[1.9.0] Update 2FAuth to 6.1.1 Full Changelog issue #​532 Unable to create new entries via the Advanced Form MR #​526 Chinese Traditional translation, thanks to @​olivertzeng MR #​527 Allow pasting on upload page to add QR codes easily, thanks to @​moritzuehlingo BLOCK_OPTAUTH_IMAGELINK_FETCHING: Enable or disable fetching of resources linked in the imagelink parameter of OTPauth URIs encoded in QR codes (doc). THROTTLE_API_DURING_IMPORT: Specific rate limite for API calls made by the Import feature to prevent 429 error during large import (doc, #​522). Mitigate blind SSRF by adding URL validation before imagelink resources are fetched (thx @​DenizParlak). This comes with the new BLOCK_OPTAUTH_IMAGELINK_FETCHING env var, which is set to true by default. Installation fails due to CVE-2025-45769 in transitive dependency firebase/php-jwt < 7.0.0 (via laravel/passport) (thx @​MickLesk) [issue #​509] manifest.json cannot be accessed through a reverse proxy [issue #​516] Local iconsPack is greyout - cant be selected for item [issue #​517] Typo: "recommanded" instead of "recommended"

[1.7.1] Update Ackee to 3.5.1 Full Changelog Several dependencies have been updated to their latest versions to bring in security patches and improvements ackee-tracker has been updated to fix an issue where visits were not recorded when the website had an empty document.referrer. You might have seen lower visit counts since version 3.5.0 when your website had no referrer, e.g., when visiting it directly or via bookmarks.

[1.23.0] Update actual to 26.3.0 Full Changelog Compare Source View release notes

[1.14.12] Update AdGuardHome to 0.107.73 Full Changelog Authentication is now applied to requests that have been upgraded from HTTP/2 Cleartext (H2C) requests to public resources. Incorrect client IP logging in failed authentication attempts when using a proxy ([#​8198]). Incorrect logger behavior in case -v flag is added.

This look like a good replacement for Alltube (which we were using) https://github.com/alexta69/metube

[1.25.1] Update ampache to 7.9.1 Full Changelog Translations 2026-02-20 Config version 87 Add cli_no_color to disable colors for cli output Add user_create_apikey to add an API Key to the account when a new user is created admin:updateUser: Reset user API key, Stream token, RSS token and access level admin:listUsers: Add -a|--apikey parameter to print the user API key admin:listUsers: Only print user from username or user id. If both are set use username Return an error when all items in scrobble call are not found Custom CSS path folder MPD status incorrectly stopping processes

[1.7.0] Update answer to 2.0.0 Full Changelog New: AI Assistant feature (@​shuashuai @​LinkinStars #​1479) New: MCP server feature (@​LinkinStars @​shuashuai #​1480) New: API Keys feature (@​LinkinStars @​shuashuai #​1482) New: Editor plugin support (@​robinv8 #​1481) Fixed: Add user in the Admin, no result prompt after submission (@​bimakw #​1457) Fixed: Fix/external id notification (@​IfDougelseSa #​1465) Fixed: fix: expand avatar column length from 1024 to 2048 (@​csouls #​1463) Fixed: When the input type of SchemeForm is a number, the default value of 0 is not displayed.@​shuashuai

@girish I understand. Thanks!

Hello @andreasdueren Thanks for the report. Fixing it right now.

[1.97.1] Update audiobookshelf to 2.33.1 Full Changelog API Keys not respecting user enabled/disabled flag Podcast episode update endpoint sanitizes HTML for subtitle Playlist & collection create/update endpoints strip HTML tags from name More strings translated Belarusian by @​pavel-miniutka German by @​fabianjuelich Spanish by @​cyphra

Thanks for reporting here @gardinermichael . We have in fact hidden the app package because there were many issues with it and we couldn't manage to get it to be stable . Maybe we should revisit this.

[1.36.1] Update uv to 0.11.1 Full Changelog Add missing hash verification for riscv64gc-unknown-linux-musl (#​18686) Fallback to direct download when direct URL streaming is unsupported (#​18688) Revert treating 'Dynamic' values as case-insensitive (#​18692) Remove torchdata from list of packages to source from the PyTorch index (#​18703) Special-case == Python version request ranges (#​9697)

[1.6.3] Update beszel to 0.18.4 Full Changelog Add outbound heartbeat monitoring to external services by @​amirhmoradi in #​1729 Add experimental GPU monitoring for Apple Silicon by @​raccettura. (#​1747, #​1746, docs) Add nvtop integration for GPU monitoring. (#​1508) Add GPU_COLLECTOR environment variable to manually specify the GPU collector(s). SMART: add eMMC health via sysfs by @​VACInc in #​1736 Add DISABLE_SSH environment variable to disable SSH agent functionality. (#​1061) Add fingerprint command to the agent. (#​1726) Include GTT memory in AMD GPU metrics and improve device name lookup. (#​1569) Improve multiplexed logs detection for Podman. (#​1755) Harden against Docker API path traversal.

[2.0.1] Update BookStack to 26.03.1 Full Changelog Updated queries used for pages in markdown exports. Updated handling of filenames for file serving. Updated PHP package versions. Update Instructions Update details on blog

[0.4.0] Fix env.sh

[2.10.2] Fix cli usage

The fix for this has now been released in Cal.com 6.2.0

Thanks! @girish If this problem cannot be solved with a non deterministic solution (LLM) then maybe AI/LLM is not a fit (assuming it is used here?)

Hello @luckow This is not documented very well. Had to look into the Castopod code to find the URL path to the API. https://github.com/ad-aures/castopod/blob/bc041702dd8058ae8e1831b9609827c911a5a626/modules/Api/Rest/V1/Config/RestApi.php#L35 public string $gateway = 'api/rest/v1/'; So the full URL would be https://castopod.cloudron.dev/api/rest/v1/podcasts curl https://castopod.cloudron.dev/api/rest/v1/podcasts [] After creating one: curl https://castopod.cloudron.dev/api/rest/v1/podcasts [{"id":1,"guid":"2bdee7b8-8131-5888-b4da-713d7b3a124a","actor_id":1,"handle":"demopadcast","title":"Demo Podcast","description_markdown":"DESC","description_html":"<p>DESC</p>\n","cover_id":3,"banner_id":null,"language_code":"en","category_id":1,"parental_advisory":null,"owner_name":"james","owner_email":"james@cloudron.example","is_owner_email_removed_from_feed":true,"publisher":"","type":"episodic","medium":"podcast","copyright":"","episode_description_footer_markdown":null,"episode_description_footer_html":null,"is_blocked":false,"is_completed":false,"is_locked":true,"imported_feed_url":null,"new_feed_url":null,"payment_pointer":null,"location_name":null,"location_geo":null,"location_osm":null,"verify_txt":"","custom_rss":null,"is_published_on_hubs":false,"partner_id":null,"partner_link_url":null,"partner_image_url":null,"is_premium_by_default":false,"created_by":1,"updated_by":1,"published_at":null,"created_at":{"date":"2026-03-03 11:06:44.000000","timezone_type":3,"timezone":"UTC"},"updated_at":{"date":"2026-03-03 11:06:44.000000","timezone_type":3,"timezone":"UTC"},"feed_url":"https://castopod.cloudron.dev/@demopadcast/feed.xml","actor_display_name":"Demo Podcast","cover_url":"https://castopod.cloudron.dev/media/podcasts/demopadcast/cover.jpg","categories":[{"id":1,"parent_id":null,"code":"arts","apple_category":"Arts","google_category":"Arts","translated":"Arts"}]}]

[1.29.6] Update changedetection.io to 0.54.7 Full Changelog XPath json-doc() Arbitrary File Read Bypass ( Similar fix as CVE-2026-29039 ) CVE-2026-33981 - Environment Variable Disclosure via jq env Builtin in Include Filters UI - Text tidyup by @​dgtlmoon in #​3989 Realtime - Suppress socket.io errors in logs by @​dgtlmoon in #​3991 Restock - Add previous_price to restock values #​3987 by @​dgtlmoon in #​3993 fix: correct critical errors in Spanish (es) translation by @​rasputino in #​3994 last_error should be cleared if page content was the same and there was no error by @​dgtlmoon in #​3997 fix: Czech translation strings updated by @​svetlemodry in #​4008

[1.50.1] Update chatwoot to 4.12.1 Full Changelog Fixed an issue where AI Assist returned a 404 error in the Community Edition. Fixed a regression introduced in v4.8.0 where webhook payloads for message_created and message_updated were sending channel-rendered HTML instead of the original raw message content.

