⚠️ Security fixes

• Fix an open redirect which could help making harmful URLs look more trustworthy by linking to Indico and having it redirect the user to a malicious site
• Fix an XSS vulnerability with HTML materials when stored on S3 with certain configuration settings

Note: Anyone running Indico using the "standard" setup from our installation guide or without storing files on S3 (using the storage_s3 plugin) is completely unaffected by this problem.

🎏 Internationalization

• New translation: Finnish

🎉 Improvements

• Disallow comments/judgments on outdated editables (#7067)
• Log original email content (with placeholders) when emailing registrants or sending invitations (#7093)
• Disallow sending registration emails or invitations containing hardcoded (and usually incorrect) token links (#7093)
• Add support for showing registration pictures in the check-in app (#7099)
• Support post-event reminders relative to the event end time (#7094)
• Log local group membership changes of users (#7122, thanks @tomako)
• Warn when downloading files from an editable not assigned to you (#7131, #7132)
• Add URL args to set the default view and date of the category calendar view (#7144)
• Allow changing review tags in the editing timeline (#7133, #7134)
• Add an option to request changes in bulk on the editable list (#7062, #7100)
• Clone persons settings when cloning an event (#7158)
• Clone editable-type-specific settings when cloning an event (#7158)
• Allow admins to add a secondary email address to a user without sending a validation email (#6872, #7116, thanks @vasiliyk)
• Add new SMTP_USE_SSL config option to use always-on TLS (SMTPS) instead of STARTTLS when sending emails (#4347, #7177, thanks @bpedersen2)
• Add review count & score standard deviation columns to the abstract list (#7173)
• Add min/max date settings to registration form date fields (#6842, thanks @SegiNyn)
• Allow adding a preface when re-sending emails from the event log (#7172, thanks @duartegalvao, @unconventionaldotdev)
• Disallow adding multiple fields with the same title in a single registration form section (#7181, thanks @tomako)
• Add a customizable announcement text on top of the registration form list in conferences with multiple registration forms (#6916, thanks @openprojects)
• Add a button to view related logs to the management view of a registration (#7186, thanks @vtran99)
• Log attachment & menu entry ACL changes to user log (#7136, thanks @tomako)
• Add placeholders to custom event reminders (#7115, thanks @tomako)
• Add option to require international phone number format in registration form (#7199, thanks @openprojects)
• Refactor the registration invitation dialogs using React and add email previews (#7168, thanks @duartegalvao, @unconventionaldotdev)
• Add setting EMAIL_LOG_STORAGE to permanently store email attachments and allow re-sending emails with attachments from the event log (#7182, #7203, thanks @moliholy, @unconventionaldotdev)
• Show confirmation dialog when sending invitations (#7204, thanks @duartegalvao, @unconventionaldotdev)
• Show a warning when bulk registration approval/rejection skips registrations that are not pending (#7197, #7205, thanks @duartegalvao, @unconventionaldotdev)
• Add a JSON endpoint that returns the event's program/tracks (#7207)

🐛 Bugfixes

• Do not allow sending registration invitation reminders without the invitation link placeholder (#7093)
• Correctly log the user sending a registration invitation reminder (#7093)
• Fix error in weekday recurrence picker when using the Turkish locale (#7113)
• Do not allow selecting fields in disabled sections as a condition (#7114)
• Fix timetable PDF cover page layout to allow proper centering of content (#7148, #7149)
• Fix the logic to force downloads not being applied for materials hosted on some storage backend setups (#7164)
• Preserve configured registration date formats in Excel exports (#7157, thanks @duartegalvao, @unconventionaldotdev)
• Fix inconsistent styling of nested lists in minutes and editor output (#7063, #7105, thanks @AtharvMixraw)
• Validate the arrival/departure date in the registration form accommodation field (#7171, #7174)

♿ Accessibility

• Fix category list link color contrast (#7070, thanks @foxbunny)
• Fix color contrast and semantics of the protection icon and event count in category link (#7071, thanks @foxbunny)
• Fix color contrast and screen reader support of the icons in the event list (#7073, thanks @foxbunny)
• Fix color contrast and screen reader support of the hidden block buttons in the event list (#7079, thanks @foxbunny)
• Fix contrast of the category info text (#7078, thanks @foxbunny)
• Fix contrast and screen reader support in breadcrumbs (#7088, thanks @foxbunny)
• Fix the semantics for the empty materials text (#7096, thanks @foxbunny)
• Fix announcements accessibility (#7098, thanks @foxbuny)
• Fix conference description color contrast (#7118, thanks @foxbunny)
• Improve infogrid accessibility (#7119, thanks @foxbunny)
• Improve dropdown accessibility in category list toolbar (#7069, thanks @foxbunny)
• Fix footer color contrast (#7095, thanks @foxbunny)

