Cloudron Forum

[4.111.0] Update wekan to 9.64 Full Changelog Fixed ChecklistBleed: any authenticated user can write checklist data into a private board they are not a member of (cross-board write via collection allow rule) Fixed ProxyBleed: Header-login IP allowlist bypass via X-Forwarded-For spoofing allows unauthenticated full account takeover (incl. admin) Fixed TokenBleed: unauthenticated login-token minting via un-awaited auth check in POST /api/createtoken/:userId Fixed BoardBleed: Broken access control lets any authenticated user move their Cards/Lists/Swimlanes into a private board they are not a member of (cross-board write via collection allow rule) Added card dependency "Red Strings" / PI program board Greatly expanded board automation Rules Added Jira import Full right-to-left (RTL) UI for every page when an RTL language is selected Greatly improved import from Trello to WeKan Fixed SyncedCron crash

[3.14.1] Update Stirling-PDF to 2.13.1 Full Changelog feat(i18n): sync editor translations with pluralization support and new UI strings by @Ludy87 in #6565 Fix more any typing usage in the frontend by @jbrunton96 in #6664 Fix bad frontend architecture by @jbrunton96 in #6730 Fix Multi Tool page rotation lost on save by @Frooodle in #6733 Add desktop mobile-upload page and fix LAN QR URL by @Frooodle in #6736 Add metrics for numerical count of total PDFs by @Frooodle in #6737 Add message when running task with no arguments by @jbrunton96 in #6731

[4.30.2] Update n8n to 2.26.8 Full Changelog Form Trigger Node: Add default value for authentication parameter to prevent crash on old workflows (#32629) (174da99) Compression Node: Decompress only the archive members (#32517) (b17a293)

[2.38.1] Update bedrock to 1.26.31.1

[3.16.3] Update metabase to 0.62.2.6

[1.37.18] Update uv to 0.11.23 Full Changelog Revert "Fix transparent Python upgrades in project environments" to mitigate unintended breakage in pre-commit-uv (#19925) Restore old behavior where workspace members "hidden" by an intermediate pyproject.toml would be treated as standalone projects (#19926)

[1.25.2] Update evcc to 0.309.2 Full Changelog enphase: fix battery_type parameter (BC) (#30860) Charger (go-e): add missing product variants (#30915) Kostal Plenticore: add holdcharge battery mode (#30853) Modbus: add shared block reading (#30846) RCT: add maxacpower (#30936) Smart-hello: add Smart #5 support (#31024) Vehicle: add autodetectdisabled feature (#30941) Energyflow: fix invisible expand icon in dark mode (#31026) Fix minimum marker for zero forecast values (#30892) Kostal Plenticore: fix pv energy encoding (#30862)

[1.5.22] Update mirotalkbro to 1.3.38

[0.8.1] Update calendar to 0.8.1 Improve public booking page Various dark mode and mobile fixes

[4.177.0] Update ghost to 6.46.0 Full Changelog Added long-press to open the posts list context menu on touch devices (#28602) - Steve Larson Fixed disabling structured data for LLMs and AI search engines (#28742) - Hannah Wolfe Fixed expired complimentary members not triggering webhooks (#28444) - Steve Larson Fixed newsletter feedback buttons breaking after a slug change (#28604) - Steve Larson Fixed paid checkout returning to homepage instead of originating page (#28485) - Steve Larson Fixed admin toolbar adding extra scroll to site pages (#28674) - Renato Costa Fixed double-escaped tag names in social sharing meta tags (#28591) - swithek Fixed silent importer failures by surfacing validation errors (#28546) - Ricardo Sawir Fixed accent color styles disappearing in Admin design preview (#24722) - fueko Fixed {{date}} helper rendering English for zh, zh-Hant, and pa locales (#24949) - Samarth Bagga

[2.6.2] Update cloudflared to 2026.6.1

[2.29.1] Update NodeBB to 4.13.2 Full Changelog register service worker on safari (2ec0987) closes #14355 dont flash unread notif for topics (0e8544b) uids used for priv check (bd7bf5b) dont allow global mods gdpr export (39299bd) prevent uploading thumbs if user does not have upload:image privilege (72defdc) dont mark nids that you don't own read/unread (001e45d) bind hooks module in admin/settings/email define() (#14352) (86fd621) translator.escape chat messages & teasers (7ef400b) closes #14346, make nodebb global available in src/cli (620ab63) closes #14344, fix cron jobs (d23efb4)

[1.22.0] Update hedgedoc to 1.11.0 Full Changelog GHSA-6c2w-8w96-3pcv reports a possible HTML injection via the localpart of an email address. GHSA-qj78-mjch-wwrv reports a possible Denial-of-Service attack using the YAML frontmatter parsing. GHSA-8v9p-5j95-826j reports a possible CSRF attack vector in the GitHub Gist export. GHSA-2f9f-w8xq-276v reports a rate-limiting bypass by abusing the CF-Connecting-IP header. When using Cloudflare in front of HedgeDoc, you should set rateLimitUsingCloudflare in the config.json or CMD_RATE_LIMIT_USING_CLOUDFLARE as environment variable to true. Added a warning page when clicking external links Improve the config.json.example file, which is used by bin/setup Allow configuration of login / signup rate-limits Allow configuration of Cloudflare usage in regards of rate-limits Several improvements in the documentation at https://docs.hedgedoc.org