ensure submitting empty currency does not break update PoS page (#2376) @bolatovumar
  • Fix point of sale item newline break (#2366) @Kukks
  • Validate filename in file upload endpoints @NicolasDorier
  • Turn off autocomplete for BIP39 Seed or HD private key inputs @nosovk
  • Fix payment request template body/page height and footer style @patrick