🔧 Internal Changes

• Allow plugins to store custom annotations/metadata on attachments, and indicate that it has been converted from another attachment (#7108)
• Refactor conference page theme CSS to allow easier theming using CSS variables (#7110, thanks @foxbunny)
• Add clear button to optional date picker fields (#7151, thanks @foxbunny)

⚠️ Security fixes

• Fix a legacy API giving access to profile details of other users due to a broken authorization check (CVE-2025-59034, thanks @inkz)
• Fix an XSS vulnerability in the LaTeX math rendering code applied to contribution descriptions (CVE-2025-59035)

🎉 Improvements

• Add a CAPTCHA and rate limiting to the material package endpoint, and an event setting to restrict who can generate one (defaults to managers only) (#6996)
• Add support for custom event reminders with freely chosen subject and body, and allow rich-text for the custom message in standard reminders (#6989, thanks @tomako, @unconventionaldotdev)
• Allow specifying a maximum session lifetime via SESSION_MAX_LIFETIME beyond which it cannot be refreshed by activity (#7030)
• Make displaying corresponding author email addresses in the Book of Abstracts opt-in (#7002, thanks @adamjenkins)
• Allow selecting which invitees to remind on the invitations list (#6804, #6918, thanks @duartegalvao, @unconventionaldotdev)
• Add option in the invitation form to lock registrations to the specified email address (#6803, #6972, thanks @duartegalvao, @unconventionaldotdev)
• Add plugin support for scanning custom QR codes in the Check-in app (#6954, thanks @SegiNyn)
• Add new tags column to the Editable list (#6614, #6615)

🐛 Bugfixes

• Fix missing spacing between toolbar button groups (#6981)
• Fix error with certain registration form field types if the badge text overflow behavior was set to "resize" (#6993)
• Fix not being able to update a registration if an accommocation field was added after registering and the user already paid for the registration (#7000)
• Fix registration form field type selector not being fully visible on smaller screen widths (#7012, #7013)
• Fix user search not working for admins in room booking module with no rooms defined (#7016, #7017, thanks @behackl)
• Fix author contribution list not showing any other contributions (#7025, #7049, thanks @diksharai9)
• Fix some LaTeX strings being rendered incorrectly and/or breaking the timetable PDF generation (#7068)

♿ Accessibility

• Use proper heading hierarchy (H3 instead of H4) for date headings on category event list pages (#7038, thanks @foxbunny)
• Add accessible labels to extra slots dropdown fields in registration forms (#7039, thanks @foxbunny)
• Use proper semantic heading elements for registration form section titles (#7040, thanks @foxbunny)
• Improve screen reader + keyboard support in the registration form picture field (#7064, #7065, thanks @foxbunny)

🔧 Internal Changes

• Remove broken support for custom multipass providers setting a maximum session lifetime; use SESSION_MAX_LIFETIME instead (#7030)
• Use Biome to format JS/JSX, TS/TSX, JSON and CSS (#7042)
• Add the env var INDICO_TEST_USE_DOCKER, which allows for tests to be run on a PostgreSQL server running in a container

⚠️ Security fixes

• Prevent dumping basic user details (name, affiliation and email) in bulk using the user id (CVE-2025-53640)

🎉 Improvements

• Add a new ALLOWED_LANGUAGES setting to indico.conf to restrict which languages can be used (#6818, thanks @openprojects)
• Set reasonable maximum lengths on signup form fields (#6724)
• Preserve the selected day when switching between room booking calendar view modes (#6817)
• Notify room moderators about new pending bookings in their rooms (#6823)
• Show moderated rooms as "mine" and enable "bookings in my rooms" etc. for room moderators (#6823)
• Use the new date picker in more places (#6662, #6832)
• Log conference menu changes (#6851, thanks @openprojects)
• Add duration and date/time placeholders when sending emails for contributions (#6860)
• Use STATIC_SITE_STORAGE for the temporary file from a material package (#6898)
• Implement conditional fields in registration forms (#1227, #6678, thanks @moliholy, @OmeGak, @unconventionaldotdev)
• Log user-specific ACL changes to user log (#6841, thanks @tomako)
• Include language settings when cloning an event (#6871, #6929)
• Log user merges to user log (#6882, #6920)
• Allow re-sending emails from their log entries (#6805, #6909, thanks @duartegalvao, @unconventionaldotdev)
• Allow adding/removing favorite users from search results (#6950)
• Make text overflow behavior in badge designer configurable (#6944, thanks @SegiNyn)
• Clone registration tags when cloning registration forms and preserve registration tags when cloning registrations (#6820, #6964)
• Allow restricting reminder recipients by registration form and tags (#6877, thanks @tomako, @unconventionaldotdev)
• Searching existing Indico users can be restricted to managers by setting ALLOW_PUBLIC_USER_SEARCH to False. This also limits the verbosity of email status checks while registering for events and disallows registering on behalf of another Indico user (#6960)
• Allow linking existing booking to an event even if there's no exact date/time overlap, and do not show a large number of unrelated bookings (#6568, #6811, #6846, thanks @moliholy, @unconventionaldotdev)
• Add a log for global admin actions, similar to that in events, categories and users (#6868, thanks @tomako)

