Cloudron Forum

[1.6.2] Update keycloak to 26.6.2 Full Changelog #47485 CVE-2026-33871 HTTP/2 CONTINUATION Frame Flood Denial of Service #47486 CVE-2026-33870 RFC violation: HTTP Request Smuggling primitive via Chunked Extension Quoted-String Parsing #47932 [CVE-2026-4628] Improper Access Control on Keycloak Server through UMA resource management endpoints via PUT parameters authorization-services #48049 [CVE-2026-37980] Stored XSS in select-organization.ftl - FreeMarker HTML-escape insufficient in inline JS handler organizations #48329 JDBC_PING in 26.6 should not fail with 26.7 schema changes #48348 Escape expressions in JS blocks in FTL pages #38526 Duplicate user attribute values cannot be removed core #47901 Realm import with --import-realm fails with ModelValidationException when Admin Permissions is enabled admin/fine-grained-permissions #48040 User session limit generates fatal error authentication #48185 Deleted workflow still attempting to run workflows

[3.12.0] Update Stirling-PDF to 2.11.0 Full Changelog Fix Task commands in Powershell by @jbrunton96 in #6330 fix: replace deprecated payload too large status by @Ludy87 in #6336 Fix desktop app overscrolling inappropriately by @jbrunton96 in #6350 Add Playwright/bootRun/test.sh tasks by @Frooodle in #6244 Fix main frontend validation by @jbrunton96 in #6361 UI redesign staging by @EthanHealy01 in #6149 Split and delete forms by @reecebrowne in #6277 add translations by @Frooodle in #6390

[2.14.2] Update discourse to 2026.4.1 Full Changelog

[1.14.15] Update AdGuardHome to 0.107.75 Full Changelog Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in [1.26.3][go-1.26.3]. IDs of requests received over DoH and DoQ and forwarded to plain-DNS upstreams are now set to non-zero values to improve security. Frontend API requests no longer depend on axios. Dashboard charts use Recharts instead of Nivo. enable_dnssec in dns configuration now defines whether the proxy should set the DO flag in the upstream requests, the default is true ([#7046][#​7046]). Statistics database deadlock ([#8359][#​8359]). Translated labels on the DNS settings pages not updating after changing the UI language. Dashboard charts now correctly display lower query counts ([#6823][#​6823]). Redundant validation warnings about DHCP when it's disabled ([#8348][#​8348]). Safe Browsing and Parental Control labels on the General Settings page not updating after changing the UI language.

[1.134.0] Update synapse to 1.153.0 Full Changelog Make ACLs apply to EDUs per MSC4163. (#18475) Stabilize MSC3266: Room summary API, removing the experimental config flag msc3266_enabled. Contributed by @dasha-uwu. (#19720) Partial MSC4311 implementation: m.room.create is now a required part of stripped invite_state/knock_state . Contributed by @FrenchGithubUser @famedly. (#19722) Expose tombstoned and replacement_room in room details on admin API endpoint GET /_synapse/admin/v1/rooms/<room_id>. Contributed by Noah Markert. (#19737)

[1.30.2] Update changedetection.io to 0.55.4 Full Changelog UI - AI/LLM - "Summary" button should set last viewed by @skkzsh in #4095 API - watch.link was accidently a tuple, enforcing string by @dgtlmoon in #4104 API - Add restock config to API /v1/watch/ json output #4099 by @dgtlmoon in #4103 Notifications - Escape only the diff variables before Jinja2 renders them into the template ( Stop breaking custom HTML for plaintext pages on HTML notifications) #4121 by @dgtlmoon in #4123 Fixing GHSA-vwgh-2hvh-4xm5 substring match in the shared_diff_access by @dgtlmoon in #4130 LLM - Self-hosted OpenAI-compatible endpoint support (vLLM, LM Studio, llama.cpp) refs #3204 by @tekgnosis-net in #4117 Text filters - Process subtractive_selectors first by @dgtlmoon in #4142 Text filters - Ignore text should run before 'extract text' by @dgtlmoon in #4143 UI - LLM - SSRF guard for the LLM api_base setting by @dgtlmoon in #4157 API Security - Watch GET history snapshot - Should return text/plain mimetype so it cant be accidently executed in the browser by @dgtlmoon in #4158

[1.52.0] Update chatwoot to 4.14.0 Full Changelog Companies: creation, details, notes, history, labels, and activity tracking. Help Center: bulk actions, AI translation, URL embeds, and category-based article creation. Captain/AI: document sync, FAQ improvements, handoff classification, and config refresh fixes. Inbox UX: expanded chat list, bulk actions, attachments, quoted replies, and conversation IDs. Integrations: Linear issue linking, template previews, WhatsApp campaign variables, and IMAP auth options. Voice: ground work for WhatsApp/Twilio calling, inbound calls, recordings, and call join support. Security: webhook validation, SSRF hardening, safer uploads, SAML fixes, and admin auth checks. Reliability: fixes across reports, notifications, email, CSAT, CSV, portals, widgets, TikTok, and Slack.

[1.9.3] Update humhub to 1.18.3 Full Changelog Fix #8079: Hide wall entry topics container when no topics Fix #8075: Filtering by Global Topic in Dashboard Fix #8086: Fix Daylight Saving Time issue in DbDateValidator Fix #8090: Show only visible groups on the profile field "Group memberships" Enh #8095: Improve authorization checks Enh #8088: Improve people/space filters Fix #8133: Rebuild search index after file updating Fix #8144: Restrict file view action Enh #8156: Enhance behavior for vertical videos and multiple video attachments Fix #8164: Fix space members list visibility

[1.18.3] Update Emby.Releases to 4.9.5.0 Full Changelog Fix sporadic cases of wrong subtitle encoding Fix sporadic cases of subtitles not showing Fix strm files containing youtbue urls Add additional Estonian language codes Fix realtime monitor ignoring folders with a dot in the name Add new spotlight home screen section option (requires Emby Server 4.10+)

[2.28.0] Update VueTorrent to 2.34.0 Full Changelog Settings/WebUI: Add API key support for qBit 5.2.0+ (#2784) (71ff0ec) Sidebar: Add DHT node and peer connection count (#2774) (4a5c857) login: restore vertical centering after Vuetify v4 migration (#2775) (ce05f81) support shareLimitAction in per-torrent view editing (qBit 5.2.0+) (#2780) (7bb3d16)

[1.34.3] Update whitebophir to 2.8.5 Full Changelog

[2.6.0] Update joplin to 3.7.1 Full Changelog New: Add support for post-quantum cryptography (PQS) TLS (#15055 by Alex Martens) New: Add support for whiteboards (#15305) (#15193) Improved: Add settings search to config screen (#14820) (#14763 by @slimuCS) Improved: Add table editing commands (add/delete rows and columns) (#14519) (#12372 by @kanishka0411) Improved: Do not load plugin if it is disabled (#15083) Improved: Speed up app startup by skipping unnecessary plugin file processing (#15085) (#15081) Fixed: Add the ability to delete the default profile (#15153) (#14506 by @mrjo118) Fixed: Avoid OOM when printing notes with large attachment links (#15026) (#13903 by @Rygaa) Fixed: Fix silent sync failure which prevents new changes being synced, when a single server object has an updated_time in the future (#15262 by @mrjo118) Fixed: Preserve timestamps when converting HTML notes (#15275) (#15263 by @izumedonabe)

[1.37.10] Update uv to 0.11.15

[3.12.1] Update metabase to 0.61.1.5 Full Changelog