Release notes

Accessible summary of WSA major versions.

This page summarizes WSA's major versions in accessible terms. For the complete technical details of each release (code changes, exact fixes, internal migrations), see the RELEASE.md in the source repository.

Version 2.3.1 — June 17, 2026

🔒 Security & reliability release. nginx 1.30.3 (two CVEs), a hardened install/update chain, and a faster, safer install that no longer compiles Brotli.

What changes

nginx 1.30.3 (CVE-2026-42055, CVE-2026-48142) — the pinned HTTP/3 nginx is updated to 1.30.3, fixing two heap-memory vulnerabilities: a buffer overflow when proxying a crafted request to an HTTP/2 or gRPC backend, and a buffer overread via the charset_map directive. The downloaded source is now PGP-verified against nginx's official signing key when the version is pinned.
Hardened install & update chain — following a complete security audit of the module, the install and update paths were tightened: the component that verifies update signatures is now integrity-locked (it can no longer be swapped over the network), an old unverified update path was removed, and a local privilege-escalation case was closed. Transparent — nothing to do.
Faster, safer install — Brotli is no longer built during installation. A fresh install now only deploys and enables WSA. Brotli is built on demand afterward, from WHM → Nginx Build & Modules (or wsa --nginx-install=brotli). This removes the longest, most failure-prone step from the installer.
A mismatched Brotli module can no longer take nginx down. If the Brotli module on disk was built for a different nginx than the one running (e.g. after an nginx upgrade), WSA now skips loading it instead of letting nginx -t fail — your sites stay online until you rebuild Brotli.

Who is affected

All servers receive the security and reliability improvements on update — no action needed.
HTTP/3-build servers (EL 9 / EL 10 with QUIC): the dashboard will flag the HTTP/3 build as Rebuild needed for nginx 1.30.3.
New installs no longer prompt for Brotli during setup; build it from WHM whenever you want it (the --with-brotli / --skip-brotli install flags are gone).

Updating

Servers with Auto Update enabled receive the update within 24 hours. To apply now:

/etc/wsa/wsa --update --verbose
/etc/wsa/wsa --rebuild-forced --verbose
# HTTP/3 build servers, to compile against 1.30.3:
/etc/wsa/wsa --http3-rebuild --verbose

Version 2.2.15 — June 15, 2026

🖼️ Fix: newsletter images blocked in Gmail. A new trusted-proxy allowlist exempts Gmail's image proxy — and any other first-party proxy you trust — from bot protection.

What changes

Gmail image proxy is allowed by default — When a recipient opens an HTML newsletter in Gmail, Google loads every image through its image proxy (GoogleImageProxy), which presents an old "Windows XP / Firefox 11" User-Agent. That User-Agent matched the Fake User-Agents blocking rule, so the images were rejected with a 444 and did not display in Gmail inboxes. WSA now ships a trusted-proxy allowlist that exempts GoogleImageProxy from every bot-protection category, so newsletter images load again.
Editable in WHM — A new Trusted proxy allowlist appears on the Nginx Configuration → Bot Protection tab: a master On/Off toggle plus an editable token list, pre-filled with GoogleImageProxy. Add other legitimate proxies or fetchers as needed (e.g. FeedFetcher-Google).
Safe by design — Tokens are matched as case-insensitive literal substrings; the allowlist only bypasses bot protection, never the rate-limit volume controls (a User-Agent is trivially spoofed). To switch the allowlist off entirely, use its master toggle — clearing the list alone reverts to the shipped GoogleImageProxy default.

Who is affected

Servers with Bot Protection enabled (the Fake User-Agents category is on by default) that host HTML email newsletters: the Gmail rendering fix applies as soon as the new configuration is generated. No action needed — GoogleImageProxy is allowed out of the box.
Operators who want to allow additional first-party proxies can edit the list in WHM → Nginx Configuration → Bot Protection.

Updating

Servers with Auto Update enabled receive the update within 24 hours, after which a configuration rebuild applies the allowlist. To apply now:

/etc/wsa/wsa --update --verbose
/etc/wsa/wsa --rebuild-forced --verbose

Version 2.2.3 — May 22, 2026

🔒 Security release. Bumps the pinned HTTP/3 nginx version to 1.30.2.

What changes

nginx 1.30.2 (CVE-2026-9256) — fixes a heap memory buffer overflow in a worker process when using a configuration with overlapping captures in ngx_http_rewrite_module. The vulnerability could potentially allow arbitrary code execution. Discovered and reported by Mufeed VH of Winfunc Research.

Who is affected

Servers running the WSA custom HTTP/3 build (EL 9 / EL 10 with QUIC enabled): update recommended as soon as possible.
Servers running the stock nginx RPM: the upgrade is handled separately via your distribution's package manager — WSA's Upgrade nginx button (WHM → Nginx Build & Modules) will detect the new version automatically.

Updating

Servers with Auto Update enabled receive the new pin within 24 hours. Once the pin lands, the dashboard will flag the HTTP/3 build as Rebuild needed — click Rebuild on the Nginx Build & Modules page (or wsa --http3-rebuild --verbose from CLI) to compile against 1.30.2.

To force the WSA module update now:

/etc/wsa/wsa --update --verbose
/etc/wsa/wsa --http3-rebuild --verbose

Version 2.2.0 — May 2026

🚀 First stable release of the 2.2 series. Complete WHM interface overhaul and bot protection layer redesign.