[1.47.0] Update code to 25.04.9.3.1

[1.8.0] Update comentario to 3.17.0 Full Changelog Add custom moderator name feature (#​222) - 66d2bcc, 753451c, 61cc240, ff9e89f, 400f7e5, 8425ce6, 4bab9e2, c1a4ec3, 467bcc0 Add support for PostgreSQL 18 (#​224) - 84c93da Backend: fix resource leak in DecompressGzip() - 58cfbe7 Backend: fix Postgres restart loop with a non-public schema (#​225, !24) - 9137e53, 4476b1b I18n: add Portuguese messages (pt) by @​pt.cesar.monteiro - bbc7303 I18n: add Ukrainian translation (uk) by @​kleindberg - 3e7ca17 Go 1.26, update dependencies, modernise code - 33d3044, a4232a7, 4605e5c, cab77fb, 3b97e19, 58a1146, 53e905a, 8464344, 1e193e3, 0c1de70, 8c7cc53 Demo website: add predefined comments to Ukrainian page (also !30) - 724a0ad Demo website: fix comment and config statements - 2a3516d, 25e7a30

@gh0stface yup, they made a release yesterday it seems and it should have the PRs we made upstream. @vladimir-d is checking the package again.

@girish Yep, exactly that. AnyType and Appflowy are growing in popularity. Would be nice to see them

[0.4.0] Update contacts to 0.4.0 Fix contact count when saving address book settings Remain in settings view when address book name changes Improve info labels

@atridad Thanks for the heads up, the app is gone from our library as well.

@archos interesting it knows how to access the old doc to make a new copy. Nice find!

@jypelle this is possible if the package is adjusted to have the config file available in /app/data and a script to restart/reload the relevant service.

yeah forgot to mention that in the changelog, given the low feedback on the webdav integration, I didn't expect it to be used much at all. So the previous version had a longstanding bug essentially where only the user's home was exposed via webdav but not group folders nor shared items. This was the fix to introduce new toplevel items: [image: 1773397779254-517ea14b-e37d-4e61-8cbf-cc5bde739b4b-image.jpeg]

[1.9.0] Update dawarich to 1.4.0 Full Changelog Family page now contains a map with family members markers on it. Visits page now have "Confirm all" and "Decline all" buttons to quickly confirm or decline all visit suggestions at once. Updated look and feel The point counting was changed to be more efficient on bigger accounts. Redesigned raw data archival system for large instances (10M+ points). Archival now runs per-user via Sidekiq jobs instead of a single sequential process, uses PK cursor-based queries instead of full table scans, and processes in 50K-point chunks with 5K-batch flag updates to minimize DB lock contention. Inline verification removed in favor of daily spot-checks. FK constraint changed from ON DELETE nullify to ON DELETE RESTRICT to prevent cascading updates on large tables. Fix Lite plan archival warnings sending all three notifications (11-month, 11.5-month, and 12-month) simultaneously when a user's oldest data already exceeds all thresholds. Now only the most severe warning is sent, and lower thresholds are marked as already notified. Fix intermittent 502/504 errors caused by User.reset_counters(:points) running synchronously during OwnTracks, Overland, and API point creation. The full COUNT(*) query blocked web workers for 60500+ seconds on large accounts, starving all other requests. Counter reset now runs as a background job. Misconfigured Prometheus settings will no longer litter logs with error messages, it will make multiple attempts to connect instead and then stop. One of previous versions removed a database index making points upload very slow. The index is now added back to fix the issue.

[2.17.0] Update directus to 11.17.0 Full Changelog Added support for importing data in the background (#​26914) Imports now automatically time out after 1 hour, with a maximum of 20 running concurrently. These limits can be configured via IMPORT_TIMEOUT and IMPORT_MAX_CONCURRENCY, respectively. Improved build times using tsdowns oxc-transform (#​26604) Exports previously available from @directus/types/collab are now exported directly from @directus/types Shrunk app UI to 90% and converted all px to rem (16px browser default) (#​26826) Potential breaking change: The app UI has been shrunk to 90% of its previous size. Extensions that rely on hardcoded px values or the old 14px root font-size may render incorrectly all app sizing now uses rem based on the 16px browser default.

[2.12.0] Update discourse to 2026.2.1

Out of ideas, since I can't reproduce this anywhere. You can contact me on support@ if you want me to debug on the server.

Updated and confirm that it is working, thank you!

[1.19.0] Update documenso to 2.8.0 Full Changelog fix: upgrade @​libpdf/core by @​Mythie in #​2569 fix: upgrade @​libpdf/core by @​Mythie in #​2572 feat: add pdf image renderer by @​dguyen in #​2554 fix(i18n): mark dropdown and radio placeholder for translation by @​mKoonrad in #​2537 fix: show current month data and add caching by @​ephraimduncan in #​2573 feat: add embedded envelopes by @​dguyen in #​2564 fix: performance improvements by @​dguyen in #​2581 feat: implement template search functionality by @​catalinpit in #​2376 feat: auto-disable telemetry when license key is configured by @​ephraimduncan in #​2562 fix: make signing page left-hand sidebar collapsible by @​catalinpit in #​2541

[1.12.0] Update community to 5.14.0 Full Changelog Added Spanish language support

[1.14.0] Update docuseal to 2.4.0 Full Changelog Remove emails from the signature reason Dynamic documents - convert DOCX files to dynamic documents with dynamic content [[variables]] editable directly in the template builder

[1.26.0] Update dokuwiki-plugin-oauth to 2025-10-23

Fixed by setting my own cron job https://forum.cloudron.io/topic/14965/which-user-for-cron-task/4?_=1773687776018

[1.7.1] Update easyappointments to 1.5.2 Full Changelog Fix the GTag script URL html rendering (#​1666) Fix the "Load More" JS error in secretaries page (#​1677) Fix the PHP compatibility error of the appointments index API endpoint (#​1678) Catch individual email delivery exceptions (#​1670) Apply permission checks to the appointment and unavailability search (#​1753) Make sure the sync button is visible on provider log in (#​1749) Update unavailable dates after applying appointment data while rescheduling (#​1662) Make sure that any-provider does not include hidden providers while generating availability (#​1733) Provide "text" version of the emails in addition to HTML (#​1711) Trigger webhook requests when managing records via the API (#​1676)

[1.18.2] Update Emby.Releases to 4.9.3.0 Full Changelog Add user option to set user's auto remote quality Add library option to use legacy folder scanning method Music transcoding fixes Add landing tab option for book libraries Support volume control with youtube trailer player Update mixed content tabs to combine Movies & Shows Fix maintenance mode blocking some settings screens Fix embedded audio fields not getting rescanned on file changes Fix loss of genre and collection images after deleting a movie Fix latest section not showing items for some channel plugins

[2.20.3] Update espocrm to 9.3.3 Full Changelog Currency rates in database not updated until rebuild #​3605

Got it. Thank you.

[1.19.2] Update evcc to 0.303.2 Full Changelog ce9ea23 Add IoTaWatt meter (#​28331) a70a140 EpexPredictor: add hourly averaging (#​28343) 3261ad2 Easee: fix stale power/current readings when charger goes offline (#​28362) 99902ef Issue UI: fix api warning (#​28386) 708b1c8 Octopus: fix tariff rates to planning window (#​28313) 1d5cdca OpenEVSE: fix http 404 d2a8813 Optimizer: fix result timestamps 1f9845b Plan UI: Fix inaccurate day formatting for negative TZs (#​28433) 452a130 fix/refactor: modbus form (#​28226) 76b453c fix: restore iOS 12 support (#​28436)

[2.0.0] Update fider to 0.33.0 Full Changelog Please note new license changes Open Core Licensing: Some features (content moderation, search indexing) are now gated as pro features, with a new commercial licensing system using separate private/public key environment variables. Content Moderation (Pro): Admins can now moderate posts and comments before they go public, trust or block individual users, and manage pending content from a dedicated admin page. Content moderation is available as a pro feature. Revamped UI: The home page and post detail view have been refreshed with a cleaner design, better dark mode support, improved mobile layouts, and post details now open in a modal without a full page reload. Security: Sign-in email links now use a strong 64-character key (manual entry still uses a 6-digit code for convenience). Fixed search with hyphenated words Option to keep failing webhooks enabled rather than auto-disabling them Fixed issue adding links via the toolbar button Fixed filter/sort state persisting when navigating back from a post Fixed vote listing issues Post tags now update live in the listing without a page reload

[1.15.0] Update filepizza to 60704b4

[1.1.1] Update fmd-server to 0.14.1 Full Changelog Initial translation support, by @​warioishere (#​64) Translate web interface in many languages (thank you translators!) Fix hosting in sub-directory (#​132) Graceful shutdown when SIGINT or SIGTERM is received (#​139)

[3.11.8] Update firefly-iii to 6.5.9 Full Changelog Issue 12004 (Test notification buttons always generate an error) reported by @​IDevJoe Issue 12014 (Converting a transaction to a transfer and setting the destination account to one with a different currency breaks the audit log) reported by @​avee87

[2.8.4] Update formbricks to 4.8.4 Full Changelog fix: [Backport]backports segment isNotIn fix by @​pandeymangg in #​7567 fix: [Backport]backports indirect segment activity by @​pandeymangg in #​7569

Is cloudron@ the admin or default user?