🐛 Bugfixes

• Fix inconsistent page numbering in PDF timetable (#6824, #6827)
• Do not log logins rejected by a plugin as errors (#6834, thanks @OmeGak)
• Do not trigger notifications for withdrawn service requests when deleting past events (#6700, #6754, thanks @bhngupta)
• Fix date picker on category calendar view (#6849, #6850)
• Fix scheduling existing contributions not working in rare cirucmstances (#6853)
• Convert author/speaker email addresses to lowercase during input and use the lowercase version for deduplication (#6855)
• Fix error when removing the title of an event person (#6859)
• Fix participant visibility being set to "nobody" when a registration was modifified (#6863)
• Fix error when editing a room while no custom attributes have been defined (#6840)
• Allow the browser to perform spellchecking in the HTML/WYSIWYG minutes editor (#6890)
• Fix downdown/combobox issues on iOS Safari devices (#6830, #6839, thanks @foxbunny)
• Fix font rendering issue in event titles with some cyrillic characters (#6673, #6881, thanks @Fedor204)
• Include registration tags in event export (#6896)
• Fix some messages not being translated due to a missing context (#6910)
• Fix datetime handling in excel exports (#6806, #6887, thanks @duartegalvao, @unconventionaldotdev)
• Fix date range picker not working in some languages (e.g. Japanese) (#6921, #6922)
• Fix error when searching in user logs (#6933, #6936)
• Fix room booking prompt during event creation not showing up (#6941)
• Fix AM/PM indicator based on event language in PDF timetable (#6888)

🔧 Internal Changes

• Expose cloning details such as object mappings in the event.cloned signal (#6858)
• Expose cloning details in the contribution.created and subcontribution.created signals (#6858)
• Add the id and color of registration tags on the Checkin API endpoint for registation data (#6874, thanks @duartegalvao)
• Allow disabling arbitrary dates in date picker / calendar controls (#6905, thanks @foxbunny)
• Support custom data rendering logic in custom registration form fields (#6967)
• Support custom columns and filters in mangement registrant list (#6968)

⚠️ Security fixes

• Update the Jinja2 library due to a sandbox escape vulnerability (CVE-2025-27516).

Note: Since document templates can only be managed by Indico admins (unless granted to specific other trusted users as well), the impact of this vulnerability is considered low to medium, as it would require a malicious admin to abuse this e.g. to to read indico.conf data, which is otherwise only accessible to people with direct server access.

🎉 Improvements

• Add a new "Accepted by Submitter" state for editables when a submitter approved the changes proposed by the editor (#6185, #6186)
• Highlight editables in the editable list that have been updated since the last time they were viewed (#6500)
• Refresh the looks of the PDF timetable (#6554, #6558)
• Redact session cookie value in error emails (#6666)
• Allow creating a new local account during password reset if the user does not have one yet (#6688)
• Set session cookies with SameSite=Lax so they are not sent when Indico is embedded in a third-party iframe (#6690)
• Make the event export/import util much more flexible to support exporting whole category subtrees, add better support for dealing with files, and add various things that were not correctly exported before (#6446)
• Add a setting to limit the information room booking users can see for bookings not linked to them or their rooms (#6704)
• Add shortcuts to the past and closest events in a category (#6710)
• Improve the appearance of the date pickers (#6719, #6720, thanks @foxbunny)
• Add a new setting (ALLOW_ADMIN_USER_DELETION) to let administrators permanently delete Indico users from the user management UI (#6652, thanks @SegiNyn)
• Support ==text== to highlight text in markdown (#6731, #6732, #6767)
• Add an event setting to allow enforcing search before entering a person manually to a persons list in abstracts and contributions (#6689)
• Allow users to login using their email address (#6522, thanks @SegiNyn)
• Do not "inline" the full participant list in conference events using a meeting-style timetable and link to the conference participant list instead (#6753)
• Add new setting LOCAL_USERNAMES to disable usernames for logging in and only use the email address (#6751, #6810)
• Tell search engines to not index events marked as "invisible" (#6762, thanks @openprojects)
• Make the minimum length of local account passwords configurable, and default to 15 instead of 8 for new installations (#6629, #6740, thanks @amCap1712)
• Include submitter email in abstract PDF export (#3631, #6748, thanks @amCap1712)
• Remove anonymized users from local groups (#6738, thanks @SegiNyn)
• Add ACLs for room booking locations which can grant privileges on the location itself and/or all its rooms (#6566, thanks @SegiNyn)
• Support alternative names in predefined affiliations and make its search more powerful (#6758)
• Add setting to disallow entering custom affiliations when predefined affiliations are used (#6809)
• Log changes to event payment methods (#6739)
• Add button to select all rooms for exporting in the room list (#6773, thanks @Michi03)
• Include abstract details in comment notification email subject (#6449, #6782, thanks @amCap1712)
• Use markdown editor field in survey questionnaire setup (#6783, thanks @amCap1712)
• Use markdown editor field for contribution description (#6723, #6749, thanks @amCap1712)
• Allow resetting registrations back to pending in bulk (#5954, #6784, thanks @amCap1712)
• Allow to configure a restrictive set of allowed contribution keywords (#6778, thanks @tomako, @unconventionaldotdev)
• Add a log for user actions, similar to that in events and categories (#6779, #6813, thanks @tomako)

