Tags: CTFd/CTFd

Mark 3.8.0 (#2832)

# 3.8.0 / 2025-09-04

**General**

- Admins can now configure whether users can see their past submissions
- Admins can now store challenge solutions within CTFd to be viewed by users
- Participants can now leave upvotes/downvotes on challenges as well as their review of a challenge
  - Ratings/Votes can be configured to be viewed by participants or only admins
  - Reviews are only visible by admins
- Challenges now have the `logic` field which allows for challenge developers to control the flag collection behavior of a challenge:
  - `any`: any flag is accepted for the challenge
  - `all`: all flags for the challenge must be submitted
  - `team`: all team members must submit any flag
- Max Attempts can now behave as a timeout instead of a lockout
  - For example a user who submits 3 attempts will then be prevented from submitting another attempt for 5 minutes instead of being unable to submit entirely
- Social Shares for challenge completion are now enabled by default and admins may now control the social share template page
- Additional attempts after solving on challenges will now show if the submission is correct/incorrect
- If email sending is available, email confirmation is enabled by default and users are nudged to complete email verification.
- Hints can now have a title that is shown before unlocking
- Hints now always require unlocking even if they require no cost
  - Prevents accidental viewing and improves tracking of hint usage
- CTFd will now store a tracking event under `challenges.open` in the Tracking table when a challenge is opened for the first time by a user
- Challenges now report whether a flag is correct or incorrect even if the challenge has already been solved
- Fixes issue where admins could not download challenge files before CTF start when downloading anonymously

**Admin Panel**

- Added a matrix scoreboard to the Statistics page to show player progression through the CTF
- Added support for brackets in the Admin Panel scoreboard
- Added config option for minimum password length
- Added config option to control whether players can view their previous submissions
- Admins can now require users to change their password upon login
- Added config option to control Max Attempts behavior
- In the Admin Panel challenge preview, admins now only see free hints
- Fixed issue where the hint form was not resetting properly when creating multiple hints

**API**

- Added `/api/v1/users/me/submissions` for users to retrieve their own submissions
- Added `/api/v1/challenges/[challenge_id]/solutions` for users to retrieve challenge solutions
- Added `/api/v1/challenges/[challenge_id]/ratings` for users to submit ratings and for admins to retrieve them
- Added `ratings` and `rating` fields to the response of `/api/v1/challenges/[challenge_id]`
- Added `solution_id` to the response of `/api/v1/challenges/[challenge_id]`
  - If no solution is available, the field is `null`
- Added `logic` field to the response of `/api/v1/challenges/[challenge_id]`
- Added `change_password` field to `/api/v1/users/[user_id]` when viewed as an admin
- Added `/api/v1/solutions` and `/api/v1/solutions/[solution_id]` endpoints
- `/api/v1/unlocks` is now also used to unlock solutions for user viewing

**Deployment**

- Added `PRESET_ADMIN_NAME`, `PRESET_ADMIN_EMAIL`, `PRESET_ADMIN_PASSWORD`, and `PRESET_ADMIN_TOKEN` to `config.ini` for pre-creating an admin user
  - Useful for automated deployments and ensuring a known admin token exists
- Added `PRESET_CONFIGS` to `config.ini` for pre-setting server-side configs
  - Useful for configuring CTFd without completing setup or using the API
- Added `EMAIL_CONFIRMATION_REQUIRE_INTERACTION` to `config.ini` to require additional interaction for email confirmation links
  - Improves compatibility with certain anti-phishing defenses
- Email confirmation is now enabled whenever email sending is available
- Replaced `pybluemonday` with `nh3` (due to breakage in Python modules written in Golang)
- Updated Flask to 2.1.3
- Updated Werkzeug to 2.2.3

**Plugins**

- Challenge Type Plugins should now return a `ChallengeResponse` object instead of a `(status, message)` tuple
  - Existing behavior is supported until CTFd 4.0
- Added `BaseChallenge.partial` for challenge classes to indicate partial solves (for `all` flag logic)

**Themes**

- The `core-beta` theme has been promoted to `core`
- The `core-beta` repo has been replaced with the [core-theme repo](https://github.com/CTFd/core-theme). Future changes should be made there
- The previous `core` theme has been deprecated and renamed `core-deprecated`

Mark 3.7.7 (#2747)

# 3.7.7 / 2025-04-14

**General**

- Added ability to denylist/blacklist email domains from registering
- Hints can now include an optional title that is shown to users before unlocking

**Admin Panel**

- Challenge files now show the stored sha1sum

**Deployment**

- Fixed issue where the `/api/v1/scoreboard/top/<count>` endpoint wouldn't cache different count values properly
- The `/api/v1/scoreboard/top/<count>` endpoint will now return at most the top 50 accounts
- Updated gunicorn to 23.0.0
- Updated Jinja2 to 3.1.6

Mark 3.7.6 (#2710)

# 3.7.6 / 2025-02-19

**Security**

- Added the `TRUSTED_HOSTS` configuration to more easily restrict CTFd to valid host names