@girish apologies, I jumped the gun on that last post. You were right. I had a look at the box source code (src/scheduler.js, src/docker.js) and the manifest command IS respected by the scheduler. The php artisan schedule:run on my instance came from a custom crontab entry carried over when we migrated from a standalone install to Cloudron over 2 years ago. That entry must have slipped through unnoticed, but it explains everything. After removing it, the scheduler container (now suffixed -housekeeping instead of -crontab.0) correctly runs cron.sh: $ docker inspect --format '{{.Config.Cmd}}' 1af144bb-fbf4-434d-8edd-bb4b95c00ef5-housekeeping Cmd: [/bin/sh -c /app/pkg/cron.sh] Things are working correctly with cron.sh + gosu now I should have caught this sooner. In my defense (barely), the Cron tab of the app doesn't mention that commands run as root. I eventually found it in the documentation at the bottom of the Cron page. A small note in the Cron tab itself would probably help others avoid the same mistake. Cheers, JD

@joseph Ok, I’ll take a better look of system because it seems strange

@joseph As I understood it, not even that. MEDIA_ROOT is where all media uploaded gets stored. MUSIC_DIRECTORY_PATH is like an import folder where you can manually upload files that then get imported. But I am not 100 % certain, it is still confusing for me.

[4.156.0] Hide Alternative Service header

There is a discussion here, but I don't understand it - https://github.com/go-gitea/gitea/issues/22066

Yes, it's only jekyll. Not an expert on next.js but I think it also needs a backend right ? If so, you have to create a custom package - https://docs.cloudron.io/packaging/tutorial/

Perfect, thanks a lot!

[1.0.1] Update glpi to 11.0.6 Full Changelog Security fixes

[1.23.1] Update gogs to 0.14.2 Full Changelog Security: Cross-repository LFS object overwrite via missing content hash verification. #​8166 - GHSA-gmf8-978x-2fg2 Security: Stored XSS via data URI in issue comments. #​8174 - GHSA-xrcr-gmf5-2r8j Security: Release tag option injection in release deletion. #​8175 - GHSA-v9vm-r24h-6rqm Security: Stored XSS in branch and wiki views through author and committer names. #​8176 - GHSA-vgvf-m4fw-938j Security: DOM-based XSS via issue meta selection on the issue page. #​8178 - GHSA-vgjm-2cpf-4g7c Unable to update files via web editor and API. #​8184

[2.4.2] Update grafana to 12.4.2 Full Changelog Analytics tab: Improve voice over accessibility (Enterprise) Dashboards a11y: Do not open time zonemenu on focus #​120388, @​idastambuk Dashboards: Resolve display names by identity in version history #​120273, @​ivanortegaalba Plugins: Forward AWS SDK credential chain env vars to external AWS plugins #​120209, @​kevinwcyu Public Dashboards: Prevent unintended CRUD operations from different orgs #​120457, @​mmandrus IAM: Handle NULL team_member.external column to fix dashboard loading #​120179, @​difro Plugins: Fix installer IsDisabled condition #​120568, @​andresmgot Plugins: Forward PLUGIN_UNIX_SOCKET_DIR to plugin processes to fix tmp dir in restricted environments #​120275, @​HarshadaGawas05 Security: Fixes CVE-2026-27876 Security: Fixes CVE-2026-27877

IMPORTANT Packages starting 1.8.6 to 1.9.0 have been revoked. 1.8.6 - 1.8.13 - Upstream has removed all 1.7.50.x packages. See https://discourse.getgrav.org/t/upgrade-to-grav-v1-7-50-9-not-working/29222/4 1.9.0 - had incorrect beta version update

[1.10.0] Update greenlight to 3.8.0 Full Changelog Contains multiple security fixes that will not be be made public before April 3, 2026 Display protected recording formats only if a recording is protectable (#​6196) Multiple gem + package updates Add optional Accessibility Statement Link (#​6184) Allow Admins to send password reset emails for local users (#​6197) Add RTL support (#​6187) Add disableFormControls functionality to JoinCard (#​6217) Language Updates

[0.5.1] Update grist-core to 1.7.11 Full Changelog Optional authentication using getgrist.com accounts Import from Airtable New environment variables have been added to provide better control over which users are able to access your Grist instance. GRIST_PERSONAL_ORGS will disable personal organizations, while GRIST_ORG_CREATION_ANYONE will prevent any non-admins from creating new organizations. Configurable email notifications for suggestions Allow the maximum options limit on Forms to be configured (defaults to 30 options, configurable up to 1000) Limit GVisor to 8 process by default Display references and reference lists in a friendlier fashion Prevent conditional formatting changes from being displayed as suggestions Add a confirmation dialog when a resource is being shared publicly Hide the bell icon showing connection state when Grist is connected and functioning normally

Hello @albertbeaufrand and welcome to the Cloudron Forum This topic is a duplication of https://forum.cloudron.io/post/97415 and will be merged into it. Please read the responses above to get the full answer to your question.

[1.11.0] Update base image to 5.0.0

[1.21.4] Update hedgedoc to 1.10.7 Full Changelog Random colors for user's cursors and selections are now always in hex format to avoid conversion errors Correctly close realtime connections if they disconnect during connection creation manage_users CLI does not silently drop errors

[1.17.3] Update core to 2026.3.3 Full Changelog Fix Tibber update token ([@​Danielhiversen] - [#​164295]) ([tibber docs]) Add correct speed fan mapping for Z-Wave GE/Jasco Enbrighten ZWA4013 ([@​martinecker] - [#​164500]) ([zwave_js docs][zwave_js docs]) Improve ProxmoxVE permissions validation ([@​CoMPaTech] - [#​164770]) ([proxmoxve docs]) Start orphaned entries in normal mode only ([@​erwindouna] - [#​164815]) Skip unmapped and watchdog event types in Hikvision NVR event injection ([@​ptarjan] - [#​165009]) ([hikvision docs]) Snapcast: Fix incorrect identifier extraction in async_join_players ([@​mill1000] - [#​165020]) ([snapcast docs]) Hive: Fix bug in config flow for authentication and device registration ([@​KJonline] - [#​165061]) ([hive docs]) LG Soundbar: Fix incorrect state and outdated track information ([@​alexmerkel] - [#​165148]) ([lg_soundbar docs][lg_soundbar docs]) Fix optional static values in bsblan ([@​liudger] - [#​165488]) ([bsblan docs]) Fix SmartLithium 8-cell support in victron_ble ([@​rajlaud] - [#​165496]) ([victron_ble docs][victron_ble docs])

[1.9.1] Update humhub to 1.18.1 Full Changelog Fix #​8003: Migration::foreignIndexExists() doesn't find tables in braces Fix #​8002: Comment dropdowns truncated (e.g. to select a title) Fix #​8007: Fix unsaved changes warning on Profile Edit page Fix #​8008: Space Tour Wrong Target for "Preferences" menu Fix #​8013: Fix error displaying on update a module Fix #​8009: Administration Group label misplaced Fix #​8012: Modal backdrop over the account deletion modal for new Users Enh #​8017: Exclude vendor from module i18n extract Fix #​8020: Some email notifications are missing auto-contrast for the button text color Fix #​8027: Cannot register if showRegistrationForm is disabled

[1.98.1] Update immich to 2.6.2 Full Changelog Fixed a bug where the shared link would error out when public users upload to the shared link Fixed a bug where the URL switching feature doesn't work with external URLs Fixed a bug where the "add to album" selection box on the web doesn't include albums that are shared with the user Fixed several issues regarding the search filter on the mobile app and the web fix(mobile): simplified chinese not available by @​YarosMallorca in #​27066 fix(web): allow showing combobox items outside modals by @​michelheusschen in #​27075 fix(web): preserve album scroll when adding to other albums by @​michelheusschen in #​27078 fix(server): queue version check job when config changed by @​uhthomas in #​27094 fix: shared link add to album by @​jrasm91 in #​27063 fix: svelte reactivity issues by @​danieldietzler in #​27109

[1.19.0] Rename to Ip2location due to trademark collision

@jdaviescoates Thanks - Not the I have not though about this, but, at last, this could only be a temporary solution following our infrastructure setup. It also does not solve the underlying OIDC issue, which I very much find intriguing.