🐛 Bugfixes

• Fix error when using the "Request approval" editing action on an editable that does not have publishable files (#6186)
• Do not fail if a user has an invalid timezone stored in the database (#6647)
• Ensure the event name is correctly encoded to prevent issues with special characters in the share event widget (#6649)
• Fix sending emails if site name contains an @ character (#6687)
• Do not show country field description twice in registration forms (#6708)
• Do not show "other" document templates from deleted events/categories (#6711)
• Fix price display of choice fields in registration form (#6728, #6729)
• Fix error when creating a new room and setting attributes or equipment during creation (#6730)
• Fix the usage of select list scrollbar causing it to close immediately (#6735, #6736, thanks @foxbunny)
• Trigger event creation notification emails when cloning events (#6744)
• Fix image uploading not working when editing an existing note without having permissions to manage materials on the event level (#6760)
• Do not redirect to the ToS acceptance page when impersonating a user (#6770)
• Fix display issues after reacting to a favorite category suggestion (#6771)
• Include event labels in dashboard ICS export (#5886, #6372, #6769, thanks @amCap1712)
• Do not show default values for purged registration fields (#5898, #6772, #6781, thanks @amCap1712)
• Do not create empty survey sections during event cloning (#6774)
• Fix inaccurate timezone in the dates of the timetable PDF (#6786)
• Fix error with accommodation fields that have the "no accommodation" option disabled (#6812)
• Reset token-based links for correct user when done by an admin (#6814)

♿ Accessibility

• Make field validation error messages more accessible in the registration form (#6324, thanks @foxbunny)
• Implement a new date range picker and use it in the Room Booking module (#6464, thanks @foxbunny)
• Make main section title in the base layout the default bypass blocks target (#6726, thanks @foxbunny)
• Improve places selection accessibility in SingleChoiceInput (#6763, thanks @foxbunny)
• Improve places selection accessibility in MultiChoiceInput (#6764, thanks @foxbunny)
• Improve BooleanInput accessibility (#6756, thanks @foxbunny)
• Improve keyboard navigation order within the category list page (#6776, thanks @foxbunny)

🔧 Internal Changes

• Remove the marshmallow-enum dependency (#6701, #6703, thanks @federez-tba)
• Add new signals during signup email validation and login which can make the process fail with a custom message (#6759, thanks @openprojects)

⚠️ Security fixes

• Fix an open redirect during account creation. Exploitation requires initiating account creation with a maliciously crafted link, and then finalizing the signup process, after which the user would be redirected to an external page instead of staying on Indico (thanks @GauthierGitHub)

🎏 Internationalization

• New translation: Japanese

🎉 Improvements

• Allow specifying "prev" and "next" as the date param on the category overview page to show the previous or next period relative to the current date (#6537)
• Add caching and rate-limiting (configurable via LATEX_RATE_LIMIT, and only applied to unauthenticated users) for endpoints that trigger LaTeX PDF generation (#6526)
• Log changes to registration form settings in the event log (#6544, thanks @vtran99)
• Improve conference participant list, especially when participants from multiple registration forms are shown separately (#6440, #6489)
• Include information about attached files in JSON export of abstracts (#6556)
• Take session program codes into account when sorting parallel sessions with the same start time in meeting timetable (#6575)
• Enforce browser-side caching of event logos and custom stylesheets (#6555, #6559)
• Default to banner-style (full width) logos in newly created conference events (#6572, thanks @OmeGak)
• Add email placeholder for the picture associated with a registration (#6580, thanks @vtran99)
• Allow setting placeholders for text fields in receipt templates (#6587)
• Add a new receipt template for Certificates of Attendance (#6587)
• Show correct repetition details for bookings repeating every n weeks (#6592)
• Show context (event/contribution title etc.) in the title of the minutes editor (#6584, #6591)
• Streamline "get next editable" UI and only show editables that still unassigned (#6583)
• Add preview link for custom text snippets in registration notification emails (#6539, #6560, thanks @moliholy, @unconventionaldotdev)
• Stop spoofing email sender addresses when using the SMTP_ALLOWED_SENDERS and SMTP_SENDER_FALLBACK config settings. Instead, the From address will be rewritten to the fallback whenever the requested address is not an allowed sender (#6231, thanks @SegiNyn)
• Allow alternative CSV delimiters everywhere when importing content from CSV files (#6607, thanks @moliholy, @unconventionaldotdev)
• Improve readability of room booking room statistics card (#6616)
• Add option to use flat zip file structure when downloading registration attachments (#6536, #6608, thanks @moliholy, @unconventionaldotdev)