**General**

- Added language switcher on the main navigation bar
- Removed autocomplete=off from login, register, and reset password forms

**Plugins**

- Challenge type plugins can now raise `ChallengeCreateException` or `ChallengeUpdateException` to show input validation messages
- Plugins specifying a config route will now appear in the Admin Panel under the Plugins section

**Translations**

- Add Romanian, Greek, Finnish, Slovenian, Swedish languages

Mark 3.7.5 (#2686)

# 3.7.5 / 2024-12-27

**Security**

- Change confirmation and reset password emails to be single use instead of only expiring in 30 minutes

**General**

- Fix issue where users could set their own bracket after registration
- If a user or team does not have a password set we allow setting a password without providing a previous password confirmation
- Fix issue where dynamic challenges did not return their attribution over the API
- Language selection is now available in the main theme navigation bar

**Admin Panel**

- A point breakdown graph showing the amount of challenge points allocated to each category has been added to the Admin Panel
- Bracket ID and Bracket Name have been added to CSV scoreboard exports
- Fix issue with certain interactions in the Media Library

**API**

- Swagger specification has been updated to properly validate
- `/api/v1/flags/types` and `/api/v1/flags/types/<type_name>` have been separated into two separate controllers

**Deployment**

- IP Tracking has been updated to only occur if we have not seen the IP before or on state changing methods
- Bump dependencies for `cmarkgfm` and `jinja2`

Mark 3.7.4 (#2621)

# 3.7.4 / 2024-10-08

**Security**

- Validate email length to be less than 320 chars to prevent Denial of Service in email validation

**General**

- Add attribution field to Challenges

**Admin Panel**

- Display brackets in the Admin Panel

**Themes**

- Display brackets for users/teams on listing pages and public/private pages
- Fix miscellaneous issues in core-beta
- Adds dark mode to core-beta theme
- Fix issue with long titles in challenge buttons
- Adds `type` and `extra` arguments to `Assets.js()` and default `defer` to `False` as `type="module"` automatically implies defer
- ECharts behavior for some graphs in core-beta can now be overridden using the following window objects `window.scoreboardChartOptions`, `window.teamScoreGraphChartOptions`, `window.userScoreGraphChartOptions`
- Update the scoreboard score graph to reflect the current active bracket changes

**Deployment**

- Add `.gitattributes` to keep LF line endings on .sh files under Windows
- Fix issues where None values are not cast to empty string
- Bump dependencies for `pybluemonday`, `requests`, and `boto3`

Mark 3.7.1 (#2549)

# 3.7.1 / 2024-05-31

**Admin Panel**

- The styling of the Config Panel has been updated to better organize different settings
- When switching user modes via the Admin Panel, all teams will now be removed
- Fix issues where importing CSVs comprised of JSON entries would fail
- Add `serializeJSON` function back into the Admin Panel

**API**

- The `/api/v1/exports/raw` API endpoint has been added to allow for exports to be generated via the API
- Update the ScoreboardDetail endpoint (`/api/v1/scoreboard/top/<count>`) to return account URL, score, and bracket
- Add a query parameter to ScoreboardDetail endpoint (`/api/v1/scoreboard/top/<count>`) to filter by bracket
- Return `function` field for DynamicValue challenges data read

**General**

- Add Italian and Vietnamese languages
- Switch to Crowdin for translations

**Themes**

- Add `defer` parameter to `Assets.js()` to allow controlling the defer attribute of inserted `<script>` tags

**Plugins**

- Plugins can now define a `config` entry in `config.json` to define a template to embed into the Config Panel
- Add the `make_cache_key_with_query_string` to allow for caching based on query string arguments

**Deployment**

- MariaDB version provided in docker-compose.yml has been updated to `10.11`
- Static assets (theme files, static files) will now return a Cache-Control header with a `max-age` of 3600
- Add the `/debug` endpoint to show CTFd debugging information
  - Currently showing the IP address that CTFd is seeing for the request and the request headers
  - `/debug` will only be enabled if the `SAFE_MODE` config is enabled

Mark 3.6.1 (#2438)

# 3.6.1 / 2023-12-12

**Security**

- Fix an issue where users could bypass Score Visibility and see a user's score/place when not allowed by Admins

**General**

- Add Slovak, Japanese, Brazilian Portuguese translations
- Update Chinese translation
- Fix Dynamic challenges not showing the Next Challenge

**API**

- Add `email` as a `field` to query to `/api/v1/users` and `/api/v1/teams` to allow searching via email address for Admins
- Accept multipart/form-data with token auth for file upload to `/api/v1/files`
- Always allow a user/team to see their own score when querying their own self endpoints regardless of Score Visibility
  - A user can always calculate their score regardless of any setting because they can simply sum all of their challenges

**Admin Panel**

- Fix an issue where polymorphic tables (i.e. solves) could not be CSV exported correctly

**Themes**

- When using core-beta, `meta` tags can now be inserted into pages from render_template calls

**Deployment**

- Fix an issue where S3 uploads would not work if the server's timezone was not set to UTC
- Update gevent dependency to `23.9.1`