[1.12.2] Update companion

[1.22.6] Update invoiceninja to 5.13.8 Full Changelog Refactor for PEPPOL to support CTC countries Fixes for invoice invitation race condition Fixes for client contact observer Remove redundant illuminate $request methods Fixes for multiple areas of the auth stack for route model binding Purify additional areas of client portal

[1.13.3] Update jellyfin-plugin-sso to 4.0.0.4 Full Changelog Add Pocket ID config steps by @​mhlas7 in #​312 fix: invalidate state immediately after auth by @​jon4hz in #​343 Add kanidm config steps by @​Joker9944 in #​347 Update README dead link, add warning for permission overwritten by @​ForsakenRei in #​318 Bugfix: Prevent KeyNotFoundExceptions in OidPost by @​mandos21 in #​349

App discontinued due to no upstream updates.

[1.12.1] Update Jirafeau to 4.7.1 Full Changelog Fixed another possibility to bypass the checks for CVE-2022-30110, CVE-2024-12326 and CVE-2025-7066 (prevent preview of SVG images and other critical files) by sending a manipulated HTTP request with a MIME type like "image". When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled. The default value of max_upload_chunk_size_bytes was set to 5000000. Higher values could trigger a bug Chromium-based browsers on servers with HTTP/3 enabled, causing asynchronous uploads to fail.

Hello everyone, Is there any hope that Jitsi Meet will return as an app for Cloudron? Many thanks!

Stupid question but when using this does a copy of a user's joplin nots remain on the server or do notes just pass through? My understanding is that webdav files can grow pretty big

[1.58.4] Fixup doc URL

[1.17.5] Update kanboard to 1.2.49 Full Changelog fix(ldap): ensure LDAP placeholders are escaped fix: restore Ctrl+Enter submission on the task creation form feat(locale): update translations feat: prevent protocol-relative URL redirects after login feat: block private network access for external web link (configurable) feat: add TRUSTED_PROXY_NETWORKS config option

[1.9.1] Add optional OpenID integration for new installations

[1.5.6] Update keycloak to 26.5.6 Full Changelog CVE-2026-1180 - Blind Server-Side Request Forgery (SSRF) in Keycloak OIDC Dynamic Client Registration via jwks_uri oidc CVE-2026-1035 - Keycloak Refresh Token Reuse Bypass via TOCTOU Race Condition oidc CVE-2025-14777 - Keycloak IDOR in realm client creating/deleting CVE-2025-14082 keycloak-server: Keycloak Admin REST API: Improper Access Control leads to sensitive role metadata information disclosure CVE-2026-3121 - Keycloak: Privilege escalation via manage-clients permission CVE-2026-3190 - Information Disclosure via improper role enforcement in UMA 2.0 Protection API core CVE-2026-3911 Keycloak: Information disclosure of disabled user attributes via administrative endpoint user-profile CVE-2026-2366 Authorization Bypass: Unprivileged tokens can enumerate user organization memberships organizations Federated user disabled when external DB unavailable, never re-enabled storage AUTH_SESSION_ID cookie reuse causes cross-user session contamination on re-authentication authentication

Hello @ikalou and @andreasdueren This is a known issue. I have merged your new topic into this existing one. Scroll up to find the solution and description of this issue.

[2.44.0] Update kimai to 2.50.0 Full Changelog Removed support for file:// urls in Markdown (new parsedown package) (#​5835) Fix missing macro in export print template (when rendering user preferences) (#​5835) Fix timesheets with breaks did not work in "weekly hours" screen (#​5835) Allow to customise statistic queries (#​5827)

[1.34.1] Update koel to 8.3.1 Full Changelog fix: artist deleted if album artist is provided (closes #​2183) by @​phanan in #​2193 fix: do not use model factories for doctor command by @​phanan in #​2195

Running TURN server on port 443 only matters for setups where a Client is unable to contact the server on non-port 443. This is only common in some ultra locked down intranet setups.

[1.6.2] Update komga to 1.24.2 Full Changelog remove anonymous /tmp volume (45f39b0), closes #​2191 fallback on epub2 toc if epub3 is present but invalid (4ce8f27) epub extension could get lost during book restoration (90d3a1d)

[2.4.1] Set supportsDisplayName to false in manifest

@nebulon I think because of storage problem, but it's already fixed. Thank you Nebulon and Robi.

[1.36.0] Update languagetool to ef691bf

[1.12.2] Update leantime to 3.7.3 Full Changelog fix: backend bug fixes from phase-0 modernization branch by @​marcelfolaron in #​3289 feat(tokens): add design system CSS custom property definitions by @​marcelfolaron in #​3290 fix: accessibility, view system, and composer improvements from phase-0 by @​marcelfolaron in #​3292 fix: ticket PATCH 500 errors, quick-add group context, and UI fixes by @​marcelfolaron in #​3313 fix: address 6 GitHub issues - session, calendar, postgres, todos, users, ldap by @​marcelfolaron in #​3315 fix: PostgreSQL ROUND(double precision, int) error on ticket queries (#​3301) by @​marcelfolaron in #​3317 fix: PostgreSQL ROUND error, missing zp_canvas.color migration, and 3.7.2 changelog by @​marcelfolaron in #​3318

[1.1.6] Update rag_api to 0.7.3 Full Changelog fix: add missing averaged_perceptron_tagger_eng NLTK package by @​MieszkoMakuch in #​265 fix: add missing msoffcrypto-tool package for xlsx file support by @​ABHIJITH-EA in #​264 fix: Resolve MongoDB Atlas Document Upload Failures and Cross-Batch ID Collisions by @​mfish911 in #​266

[1.55.11] Update LimeSurvey to 6.16.13+260316 Full Changelog

Thank you @necrevistonnezr ... it wasn't obvious to find, for me. I have one now.

[1.21.0] Update linkwarden to 2.14.0 Full Changelog Improved team collaboration Improved tag browsing with pagination Faster interface with optimistic rendering Platform upgrades: Next.js 15 and Expo 54 Improved user experience Security improvements for submitted links

[1.15.0] Update listmonk to 6.0.0 Full Changelog TOTP two-factor authentication. E-mail based Forgot password reset flow. Ability to archive lists. Subscriber activity in the Subscriber profile UI. Ability to send transactional mails to non-subscribers via the /api/tx API. Campaign-level JSON JSON {} attributes just like subscriber attributes. Granular override on subscriptions / subscriber profile in bulk import. In-built Postgres VACUUM cron in Maintenance settings for large databases. Add attribs to campaign docs. Upgrade altcha JS to latest version.

[1.17.10] Update loomio to 3.0.21 Full Changelog Changes to the Discussion and Poll templates UI. I've had people tell me they couldn't find how to create a template. Now there is a New template button, which opens the example templates page, you can use an example as the starting point for a new template. Fewer discussion templates in a group by default. Updates to the Sense Check poll options, so they're more helpful. Materialize default discussion templates as DB records by @​robguthrie in #​12182 Discussion template UI improvements by @​robguthrie in #​12181 Add opening_at to polls for scheduled voting by @​robguthrie in #​12174 Poll template updates by @​robguthrie in #​12184 This release also addresses a minor security issue, where a member of a group could see the names of secret subgroups they did not belong to, if they inspected the server responses of the reports controller.

[2.44.3] Update Lychee to 7.5.3 Full Changelog Composer update by @​ildyria in #​4216 Added and improved German translations by @​hyazinthh in #​4217 Fix XSS in /feed by @​ildyria in #​4218

@girish That is a super handy feature!

[1.17.7] Update mastodon to 4.5.7 Full Changelog Add --suspended-only option to tootctl emoji purge (#​37828 and #​37861 by @​ClearlyClaire and @​mjankowski) Fix emoji data not being properly cached (#​37858 by @​ChaosExAnima) Fix delete & redraft of pending posts (#​37839 by @​ClearlyClaire) Fix processing separate key documents without the ActivityStreams context (#​37826 by @​ClearlyClaire) Fix custom emojis not being purged on domain suspension (#​37808 by @​ClearlyClaire) Fix users without special permissions being able to stream disabled timelines (#​37791 by @​ClearlyClaire) Fix processing of object updates with duplicate hashtags (#​37756 by @​ClearlyClaire)

thanks, does this help reduce i/o in a meaningful way? I guess we should continue back in the other thread.

[1.11.14] Update element-web to 1.12.13 Full Changelog Upgrade Element Call for new picture-in-picture designs (#​32816). Contributed by @​robintown. Room list: add sections to shared components (#​32735). Contributed by @​florianduros. feat: Devtool for sticky events MSC4354 (#​32741). Contributed by @​BillCarsonFr. Port URL Preview components to MVVM (#​32525). Contributed by @​Half-Shot. Add support for Widget & Room Header Buttons module APIs (#​32734). Contributed by @​dbkr. Port over linkifyJS to shared-components. (#​32731). Contributed by @​Half-Shot. Redesign widget pip and move into shared component (#​32654). Contributed by @​toger5. Implement customisations & login component Module API 1.11.0 (#​32687). Contributed by @​t3chguy. Realign MessageActionBar to Figma designs (#​32722). Contributed by @​t3chguy. Implement new widget permissions module api (#​32565). Contributed by @​langleyd.