🐛 Bugfixes

• Make picture field more resilient when uploading and resizing pictures close to the max upload file size (#6530, thanks @SegiNyn)
• Fix the order of the event classifications in edit mode (#6531, #6534)
• Fix an issue where scheduling a contribution on a day with an empty timetable would schedule it on the first day of the event instead (#6540, #6541)
• Fix error in unmerged participant list when the picture field is enabled and participant list columns have not been customized for that registration form (#6535)
• Fix breakage of the registration form dropdown field (and anything else using a custom element that uses ElementInternals) in older versions of Safari (#6549, thanks @foxbunny)
• Fix linebreak display in markdown code blocks in survey section descriptions (#6553)
• Include attached pictures when downloading registration attachments (#6564)
• Only allow marking unpaid registrations as paid (#6330, #6578)
• Do not allow mixing notification rules for invited abstracts with other rules (#6563, #6567)
• Use locale-aware price formatting in registration form fields (#6586)
• Handle badge designer items exceeding the canvas boundaries more gracefully (#6603, thanks @SegiNyn)

♿ Accessibility

• Improve country input accessibility (#6551, thanks @foxbunny)
• Reimplement Checkbox to make it programmatically focusable (#6528, thanks @foxbunny)
• Implement a RadioButton component to replace the SUI radio button in order to improve keyboard support (#6621, thanks @foxbunny)
• Improve keyboard accessibility of the timetable sessions field in registration form (#6639, thanks @foxbunny)

🔧 Internal Changes

• Make positioning logic from TipBase generic and reusable (#6577, #6588, thanks @foxbunny)
• Add additional signals related to videoconferences and their event links (#6475)
• Videoconference plugins now need to implement a delete_room method (#6475)
• Support translator comments when extracting translatable strings (#6620)
• renderAsFieldset option in the registration field registry can now be a function that returns a boolean (#6621, thanks @foxbunny)
• Allow overriding global theme settings for custom meeting themes (#6622)

⚠️ Security fixes

• Fix an XSS vulnerability during account creation. Exploitation requires initiating account creation with a maliciously crafted link, and then finalizing the signup process, so it can only target newly created (and thus unprivileged) Indico users. We consider this vulnerability to be of "medium" severity since the ability to abuse this is somewhat limited, but you should update as soon as possible nonetheless (GHSA-rrqf-w74j-24ff)

🎏 Internationalization

• New translation: Swedish

🎉 Improvements

• Allow cropping an existing picture in registration form picture fields (#6423, thanks @SegiNyn)
• Add task to delete old registration files when they become orphaned due to a new file being uploaded (#6434, thanks @SegiNyn)
• Allow searching for author names in editable lists (#6451)
• Add ability to filter editable lists by the parent session of the editable's contribution (#6453)
• Allow alternative CSV delimiters when importing registration invitations (#6458, thanks @moliholy, @unconventionaldotdev)
• A room's bookable hours can now be applied to specific weekdays, making it unbookable on any other weekdays (#6439)
• Add global settings for min/max registration form data retention periods (#6445, thanks @SegiNyn)
• Always open links in registration form field/section descriptions in a new tab (#6512)
• Preserve entered text when switching between commenting and judging in the editing module (#6503, #6502)
• Add quick setup button to configure default notifications in Call for Abstracts (#6454, thanks @jbtwist)

🐛 Bugfixes

• Fix display of empty session selection in registration summary (#6421, thanks @jbtwist)
• Include date when displaying session field data in registration summary (#6431, thanks @jbtwist)
• Fix the order of a day's session blocks in the registration form session field (#6428, thanks @jbtwist)
• Wrap overly long descriptions and filenames in registration form fields (#6436, thanks @SegiNyn)
• Fix validation error when clearing a date field in the registration form (#6470)
• Fix access error when a manager registers a user in a private registration form (#6486)
• Fix access error when a manager uploads files in a private registration form (#6487, thanks @vtran99)
• Improve color handling in badge designer (auto-add # for hex colors) (#6492)
• Do not count deleted rooms for equipment/attribute usage numbers (#6493, #6494)
• Allow deleting event persons which are linked to a deleted subcontribution (#6495)
• Fix validation error in registration form date fields when using Safari (#6474, #6501, thanks @foxbunny)
• Fix date picker month/year navigation not working in Safari (#6505, thanks @foxbunny)
• Enforce a minimum size on the registration form picture cropper to avoid sending an empty image after repeated cropping (#6498, thanks @jbtwist)
• Fix future events being always displayed after current events in categories while not logged in (#6509)