What changes for administrators

New WHM dashboard — All important information (cache status, nginx version, installed modules, bot blocking statistics, problematic accounts) is now gathered on a single landing page. No more navigating between 5-6 menus to diagnose a problem.
Account inventory — List of all cPanel accounts with their current cache profile, integrated filter and search. Bulk application of profiles (Default/None/Custom) to dozens of accounts in one click. CSV export for billing or documentation.
Nginx Build & Modules page — Centralized management of the nginx binary: choose between the standard RPM package and the WSA custom build (with HTTP/3), Brotli rebuild, comparison of pinned versions vs installed versions.
Live visual validation — All configuration fields now validate input on the fly (red border, help tooltip) rather than only at save time.
Restore defaults — Each option now displays its default value next to the field, with a ↺ button to return to the default in one click.

What changes for cPanel customers

Expanded bot categories — Bot protection grows from 4 to 8 categories. AI is now split between search assistants (allowed by default — they help your visitors), user tools (allowed — triggered by a human), and training crawlers (blocked — they consume resources without benefit).
Per-subdomain editing — You can now customize the cache for each subdomain independently, without touching the main domain.
Custom bot lists per domain — You can add or remove specific bots from the block list, on just one of your domains, without affecting the others.
Empty list warning — If you block a bot category but empty the list, a message explains that the empty list does NOT mean "block nothing" — use Allowed for that.

Notable bug fixes

Functional action buttons — The "Rebuild Nginx conf", "Restart Nginx", "Clear all caches", and "Disable WSA" buttons on the WHM dashboard no longer "fell" silently without doing anything.
Live HTTP/3 activation feedback — When an administrator enables QUIC emission, the vhost rebuild output is now visible in real time (before: page blocked 60 seconds with no feedback).
WSA icon in cPanel — On fresh installs, the WSA icon appears immediately in the cPanel applications list (before: could require manual intervention after install).
Cache utilization — On multi-tenant servers with per-user cache, the "Cache Utilization" tile on the dashboard now shows real usage (before: always 0 even with 600+ cached sites).
Strengthened security — Regex validation server-side on all bypass lists (URI, cookies, User-Agents). No injection possible via configuration.

Updating

Updating to 2.2.0 requires no intervention. No site is affected. No setting is lost — existing configurations are automatically migrated to the new interface format.

Servers that enabled Auto Update will receive the update automatically within 24 hours. To force now:

/etc/wsa/wsa --update --verbose

Version 2.1 — April-May 2026

Series of incremental releases that brought:

Bot Protection v2 — Complete overhaul of blocked User-Agent management (per-domain editing, fine granularity per AI category).
HTTP/3 recovery banner — Automatic detection when a dnf update replaces the WSA HTTP/3 binary with the standard package, with rebuild prompt.
EL 10 support — Compatibility with AlmaLinux 10, Rocky Linux 10, and RHEL 10.
ABI drift detection — Automatic detection of nginx ABI changes that would invalidate the Brotli module, with rebuild prompt.

Version 2.0 — March 2026

First release with HTTP/3 (QUIC) support:

Build of a custom nginx binary with --with-http_v3_module from official sources + QuicTLS.
SHA256 verification of downloaded tarballs (security).
Per-vhost QUIC enable and disable via WHM.
Automatic UDP/443 port opening (CSF or firewalld).

Version 1.5 — Late 2025

Integrated Brotli compilation — Brotli is now compiled as a dynamic nginx module directly by WSA, without depending on a third-party RPM package.
dnf monitoring — Daily detection of new nginx versions available via dnf, with update prompt from WHM.

Version 1.4 — Summer 2025

Bot Protection v1 — First version of User-Agent filtering: 4 categories (AI, scanners, SEO, no-agent), global configuration via WHM, log of blocked requests.

Version 1.3 — Spring 2025

Per-user cache (induser_enable) — Each cPanel account gets its own cache zone, isolated from others. Improves multi-tenant fairness and cookie-based bypass.
Revamped advanced mode — The cPanel panel moves from a monolith to clear tabs (Basic, Bot Protection, Dynamic, JS/CSS, Images & Fonts).

Older versions

For details of versions 0.x to 1.2, see the historical RELEASE.md in the repository. Major items:

1.x — Stabilization, EL 8 support, EasyApache 4 integration.
0.x — Early versions, EL 7 support, initial cPanel integration, AutoSSL-based ports.

Support policy

Major version	Active support	Security fixes
2.3.x	✅ active development	✅
2.2.x	✅ fixes only	✅
2.1.x	⚠️ critical fixes only	✅
2.0.x	⚠️ critical fixes only	✅
1.x	❌ end of support	❌

Servers running 1.x should migrate to the 2.x branch. The update is risk-free — all existing configurations are preserved.

Release notes

Version 2.3.1 — June 17, 2026

What changes

Who is affected

Updating

Version 2.2.15 — June 15, 2026

What changes

Who is affected

Updating

Version 2.2.3 — May 22, 2026

What changes

Who is affected

Updating

Version 2.2.0 — May 2026

What changes for administrators

What changes for cPanel customers

Notable bug fixes

Updating

Version 2.1 — April-May 2026

Version 2.0 — March 2026

Version 1.5 — Late 2025

Version 1.4 — Summer 2025

Version 1.3 — Spring 2025

Older versions

Support policy

Further reading