[1.26.0] Update mattermost to 11.5.1 Full Changelog Mattermost Platform Release 11.5.1 contains multiple new quality of life improvements, including CJK Database Search, AI Channel Summarization, Agents Web Search, User Authoritative Source, and Channel Auto-Translation.

RabbitMQ is of use for supporting Plane on Cloudron. It has quite high resting RAM requirements. So, LavinMQ might be even better as lighter resting requirements. https://plane.so/ Plane requires RabbitMQ (AMQP) for all async job processing. The Worker and Beat Worker services consume from RabbitMQ queues. There is no way to substitute Redis for this purpose: Plane switched from Redis/Celery to RabbitMQ explicitly. Cloudron has addons for PostgreSQL, MySQL, MongoDB, and Redis, but nothing for AMQP/RabbitMQ.

[1.36.0] Update mealie to 3.13.1 Full Changelog fix: #​6802 prevent 500 internal server error when patching recipe tags @​SimeonSouttar (#​6803) fix: Updated workflows to checkout on commit of commit-version-bump @​Choromanski (#​7217) feat: Unit standardization / conversion @​michael-genson (#​7121) feat: Add social media video import (YouTube, TikTok, Instagram) @​AurelienPautet (#​6764) feat: Recipe import progress @​michael-genson (#​7252) feat: Switch to httpx-curl-cffi for better scraping @​michael-genson (#​7254) feat: Adjust linked recipe unit and seperate when adding to shopping list @​michael-genson (#​7260)

Hey @james and @joseph. Thank you for your quick replies! I'm going to try out this technique with LAMP first and report back, and if that doesn't work than I may try creating the SMW Cloudron App.

Closed due to inactivity

[1.5.1] pin package source by hash

[3.3.1] Update metabase to 0.59.4.2 Full Changelog

[2.37.4] Update bedrock to 1.26.10.4

[1.6.12] Update v2 to 2.2.18 Full Changelog To prevent potential SSRF, Miniflux now blocks access to services hosted on private networks by default. FETCHER_ALLOW_PRIVATE_NETWORKS=1 must now be enabled to access feeds hosted on a local network. INTEGRATION_ALLOW_PRIVATE_NETWORKS=1 must now be enabled to access third-party integration services hosted on a local network. Apply entry blocking rules both before and after scraping to avoid unnecessary requests and allow matching on fetched content. Add ignore_entry_updates feed option to skip updating existing entries during scheduled polling. Add Arabic (ar_SA) translation. Add Galician (gl_ES) translation. Update Polish translation. Various performance improvements across multiple components (fetcher, parser, sanitizer, readability, URL cleaner, feed discovery, and Google Reader API). Simplify parts of the Google Reader code and reduce allocations in several hot paths.

Hello @loudlemur Thanks for the report. The minio package has been fixed to use the correct URL.

@djxx said: Restarting the app doesn't fix it anymore, so now when it crashes I change the SFU TCP/UDP port range to something else and it works when the app restarts. This issue can occur if another application is already using ports within the 40000–40100 range. To resolve it, you can either change the port range (for example, starting from 25000) [image: 1774513002629-port-conflicts-resized.png] or enable WebRTC server mode in the env (edit it via Cloudron file manager), which requires fewer ports, as described above. SFU_SERVER=true Then restart the instance.

The app package runs the cron job as outlined in https://github.com/monicahq/monica/blob/4.x/docs/installation/providers/generic.md#4-configure-cron-job Can you open a webterminal into the app and run it manually via: sudo -E -u www-data php /app/code/artisan schedule:run and see if it shows an error or sends the mails then?

[4.0.3] Update moodle to 5.1.3 Full Changelog

If your workflow takes more then 5 minutes to complete, you should increase the timeout time.

[1.27.2] Update navidrome to 0.60.3 Full Changelog 34c6f12: feat(server): add explicit status support in smart playlists (#​5031) (@​kgarner7) 408aa78: fix(scanner): log warning when metadata extraction fails (@​deluan) ed79a88: fix(scanner): pass filename hint to gotaglib's OpenStream for format detection (#​5012) (@​deluan) fd09ca1: fix(scanner): resolve data race on conf.Server access in getScanner (@​deluan) 0a47228: fix(subsonic): validate JSONP callback parameter (@​deluan) eb9ebc3: fix(ui): add missing keys in Danish translation (#​5011) (@​denisarissa) 62f9c3a: fix: linux service should restart when upgrading (#​5001) (@​mintsoft) e05a7e2: fix: prevent data race on conf.Server during cleanup in e2e tests (@​deluan) bee0305: fix: split reflex -R flags to preserve directory exclusion optimization (@​deluan)

There should be a periodic => Run cron job in your app logs . Do you see it? If not immediately, just keep the log window open for 20 mins, it will print every 5 mins.

[1.32.3] Update nocodb to 0.301.5 Full Changelog

[2.26.0] Update NodeBB to 4.10.0 Full Changelog add /world as a potential home page route (58d3aa7) add category selector to /world quick composer (2f5021e) ability to show only local posts in /world (44e65b8) #​14094, notification drawer UX improvements (6c01a5d) allow 3 profile pics (#​14092) (533ae69) category group actor outbox, #​14083 (b317cdd) improve idempotency of ap test (8ca34e7) call syncfollowcounts on unfollow as well (ebe709d) sync follow counts on local and remote follows, #​14105 (44e78e4) cold load redirect should only affect guests (cc60667)

[1.22.2] Update ntfy to 2.19.2 Full Changelog This is another small bugfix release for PostgreSQL, avoiding races between primary and read replica, as well as to further reduce primary load. Bug fixes + maintenance: Fix race condition in web push subscription causing FK constraint violation when concurrent requests hit the same endpoint Route authorization query to read-only database replica to reduce primary database load

[1.6.2] Update ollama to 0.18.2 Full Changelog Add extra check to ensure npm and git are installed before installing OpenClaw Claude Code will now be faster when run locally, due to preventing cache breakages Fix to correctly support ollama launch openclaw --model <model> Register Ollama's websearch package correctly for OpenClaw

I looked into the logs and it was the outdated Commons module. Thanks for your help and keep up the great work with cloudron!

[1.25.0] Update DocumentServer to 9.3.0 Full Changelog Implemented the ability to add hyperlinks to images, shapes, or groups Implemented all settings for texture fills for images Updated macro recording in documents, spreadsheets, and presentations Added Multiple pages view Added the Zoom to 100% and Multiple pages buttons to the View tab Changed the appearance of comments. Now a users color is used and the beginning and end of the comment are displayed Implemented the ability to select words/paragraphs by double/triple-clicking the mouse Added saving to the MD format Moved header and footer settings to a separate Header & Footer tab Added support for new functions: REGEXTEST, REGEXREPLACE, REGEXEXTRACT

[0.7.0] Update opencloud to 5.2.0 Full Changelog feat!: remove deprecations for v6.0.0 [#​2093] refactor!: floating UI [#​1998] refactor!: port vue-portal to teleport or extension system [#​2015] refactor!: mobile nav to web-pkg [#​2007] feat: use proper size-5 class for medium sized icons [#​2066] feat: increase topbar height [#​2070] Improve empty state icons [#​2094] feat: ease use of floating action button extension [#​2090] feat: add polished icons for no content message [#​2033] feat: add fab to admin settings and spaces overview [#​2025]

[1.8.3] Update openhab-distro to 5.1.3 Full Changelog Restore model validation not to fail on diagnostic errors for rules and scripts Fix community marketplace discourse parsing Align x-axis and query to daysOfMonth for aggregated series zwave: Fix zwave network map display in 5.1.x item-state-preview: Fix toggle switch not being fully re-rendered on Item change useStatesStore: Fix error in expression tester with =items formula

[3.46.2] Update openproject to 17.1.2 Full Changelog Bugfix: Error when creating a new work package after uploading an attachment to the previous one that was opened in details view [#​67980] Bugfix: Pasting rich text into CKEditor crashes it [#​69597] Bugfix: external_redirect URL always engaged, making copy&pasting links harder [#​71946] Bugfix: Parent project name visible in breadcrumb irrespective of parent access [#​71972] Bugfix: Trying to attach a calendar part when no mail is being generated fails [#​72244] Bugfix: Meetings appear duplicate in the ical subscription after an interim response [#​72259] Bugfix: Can't create automatically managed project folder when project name contains forbidden Nextcloud characters [#​72525]

Hi @girish so I learned something while setting up my Radicale and OWC. It seems like the calendar client publishing in to the ICS in Radicale (or wherever your ICS source lives) can matter. When I used the Calendar app on macOS I saw no descriptions. When I used Thunderbird I do. You can see it on my live page that has the OWC page in an iframe https://kb.filewave.com/books/community-engagement/page/customer-event-schedule and if you click on events in the agenda then the description shows. I think initially I was also hoping to show description on the Agenda page without clicking on an event but originally I was bothered that I just couldn't get description to show up. So now it does at least show up when you click an event. I haven't looked at why Calendar doesn't make a summary that shows and Thunderbird does but I'm fine using Thunderbird to put events in my calendar feed.