♿ Accessibility

• Improve registration form single choice input accessibility (#6310, thanks @foxbunny)

🔧 Internal Changes

• Indicate when a booking begins/ends in the booking calendar in day-based mode (when using a plugin to customize the room booking module) (#6414)
• Update the list of supported browsers so people using highly outdated browsers where certain features are likely broken get a warning about having to update their browser (#6442)
• Convert Room Booking splash image to WEBP (20x smaller file size) (#6468, #6465, thanks @bbb-user-de)
• Add support for TypeScript (and TSX) (#6456)
• Add <ind-combo-box> custom element (#6310, thanks @foxbunny)
• Add <ind-select> custom element (#6310, thanks @foxbunny)
• Indico and plugin wheels are now built using hatchling instead of setuptools, and package metadata is specified using pyproject.toml. Developers who want to build their own plugins need to switch from setup.py and/or setup.cfg to pyproject.toml as well (#6477)
• Prevent timetable entries with zero/negative durations (#6420)
• Warn when required indico.conf settings are missing or empty (#6504, thanks @OmeGak)

🎏 Internationalization

• New translation: Hungarian

🎉 Improvements

• Add dialog to contact event participants about a survey (#6069, #6144)
• Allow linking existing room booking occurrences to an event (#6243, thanks @moliholy, @unconventionaldotdev)
• Support including a picture (from a registration's picture field) in the conference participant list (#6228, thanks @vtran99)
• Add FAVICON_URL config option to set a custom URL for the favicon (#6323, thanks @SegiNyn)
• Allow filtering the contribution list in the management area by custom fields (#6213, #6214)
• Show "Go to timeline" button on the contribution page to everyone who can see the timeline of one of its editables instead of just submitters (#6344)
• Add a new "Timetable Sessions" registration form field type which allows selecting session blocks from the event (#6184, thanks @jbtwist)
• Link the event title to the event in registration emails (#6358)
• Add the option to make registration forms private so they can only be accessed using a secret link (#6321, thanks @vtran99)
• Add experimental support for creating Apple Wallet (Passbook / pkpass) tickets (opt-in via ENABLE_APPLE_WALLET indico.conf setting) (#6248, thanks @openprojects)
• Add a new event management permission that grants access only to the contributions module (#6348)
• Add bulk JSON export option in management contribution list (#6370)
• Make the default roles of the contribution person link list field more similar to the abstract person link list field when there is a linked abstract (#6342)
• Add option to hide person titles throughout the event (#38, #6104, thanks @vasantvohra)
• Preserve input when switching between judgment actions for an editable (#6375)
• Allow generating documents from the registration summary page (#6212, #6306, thanks @hitenvidhani)
• Modernize the event social share widget and add support for sharing to Mastodon (#6289)
• Enable the calendaring + social sharing widget in events by default (#6398)
• Ignore diacritics when searching in the registration form country field (#6403, thanks @tomako)
• Add preview option for managers to see the participant list as shown to registered participants or unregistered guests (#6052, thanks @vtran99)

🐛 Bugfixes

• Fix the dashboard iCal export returning old events instead of recent ones when the maximum number of events to include is reached (#6312)
• Fix an error in the Check-in app API wben retrieving details for a registration form that includes static labels (#6326)
• Fix action buttons being pushed outside the content area in the survey editor in case of very long survey option titles (#6325)
• Only allow accessing avatars for published registrations (#6347)
• Fix error when trying to import data from an unlisted event (#6350, #6351)
• Show results from the Get Next Editable search on top of the list (#6353)
• Attach registration pictures and display them inline when sending email notifications instead of just showing their filename (#6336, #6411, thanks @SegiNyn)
• Fix editable list filter storage being shared between different editable types and events (#6359)
• Fix UI breaking when performing bulk actions via the list of editables (#6369)
• Include registration documents in user data export (#6331, #6338)
• Fix error when viewing an abstract with reviews in deleted tracks (#6393)
• Do not include custom messages about the current registration status when sending notifications about new documents (#6413)
• Only normalize title slug in custom page URL after successful access check (#6416, #6417)

♿ Accessibility

• Improve registration form date picker accessibility (#6371, thanks @foxbunny)

🔧 Internal Changes

• Use unguessable URLs for user avatar pictures (#6346, thanks @vtran99)
• Add <ind-date-picker> custom element (#6371, #6406, thanks @foxbunny)
• Use native ESM for webpack config files (#6389)

