You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Custom SNI support for stunnel/wstunnel anti-censorship connections.
Cross-platform diagnostics for API connectivity login failures so logs can better distinguish DNS, routing, proxy, IPv4/IPv6, and local security-policy failures.
Improved
The Windows IKEv2 connector. A complete rewrite of the code to improve connection setup speed and connection robustness.
Anti-censorship startup and failover by supporting parallel backup domain testing in wsnet.
Firewall behavior consistency across platforms and firewall modes.
Linux firewall implementation by replacing iptables shell calls with libnftables.
Linux split tunneling so non-tunneled apps can preserve ISP IPv6 on native dual-stack networks while tunneled apps remain leak-protected.
Always On/Always On+ firewall handling with Allow LAN Traffic by disabling risky LAN allowance on mode enable and warning when LAN traffic is explicitly re-enabled.
macOS installer/update code paths and installer flow.
Linux firewall/routing fwmark handling by centralizing fwmark use and avoiding incorrect WireGuard mark behavior.
Hardening for elevated executables using Windows process mitigation APIs where applicable.
Windows compiler and linker security hardening, including Control Flow Guard and related mitigation settings.
Windows build targeting to Windows 10 2004 so newer Windows APIs can be used without changing the minimum install version.
Split tunneling error handling so startup failures can show the usual Split Tunneling failed alert on macOS.
Objective-C memory management consistency by enabling ARC uniformly across the project.
CLI-only behavior by automatically watching config file changes instead of requiring windscribe-cli preferences reload.
Dependency build integrity by pinning or verifying wstunnel and AmneziaWG prebuilt source dependencies.
Fixed
Security audit findings covering macOS signature validation, Windows WireGuard config permissions, local IPC robustness, AmneziaWG input validation, and sensitive logging paths.
Static IP OpenVPN/TCP connections prompting for credentials instead of supplying stored Static IP credentials internally.
Remembered credentials for external .ovpn custom configs not being persisted immediately across restart/reboot.
Polish free-data counter text overlapping the upgrade CTA and locations-list chevron.
Hashed-login failures caused by user accidentally including leading/trailing whitespace in their input.
WireGuard connection mode unavailable when Always On+ firewall mode is enabled and cached WireGuard connection information is available.
c-ares Windows DNS server detection regression that could leave only 127.0.0.1:53 and cause DNS resolution failures.
The Windscribe service getting stuck in the stop pending state when a stop is requested while the desktop app is running on Windows.
A possible crash when enabling Secure Hotspot after connecting the VPN on Windows.
A rare crash when launching at startup before macOS screen information is available.
Linux firewall block rule ordering so Windscribe's kill-switch block path takes precedence over UFW/third-party allow rules.
openSUSE Tumbleweed RPM install failure related to the libcap-progs dependency path.
Allow LAN traffic not applying correctly to IPv6 LAN and multicast traffic while connected on Windows.
Missing warning when split tunneling is enabled while the macOS split tunneling extension has been manually disabled.
Allow LAN traffic IPv6 behavior on macOS so ULA and multicast traffic are blocked on the VPN interface while remaining reachable on the physical LAN.
Updated
cURL to 8.21, c-ares to 1.34.7, OpenVPN to 2.7.5, OpenSSL to 4.0.1, and wsnet to 1.5.27 for security updates.
Package signing and update authenticity hardening for supported Linux packages.
Improved
App hardening from the Fable 5 audit, including WireGuard key validation, Control D API key log redaction, IPC exposure hardening, safer logging, installer argument redaction, and package/dependency handling fixes.
Windows helper IPC parameter validation to reduce local IPC attack surface.
Linux helper IPC/API hardening after EGL gid-check bypass review.
Windows IKEv2 connector stability to mitigate possible crashes.
macOS builds against Xcode 26.5 and enabled ARC for client-common Objective-C++ code.
Proxy Gateway privacy by no longer logging blocked destinations for HTTP and SOCKS gateway requests.
IP Stack preference wording to clarify it applies to WireGuard only.
Preferences title casing consistency.
Sign Up screen helper text styling under the Password and Email fields.
JSON/INI import consistency for proxy sharing and MAC spoofing settings.
Debug logs by removing false positives that could mislead automated log analysis on Windows.
Russian and Ukrainian translations in the desktop app, installer, and CLI from GitHub user WkdXeqtr.
Belarusian translations in the desktop app, installer, and CLI from GitHub user dubovy-achvelak.
Fixed
DLL planting vulnerability in the Windows bootstrapper and uninstaller.
Windows installer/updater staging TOCTOU allowing the privileged helper to copy from a different source path than the one it validated.
Local privilege escalation security vulnerability from app retaining SETGID capability after group switch on Linux.
Possible local privilege escalation chain involving external-link opening and OpenVPN directive validation bypass.
OpenVPN custom config filtering to handle embedded NULL/control characters consistently and reject unsafe directives.
OpenVPN custom config parsing to prevent commented-out route-nopull / route-noexec text from disabling automatic firewall handling.
IPv6 connection modes for WireGuard locations that support IPv6.
OpenVPN DCO support when the ovpn-dco-v2 module is available on Linux.
Public IP address to windscribe-cli status output, including split tunnel mode.
Improved
OpenVPN anti-censorship support by replacing the custom junk packet implementation with Amnezia-compatible Junk and I packet options.
OpenVPN custom config filtering for connection blocks and unsafe custom config paths.
Proxy Gateway security by blocking proxied connections to localhost, LAN, and link-local destinations, and adding authentication for shared proxy access.
Custom config directory security checks to run without elevation and correctly detect directories writable by other users.
Flatpak app split tunneling by matching Flatpak app IDs instead of relying only on executable/command name matching.
Windows installer handling when the Base Filtering Engine service is stopped, unavailable, or blocked by security software.
JSON/INI import consistency for proxy sharing and MAC spoofing settings.
Connection manager connector internals for maintainability without changing connection behavior.
Dependency build tooling security by using safe YAML config loading.
Validation for settings.
Helper file handling and permissions on macOS and Linux.
Helper reliability when reporting system errors on macOS and Linux.
Fixed
Possible local privilege escalation in the bootstrapper temporary extraction flow on Windows.
Possible local privilege escalation in the auto-updater signature verification and launch flow on Windows and macOS.
VPN sharing proxy relay buffering that could duplicate queued socket data or grow memory usage with slow peers.
Some OpenVPN custom configs being rejected.
HTTP Proxy Gateway forwarding proxy authentication credentials to destination websites.
A possible crash when downgrading from 2.23 to an older version.
Auth token parse failures logging the raw API response, which could expose session token data in debug logs.
Helper IPC frame parsing to reject malformed or oversized messages safely on Windows and Linux.
Exported preferences not preserving the DNS Manager option on Linux.
Migration of legacy Flatpak split tunneling entries so existing rules continue to work.
Generated OpenVPN config files and runtime directories using overly broad permissions that could expose VPN key material to local users on macOS and Linux.
stunnel/wstunnel relay listeners binding to all interfaces instead of loopback only on macOS and Linux.
Updated
Qt to 6.11.1.
OpenVPN to 2.7 with handling for management output changes, Windows DCO/TAP behavior, and Stealth/WStunnel disconnect behavior.
OpenSSL 4.0.
WireGuard for Windows to the latest 1.0 release.
Bundled wstunnel binaries to the latest available release.