[3.2.10] Update open-webui to 0.8.11 Full Changelog Responses API streaming improvements. The OpenAI proxy now properly handles tool call streaming and re-invocations in the Responses API, preventing duplicate tool calls and preserving output during model re-invocations. Commit, Commit, Commit, Commit Responses API stateful sessions. Administrators can now enable experimental stateful session support via the ENABLE_RESPONSES_API_STATEFUL environment variable, allowing compatible backends to store responses server-side with previous_response_id anchoring for improved multi-turn conversations. Commit File viewing pagination. The view_file and view_knowledge_file tools now support pagination with offset and max_chars parameters, allowing models to read large files in chunks. Commit Knowledge search scoping. The search_knowledge_files tool now respects model-attached knowledge, searching only within attached knowledge bases and files when available. Commit Tool HTML embed context. Tools can now return custom context alongside HTML embeds by using a tuple format, providing the LLM with actionable information instead of a generic message. #​22691 Trusted role header configuration. Administrators can now configure the WEBUI_AUTH_TRUSTED_ROLE_HEADER environment variable to set user roles (admin, user, or pending) via a trusted header from their identity provider or reverse proxy. #​22523 OIDC authorization parameter injection. Administrators can now inject extra parameters into the OIDC authorization redirect URL via the OAUTH_AUTHORIZE_PARAMS environment variable, enabling IdP pre-selection for brokers like CILogon and Keycloak. #​22863, Commit Google OAuth session persistence. Administrators can now configure Google OAuth to issue refresh tokens via the GOOGLE_OAUTH_AUTHORIZE_PARAMS environment variable, preventing OAuth sessions from expiring after one hour and ensuring tools and integrations that rely on OAuth tokens remain functional. #​22652 Embed prompt confirmation. Interactive tool embeds can now submit prompts to the chat without requiring same-origin access, showing a confirmation dialog for cross-origin requests to prevent abuse. #​22908 Tool binary response handling. Tool servers can now return binary data such as images, which are properly processed and displayed in chat for both multimodal and non-multimodal models. Commit, Commit

[1.1.2] Update opodsync to 0.5.2 Full Changelog Fix: error when addin a new subscription (GH-86)

[2.4.2] Fixup doc URL

[1.21.1] Update outline to 1.6.1 Full Changelog A bug affecting file and image upload in the editor was fixed in #​11803 MCP: Now has tools to move documents within a collection in #​11799 MCP: Now supports API key header authentication in #​11798 Added Tahoe-compatible icon variants for PWA in #​11762 Fixed a race condition when editing title while doc is saving would reset the title in #​11764 Added support for the new GitLab work_items URL structure in #​11795 Print layout now respects full-width option by @​wmTJc9IK0Q in #​11768 Fixed a page hang with corrupted PNG upload in #​11783 Improved validation of SMTP_FROM_EMAIL and SMTP_REPLY_EMAIL in #​11784 Custom port is now preserved in OAuth metadata URLs when self-hosted behind a reverse proxy in #​11791

[1.6.1] Update owncast to 0.2.4 Full Changelog Lots of localization changes, both in how they work across the web application, and adding more support for them. So more places should show more languages. The backend refactor continues with more splitting things off into standalone data repositories and services. Higher bitrates can now be selected in the video encoding settings. There's a new webhook that fires when you get a new Fediverse follower. Admin: add line divider in sidebar #4098 Display shortcut keys of hide/show chat in Dropdown menu #4096 Create a custom Translation component #4428 Add support for pluralization in the new Translation component #4440 Add support for translations in the web project #3950 Add server status as a default field in all webhooks #4384

[1.3.0] Update base image to 5.0.0

[1.48.4] Update paperless-ngx to 2.20.12 Full Changelog Fix: Scope the workflow saves to prevent clobbering filename/archive_filename @​stumpylog (#​12390) Fix: don't try to usermod/groupmod when non-root + update docs (#<!---->12365) @​stumpylog (#​12391) Fix: avoid moving files if already moved @​shamoon (#​12389) Fix: remove pagination from document notes api spec @​shamoon (#​12388) Fix: fix file button hover color in dark mode @​shamoon (#​12367) Fixhancement: only offer basic auth for appropriate requests @​shamoon (#​12362) Fix: Scope the workflow saves to prevent clobbering filename/archive_filename @​stumpylog (#​12390) Fix: avoid moving files if already moved @​shamoon (#​12389) Fix: remove pagination from document notes api spec @​shamoon (#​12388) Fix: fix file button hover color in dark mode @​shamoon (#​12367)

You can still install it like this https://my.<cloudron>/#/appstore/rocks.paperwork.cloudronapp . But note that it was last updated 3 years ago. I tried to build a new version with latest with PHP a year ago and the app was not even building anymore. They have been re-writing a new version for a couple of years now.

Just to be clear: In the current version, video thumbnails are not created automatically after an upload, other than before. gosu cloudron:cloudron npm run regenerate-thumbnails needs to be run manually. Is this still an error in the Cloudron package or the App itself?

[1.16.0] Update penpot to 2.14.0 Full Changelog Deprecate PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE in favour of PENPOT_HTTP_SERVER_MAX_BODY_SIZE. Access to design tokens in Penpot Plugins Taiga #​8990 Remap references when renaming tokens Taiga #​10202 Tokens panel nested path view Taiga #​9966 Improve usability of lock and hide buttons in the layer panel. Taiga #​12916 Optimize sidebar performance for deeply nested shapes Taiga #​13017 Remove tokens path node and bulk remove tokens Taiga #​13007 Replace themes management modal radio buttons for switches Taiga #​9215 Remove whitespaces from asset export filename Github #​8133 Fix prototype connections lost when switching between variants Taiga #​12812

App discontinued due to no upstream updates.

The upstream project has not released in almost 3 years now. We had to build from develop to get some PHP 8 support going, but there are bugs like https://github.com/phpservermon/phpservermon/issues/1196 , https://github.com/phpservermon/phpservermon/issues/1232 . There's also a bunch of basic issues: Normal user cannot login after admin user logs in. Some issue related to service worker. LDAP functionality is incomplete

[3.3.0] Update Piwigo to 16.3.0 Full Changelog Release note

Oh well, I thought the email issue would be fixed by the latest update, but unfortunately the problem still persists.

[1.14.8] Update pocketbase to 0.36.7 Full Changelog Fixed high memory usage with large file uploads (#​7572). Updated the rate limiter reset rules to follow a more traditional fixed window strategy (aka. to be more close to how it is presented in the UI - allow max X user requests under Ys) since several users complained that the older algorithm was not intuitive and not suitable for large intervals. Approximated sliding window strategy was also suggested as a better compromise option to help minimize traffic spikes right after reset but the additional tracking could introduce some overhead and for now it is left aside until we have more tests. Updated modernc.org/sqlite to v1.46.2 and SQLite 3.51.3. SQLite 3.51.3 fixed a database corruption bug that is very unlikely to happen (with PocketBase even more so because we queue on app level all writes and explicit transactions through a single db connection), but still it is advised to upgrade.* Updated other minor Go and npm deps. The min Go version in the go.mod of the package was also bumped to Go 1.25.0 because some of the newer dep versions require it.*

Hi, It looks like the package is gone from the cloudron supported apps, has anyone tried self-hosting it by following the official method as presented in their doc, with success? (https://docs.postiz.com/quickstart)

[1.5.0] Update pretix to 2026.2.0 Full Changelog

[1.11.3] Update PrivateBin to 2.0.3 Full Changelog FIXED: Prevent arbitrary PHP file inclusion when enabling template switching FIXED: Malicious filename can be used for self-XSS / HTML injection locally for users FIXED: Unable to create a new paste from the cloned one when a JSON file attached (#1585)

[2.10.0] Update prometheus to 3.10.0 Full Changelog [CHANGE] Alerting: Add alertmanager dimension to following metrics: prometheus_notifications_dropped_total, prometheus_notifications_queue_capacity, prometheus_notifications_queue_length. #​16355 [CHANGE] UI: Hide expanded alert annotations by default, enabling more information density on the /alerts page. #​17611 [FEATURE] AWS SD: Add MSK Role. #​17600 [FEATURE] PromQL: Add fill() / fill_left() / fill_right() binop modifiers for specifying default values for missing series. #​17644 [FEATURE] Web: Add OpenAPI 3.2 specification for the HTTP API at /api/v1/openapi.yaml. #​17825 [FEATURE] Dockerfile: Add distroless image variant using UID/GID 65532 and no VOLUME declaration. Busybox image remains default. #​17876 [FEATURE] Web: Add on-demand wall time profiling under <URL>/debug/pprof/fgprof. #​18027 [ENHANCEMENT] PromQL: Add more detail to histogram quantile monotonicity info annotations. #​15578 [ENHANCEMENT] Alerting: Independent alertmanager sendloops. #​16355 [ENHANCEMENT] TSDB: Experimental support for early compaction of stale series in the memory with configurable threshold stale_series_compaction_threshold in the config file. #​16929

[2.26.0] Update VueTorrent to 2.32.0 Full Changelog download_path for categories (#​2633) (c975533) TorrentDetail: Add default tab selection in settings (#​2623) (144f552) CookiesManager: Allow import from empty menu (3f4f571) RSS: Improve performance (c6d9ddc)

[2.12.0] chore(deps): update dependency radicale to v3.6.1

[2.7.3] Update rallly to 4.7.4 Full Changelog Fix redirect to login when accessing poll admin by @​lukevella in #​2184

App discontinued due to no upstream updates.