🎉 Improvements

• Use more verbose page titles in management/admin areas (#6300)
• Prioritize exact matches when searching for users (#6254)
• Show document templates from non-parent categories and other events for cloning as long as the user has management access (#6232)
• Warn about conflicts from concurrent edits of minutes (#3410, #6193)
• Include up to two months (up from one week) of past events in dashboard iCal export (#6304)

🐛 Bugfixes

• Fix adding additional event keywords when some keywords have already been set (#6264, thanks @SegiNyn)
• Fix overlapping times in some room booking timelines when using a locale with a 12-hour time format (#6263)
• Fix error when printing badges referencing a linked regform picture field that contains no picture (#6276)
• Fix error when creating a reminder for exactly one week before the event (#6283)
• Fix error when unassigning the editor of an editable that has no editor (#6284)
• Fix error when judging an editable from the list of editables (#6284)
• Fix validation error when using a mailto: link in an email body (#6286)
• Clear the flags indicating that registrations or a registration form field have been purged when cloning an event (#6288)
• Use English locale when formatting dates for room booking log entries (#6295)
• Fix date validation in room booking failing in certain timezones

🔧 Internal Changes

• Allow plugins to fully replace the data in a ticket QR code with a custom string instead of just modifying/extending the JSON dict (#6266)
• Replace deprecated pkg_resources with importlib from standard library (#6272, #6273, thanks @maxnoe)

🐛 Bugfixes

• Fix sending emails when using TLS (SMTP_USE_TLS) (#6261)

⚠️ Linux versions & Python 3.12 🐍

This release moves from Python 3.9 to Python 3.12. 🐍
It also drops support for legacy (and nearly end-of-life) operating systems, in particular CentOS 7.

Because of this, make sure to read the 3.x to 3.3 upgrade guide if you plan to upgrade an existing instance.

If you need any help with the upgrade after reading the docs, don't hesitate to ask in our forum.

🏆 Major Features

• A new "Document Templates" module was added which supports the generation of fully customizable PDF documents for event participants such as receipts and certificates of attendance.
• The Room Booking module now supports recurring bookings that repeat on specific weekdays. For example, a room can be booked every Monday and Wednesday over a set period of time.
• Badge and ticket templates can now be linked to a registration form. This makes it possible to reference custom registration fields when creating the template.
• The existing Indico Check-in app has been completely rewritten as a PWA (Progressive Web App). Please note that the old Check-in app has been deprecated and is not compatible with the new version of Indico. The new app can be found here.
• A new badge/ticket setting has been added which, when enabled, makes it possible to print badges and/or tickets for accompanying persons in addition to the main registrant.
• Users can now export all their data stored in Indico. This includes personal data and any data they are linked to such as registrations, minutes and files uploaded to Indico.
• Users can now be anonymized in Indico; this means that all personal identifiers associated with a user will be removed from Indico, whilst only keeping the data that is required for Indico to function properly, in an anonymized manner. This operation can only be performed by Indico system administrators through the indico command-line interface.
• Administrators now have the option to require users to accept the Terms of Use during signup and after the terms have been updated.
• Event managers can require participants to accept the event's Privacy Policy when registering.
• Event tickets can now be added to Google Wallet using the new experimental Google Wallet integration. You can enable this feature using the ENABLE_GOOGLE_WALLET config setting and then configure it on the category level.
• The category calendar view has been improved with new week/day views and new filtering options for category, venue, room or keywords.
• Managers can now change the registration fee for selected registrations in bulk.
• Lots of new accessibility improvements, including improved keyboard navigation, better color contrast, and better screen reader support.

🎏 Internationalization

• New locale: English (Canada) (#6063, thanks @OmeGak)

🎉 Improvements

• Invalidate password reset links once the password has been changed (#5878)
• Add full ACLs for custom conference menu items, instead of just being able to restrict them to speakers or registrants (#5670, thanks @kewisch)
• Make editing timeline display much more straightforward (#5674)
• Allow event managers to delete editables from contributions (#5778, #5892)
• Allow room managers to add internal notes to bookings (#5746, #5791)
• Support generating tickets and badges for each of the registrant's accompanying persons (#5424)
• Add keyboard shortcut (CTRL-SHIFT-A) to toggle room booking admin override (#5909)
• Improve login page UI, allow overriding the logo URL (LOGIN_LOGO_URL config option) and using custom logos for auth providers (logo_url in the auth provider settings) (#5936, thanks @openprojects)
• Show only active registration counts on the registration form management dashboard, and add an inactive registration count to the registration list (#5990)
• Store creation date of users and show it to admins (#5957, thanks @vasantvohra)
• Add option to hide links to Room Booking system for users who lack access (#5981, thanks @SegiNyn)
• Support weekly room bookings that take place on multiple weekdays (#5829, #6000, #5806)
• Hide events marked as invisible from builtin search results unless the user is a manager (#5947, thanks @openprojects)
• Support sessions that expire at a certain date (specified by the used flask-multipass provider) regardless of activity when using an external login method (#5907, thanks @cbartz)
• Allow configuring future months threshold for categories (#2984, #5928, thanks @kewisch)
• Allow editors to edit their review comments on editables (#6008)
• Auto-linking of patterns in minutes (e.g. issue trackers, Github repos...) (#5998)
• Log editor actions in the Editing module (#6015)
• Grant subcontribution speakers submission privileges by default in newly created events (#5905, #6025)
• Stop overwhelmingly showing past events in the 'Events at hand' section in the user dashboard (#6049)
• Add document templates to generate PDF receipts, certificates, and similar documents for event participants (#751, #5060, #6246, #5123, #6078, #6250)
• Show which persons are external in the user search dialog (#6074)
• Add feature for users to export all data linked to them (#5757)
• Add Outlook online calendar button to share widget (#6075, #6077)
• Remove Facebook and Google+ share widgets and make Twitter share button privacy-friendly (#6077)
• Do not bother people registering using an invitation link with a CAPTCHA (#6095)
• Add option to allow people to register using an invitation link even if the event is restricted (#6094)
• Improve editing notifications emails (#6027, #6042, #6154)
• Add a picture field for registration forms which can use the local webcam to take a picture in addition to uploading one, and also supports cropping/rotating the picture (#5922, thanks @SegiNyn)
• Use a more compact registration ticket QR code format which is faster to scan and less likely to fail in poor lighting conditions (#6123)
• Add a legend to the category calendar, allowing to filter events either by category, venue, room or keywords (#6105, #6106, #6128, #6148, #6149, #6127, #6110, #6158, #6183, thanks @moliholy, @unconventionaldotdev)
• Allow to configure a restrictive set of allowed keywords (#6127, #6183, thanks @moliholy, @unconventionaldotdev).
• Add week and day views in the category calendar and improve navigation controls (#6108, #6129, #6107, #6110, thanks @moliholy, @unconventionaldotdev).
• Add the ability to clone privacy settings (#6156, thanks @SegiNyn)
• Add option for managers to change the registration fee of a set of registrations (#6132, #6138)
• Add setting to configure whether room bookings require a reason (#6150, #6155, thanks @moliholy, @unconventionaldotdev)
• Add a "Picture" personal data field to registrations. When used, it allows including the picture provided by the user on badges/tickets (#6160, thanks @vtran99)
• Support ~~text~~ to strike-out text in markdown (#6166)
• Add experimental support for creating Google Wallet tickets (opt-in via ENABLE_GOOGLE_WALLET indico.conf setting) (#6028, thanks @openprojects)
• Add option to exceptionally grant registration modification privileges to some registrants (#5264, #6152, thanks @Thanhphan1147)
• Add option to require users to agree to terms during signup or after they have been updated (#5923, #5925, thanks @kewisch)
• Add indico user delete CLI to attempt to permanently delete a user (#5838)
• Add indico user anonymize CLI to permanently anonymize a user (#5838)
• Add possibility to link room reservations to multiple events, session blocks and contributions (#6113, #6114, thanks @OmeGak, @unconventionaldotdev)
• Store editable list filters in the browser's local storage (#6192)
• Take visibility restrictions into account in the atom feed (#5472, thanks @bpedersen2)
• Allow linking badge templates to registration forms in order to use custom fields in them (#6088)
• Allow filtering the list of editables by tags (#6195, #6197)
• Warn users with a dialog before their session expires and let them extend it (#6026, thanks @SegiNyn)

🐛 Bugfixes

• Prevent room booking sidebar menu from overlapping with the user dropdown menu (#5910)
• Allow cancelling pending bookings even if they have already "started" (#5995)
• Disallow switching the repeat frequency of an existing room booking from weekly to monthly or vice versa (#5999)
• Ignore deleted fields when computing the number of occupied slots for a registration (#6035)
• Show the description of a subcontribution in conference events (#5946, #6056)
• Only block templates containing a QR code via is_ticket_blocked (#6062)
• Use custom map URL in event API if one is set (#6111, thanks @stine-fohrmann)
• Use the event timezone when scheduling call for abstracts/papers (#6139)
• Allow setting registration fees larger than 999999.99 (#6172)
• Populate fields such as first and last name from the multipass login provider (e.g. LDAP) during sign-up regardless of synchronization settings (#6182)
• Hide redundant affiliations tooltip on the Participant Roles list (#6201)
• Correctly highlight required "yes/no" registration form field as invalid (#6109, #6242)
• Include comments in the Paper Peer Reviewing JSON export (#6253)
• Fail with a nicer error message when trying to upload a non-UTF8 CSV file (#6085, #6259)
• Do not include unnecessary user data in JSON exports (#6260)

♿ Accessibility

• Include current language in page metadata (#5894, thanks @foxbunny)
• Make language list accessible (...