[5.4.0] Update redash to 26.3.0 Full Changelog

[3.11.1] Update redmine to 6.1.2 Full Changelog Defect #43661: Unsafe eval usage in AttachmentsHelper Defect #43690: Directory Traversal via Backslash-Separated Paths in Filesystem SCM Defect #43691: DOM (Stored) XSS in @mention autocomplete via unescaped user name Defect #43692: LDAP Injection (Unescaped Input in LDAP Search Filter) Defect #43694: DOM XSS: HTML Injection via Custom Field Name in Query Filter Generation Defect #43830: User who is allowed to view only their own time entries can retrieve other users’ time entry details by directly specifying the TimeEntry ID via the REST API Defect #43864 / #43840: Update Nokogiri to 1.18.9 (5.1.12) or 1.19.1 (6.1.2 and 6.0.9).

Just installed ReleaseBell to monitor the apps I am packaging. But it's not accurate Shows https://github.com/windmill-labs/windmill as v1.457.0 but the actual GitHub page shows 1.645.0 Is there some config I should be changing ? Actually, just noticed it has 2 entries for windmill ( a starred project ), the other showing 1.573.0

[3.1.0] Update Rocket.Chat to 8.2.1 Full Changelog (#​39508 by @​dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates) (#​39517 by @​dionisio-bot) Fixes ssrf validation for oauth endpoints, which allows internal endpoints to be used during the auth flow. This release focuses on security, stability, and usability improvements. SSRF protection was strengthened by moving URL validation into the server-fetch package with built-in safeguards like internal IP blocking, DNS rebinding protection, stricter redirect handling, and optional safe overrides, plus a new workspace allowlist for specific domains, IPs, and ports. The minimum supported MongoDB version was raised to 8.0 to improve the support matrix's stability. Federation now includes an added validation layer that restricts usage to users with verified emails matching the configured domain. OpenAPI documentation generation was improved to correctly handle multiple HTTP methods under the same endpoint path. Apps-Engine now supports multiple file uploads, a new uploads.delete endpoint allows individual file deletion, and username formatting across the UI has been standardized to consistently include an @​ prefix. The release also delivers a broad set of reliability and security fixes. It resolves a persistent Enterprise plan active pop-up caused by a failing API request, ensures chat routing respects agent limits in microservices deployments, and adds a MongoDB TTL index to automatically expire statistics after one year to control storage growth. Several Apps-Engine issues were addressed, including lost logs in nested requests and broken dynamic route parameters.

Glad we got down to the issue in the end.

@girish said: @rmdes @odie I have updated the app to use symlinks under /app/data/bridges. You can add new bridges there or delete some symlink and add your own. Thank you! Works excellent!

Given that the upstream project is not maintained anymore, we have hidden this in the appstore. I had also submitted a PR upstream for a basic issue which is ignored - https://github.com/aliasaria/scrumblr/pull/161

[2.85.0] Update searxng to 6c7e9c1

[1.3.0] Update serpbear to 3.0.0 Full Changelog adds dynamic scraping to tackle num=100 block. (b976aef), closes #​310 correct typo "avaialable" "available" in AddKeywords and searchConsole (ca1b6cb resolve broken Google Ads integration due to deprecated API (893598a), closes #​239 #​181 #​311 resolve Google Search Console Forbidden errors and silent cron failure (c075fc4), closes #​232 #​180 #​180 #​232 resolves "client-side exception has occurred" error. (dc67fcf), closes #​271 resolves broken city filter for serper.dev (8a61064), closes #​285 resolves failure to detect domain with www in search results (36ed25f), closes #​272 #​281 #​323 resolves google ads Not authorized error when integrating (09b025a), closes #​190 resolves Google adwords connection issue. (be4eb47) resolves hidden tooltips for inner tabs (ea6df20)

[1.4.1] Update sftpgo to 2.7.1 Full Changelog SFTPD: Added support for OpenPubkey SSH, enabling tighter integration between OpenID Connect and SFTP. Enforced password validation rules also when applied through a group. Fixed an issue where JSON dumps containing command actions failed to load correctly at startup when loaded as initial data. Data Provider: Fixed lock handling issues during migrations that could affect MySQL when migrations are executed concurrently by multiple instances. Fixed a potential path traversal and permission bypass involving specially crafted paths. CVE-2026-30914. Fixed placeholder sanitization in group home directories and key prefixes. CVE-2026-30915. Unified path handling: Prior to this release, the backslash character (\) was treated differently depending on the host operating system: on Linux, it was considered a standard character within a file or directory name, while on Windows, it acted as a path separator. We have now unified path handling across all platforms. Moving forward, both forward slashes (/) and backslashes (\) are strictly evaluated as path separators, independently of the underlying OS.

[2.18.0] Update Shaarli to 0.16.0 Full Changelog v0.x branches and tags will no longer be maintained after v0.16. Always upgrade to the latest release to receive bugfixes and security patches. docs: update PHP version compatibility table fix stored XSS via suggested tags (GHSA-g3xq-mj52-f8pg) build(deps): update frontend build dependencies (js-yaml/glob)

@girish said in SickChill unlisted from app store: I hope they atleast bring back the issue tracker Out of interest, why does this matter for Cloudron? BTW, someone has replied to the thread I started on Discord informing me that the master releases are these https://pypi.org/project/sickchill/ Doesn't look like there has been a new one since March though.

[1.3.0] Update shiori to 1.8.0 Full Changelog feat(apiv1): refactor tags api (#1075) feat: add PWA support share functionality (#1060) feat: add apis to handle bookmark tags (#1081) feat: allow tag filtering and count retrieval via api v1 (#1079) feat: improve SQLite performance (#1024) feat: reverts message in json output and allows configuration (#1082) feat: support proxy forward headers authentication (#1105) fix: auth validation on existing sessions, rely on token only (#1069) fix: incorrectly set cookie's expires value in login.js (#1049) fix: parse pocket new CSV format (#1112

The upstream project is archived - https://github.com/boypt/simple-torrent/ . There has been no changes in 2 years and modules are not updated.

@robi Technically true. And yet the only door you need to overcome to access all your mails.

[1.19.0] Update snipe-it to 8.4.0 Full Changelog Added "reset to default" for theme, preview for effects in profile by @​snipe in #​18347 Add SCIM url to admin settings index view by @​snipe in #​18358 Fixed #​18325: Ensure existing permission group users are maintained when editing a group by @​dylang3 in #​18326 Replaced deprecated Symfony Request::get() usage by @​joelpittet in #​18363 Bump actions/upload-artifact from 5 to 6 by @​dependabot[bot] in #​18349 Bump actions/cache from 4 to 5 by @​dependabot[bot] in #​18348 Fixed #​18384: Remove backticks in bulk-actions.blade.php to avoid unintentional shell_exec() call by @​dylang3 in #​18388 Fixed #​18377 - make min for names consistent by @​snipe in #​18392 Fixed: paragonie/sodium_compat - Missing check that a point is on the prime subgroup for Edwards25519 by @​joelpittet in #​18391

[2.18.6] Update sogo to 5.12.6 Full Changelog vulnerability: new user can properly use totp (623f08)

Just checked on this again but it seems statping-ng is not going forward much . https://github.com/statping-ng/statping-ng/tags says the release was almost a year ago.

[3.9.0] Update Stirling-PDF to 2.8.0 Full Changelog Desktop no longer requires a login to use, this feature is now fully optional and only required for tools which cant run locally (And can be ran on stirling.com OR your own selfhosted indicated with a cloud icon) Improved PDF Rendering performance Comment support for both viewing and adding (To be enhanced further this week) (Uses your username automatically) reintroduced the remove image endpoint New RFC 3161 PDF timestamp tool Security patches Fixed bug for docx conversion on desktop Fixed bug fix for email invites Possible fix for users reporting text selection issues Multi-page PDF layout enhancement with a dramatic increase in customisation!

[1.12.0] chore(deps): update dependency apache-superset to v6

[6.4.7] Update surfer to 6.4.1 Update frontend and backend dependencies

[1.33.16] Update syncthing to 2.0.15 Full Changelog Database backend switched from LevelDB to SQLite. There is a migration on first launch which can be lengthy for larger setups. The new database is easier to understand and maintain and, hopefully, less buggy. The logging format has changed to use structured log entries (a message plus several key-value pairs). Additionally, we can now control the log level per package, and a new log level WARNING has been inserted between INFO and ERROR (which was previously known as WARNING...). The INFO level has become more verbose, indicating the sync actions taken by Syncthing. A new command line flag --log-level sets the default log level for all packages, and the STTRACE environment variable and GUI has been updated to set log levels per package. The --verbose and --logflags command line options have been removed and will be ignored if given. packages, and the STTRACE environment variable and GUI has been updated

[2.17.2] Update taiga-front-dist to 6.9.1

[1.11.1] Update recipes to 2.5.1 Full Changelog improved ingredient parser handling of leading special characters (like ,.-_=+#*|/) changed start page link icon to "more" text for opening search fixed ical issues #​4429 fixed recipe view performance degradation (thansk to @​poikilotherm #​4426) fixed syntax error in template breaking recipe view and editor #​4421 fixed creating food trough shopping list entry failing #​4418 fixed admins could include arbitrary local files trough local storage provider https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-6485-jr28-52xx fixed server side request forgery trough redirects/dns rebinding attacks https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-j6xg-85mh-qqf7 fixed issue with diameter scaling when base servings were not 1

[1.5.2] Fixup doc URL

@timconsidine said in Teddit Subscriptions no longer working: Just FYI - my LibReddit - selfhosted as Docker on another VPS = is still working. But now it is down. Maybe they have caught up with me.

[1.22.1] checklist added to manifest

@Sam_uk we have unlisted TLDraw by now. Please see https://forum.cloudron.io/topic/10806/no-more-updates-to-tldraw . The license and company direction has changed.

The traccar team has created a fix for this issue. https://github.com/nagyist/traccar/commit/9c31a03b374483811263626590faa2224211d670 If a new traccar release is ready we will also update the Cloudron app.

[2.7.2] Update libretranslate to 1.9.5 Full Changelog Fix version display by @​pierotofy in #​951 Prefetch MiniSBD models by @​pierotofy in #​953

[2.5.0] Update transmission to 4.1.0 Full Changelog Improved TP download performance. (#​6508) Added support for IPv6 and dual-stack UDP trackers. (#​6687) Support trackers that only support the old BEP-7 with &ipv4= and &ipv6=. (#​7481) New JSON-RPC 2.0-compliant RPC API. (#​7269) Added optional sequential downloading. (#​4795) Use native icons for menus and toolbars: SF Symbols on macOS, Segoe Fluent on Windows 11, Segoe MDL2 on Windows 10, and XDG standard icon names everywhere else. (#​7819, Qt Client) Fixed 4.0.6 bug where Transmission might spam HTTP tracker announces. (#​7086) Improved libtransmission code to use less CPU. (#​4876, #​5645, #​5715, #​5734, #​5740, #​5792, #​6103, #​6111, #​6325, #​6549, #​6589, #​6712, #​7027, #​7744, #​7800) Avoid unnecessary heap memory allocations. (#​5519, #​5520, #​5522, #​5527, #​5540, #​5649, #​5666, #​5672, #​5676, #​5720, #​5722, #​5725, #​5726, #​5768, #​5788, #​5830, #​6542) Slightly reduced latency when sending protocol messages to peers. (#​5394)

[1.27.2] Update Trilium to 0.101.3 Full Changelog SQL Console: cannot copy table data by @SiriusXT Title is not selected when creating a note via the launcher by @SiriusXT Popup editor closing after inserting a note link by @SiriusXT New Mermaid diagrams do not save content by @lzinga Can't scroll mermaid diagram code Max content width is not respected when switching between note types in the same tab Crash When a Note Includes Itself Severe Performance Degradation and Crash Issues Due to Recursive Inclusion in Included Notes is not a launcher even though it's in the launcher subtree Archived subnotes of direct children appear in grid view without #includeArchived

[2.83.0] Update tt-rss to 5cbcc14

Always good to check the logs for progress

[1.23.2] Update typebot.io to 3.15.2 Full Changelog Fix app router automatically adding transfer-encoding: chunked header to backend requests 69efa2f

[3.23.0] Add optional redis

[2.3.0] Update cloudflared to 2026.3.0

Closed due to inactivity note: mods are working, asked @BrutalBirdie he tested it briefly

[1.82.5] Fixup doc URL

[1.24.3] Update vaultwarden to 1.35.4 Full Changelog GHSA-w9f8-m526-h7fh. This vulnerability would allow an attacker to access a cipher from a different user (fully encrypted) if they already know its internal UUID. GHSA-h4hq-rgvh-wh27. This vulnerability allows an attacker with manager-level access within an organization to modify collections they can access, even if they do not have management permissions for them. GHSA-r32r-j5jq-3w4m. This vulnerability allows an attacker with manager-level access within an organization to modify collections they are not assigned. Update Rust and Crates and GHA by @​BlackDex in #​6843 hide remember 2fa token by @​stefan0xC in #​6852 fix(send_invite): invite links by @​proofofcopilot in #​6824 Misc organization fixes by @​BlackDex in #​6867

[1.74.0] Update verdaccio to 6.3.1 Full Changelog fix(deps): update core verdaccio dependencies (6.x) by @​renovate[bot] in #​5587 fix(deps): update dependency envinfo to v7.21.0 (6.x) by @​renovate[bot] in #​5590 fix(deps): update core verdaccio dependencies (6.x) by @​renovate[bot] in #​5613 fix: error checking storage directory #​5447 fix(api): remove unnecessary allow check #​5599

[1.22.1] Update vikunja to 2.2.2 Full Changelog Require admin access to list link shares (5cd5dc4) Hide link sharing section in UI for non-admin users (74d1bdd) (auth) Reject disabled/locked users in OIDC callback (auth) Reject disabled/locked users in API token middleware (auth) Return correct error type for locked users in OIDC callback (auth) Reject disabled/locked users in CheckUserCredentials (auth) Skip profile updates for disabled LDAP users (caldav) Replace href with pathname from parseURL for api base (frontend) OrigUrlToCheck references the same object as urlToCheck (openid) Merge VikunjaGroups and ExtraSettingsLinks from userinfo

Thank you, @girish, for the very quick implementation! I just upgraded and so far things appear to be working as expected. I'll test a bit more and report back with any issues I might come across... Thanks again and cheers from Germany!

[2.5.6] Update wallabag to 2.6.14 Full Changelog Change version in wallabag.yml by @nicosomb in #8251 Fix deprecation by @j0k3r in #8267 Add annotations filter to entries API endpoint by @skn in #8346 Update dependencies by @yguedidi in #8435 Bump deps (mostly for siteconfig) by @j0k3r in #8489 Fix reading time computation for short entries by @andreadecorte in #8332 Fix urls parameter when sending many urls to be stored using the API by @j0k3r in #8488 Prepare 2.6.14 by @j0k3r in #8494

[1.21.0] Update Wallos to 4.8.0 Full Changelog add openai compatible host for ai recommendations (99c30e7) enable ai recommendations at a schedule (99c30e7) move update banner to the dashboard (99c30e7) handle some ai responses that come in a different format (99c30e7)

[1.20.1] Update whitebophir to 1.22.1 Full Changelog

[1.38.1] Update weblate to 5.16.2 Full Changelog New setting <a href="https://docs.weblate.org/en/weblate-5.16.2/admin/config.html#std-setting-PUBLIC_ENGAGE" class="reference internal"><span class="pre"><code class="xref std std-setting docutils literal notranslate">PUBLIC_ENGAGE</code></span></a> to make the engage page public even with <a href="https://docs.weblate.org/en/weblate-5.16.2/admin/config.html#std-setting-REQUIRE_LOGIN" class="reference internal"><span class="pre"><code class="xref std std-setting docutils literal notranslate">REQUIRE_LOGIN</code></span></a>. Improved matching in <a href="https://docs.weblate.org/en/weblate-5.16.2/admin/memory.html" class="reference internal"><span class="doc">Translation Memory</span></a>. Show the number of strings waiting for review in listings. Avoid displaying confusing status icons for ghost languages on project or category level. Fixed missing plural source strings when creating new bilingual plural units. Crash on certain pages with nested categories. Improved API validation when adding strings. Disabled throttling for incoming webhooks. Avoid displaying non-actionable ghost languages. Fixed highlighting in the translation editor.