Cloudron Forum

[4.152.2] Update ghost to 6.19.2 Full Changelog Fixed alerts positioning inside the editor (#​26510) - Kevin Ansfield Fixed double-encoded HTML entities in email newsletter cards (#​26498) - Kevin Ansfield Fixed comments-ui permalink crash when iframe is detached - Rob Lester Fixed member filters with multiple date based filters returning incorrect results (#​26458) - renovate[bot] Fixed settings page not scrollable on mobile (#​26477) - Kevin Ansfield Hid "open in your email app" button on iOS, where it's unreliable (#​26449) - Evan Hahn Fixed Portal crash when navigating via hash links on a page (#​26445) - Kevin Ansfield

[1.0.0] Update glpi to 11.0.5 Full Changelog [SECURITY - MODERATE] Session stealing on externally authenticated user change (CVE-2026-23624) [SECURITY - HIGH] Remote Code Execution via malicious upload (CVE-2026-22248) [SECURITY - MODERATE] SSRF via Webhooks (CVE-2026-22247)

[1.5.4] Update keycloak to 26.5.4 Full Changelog CVE-2026-1190 - Keycloak SAML brokering: Response delay due to unchecked NotOnOrAfter in SubjectConfirmationData saml CVE-2026-0707: Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass CVE-2025-5416 keycloak-core: Keycloak Environment Information CVE-2026-2575 - Denial of Service due to excessive SAMLRequest decompression saml CVE-2026-2733 Missing Check on Disabled Client for Docker Registry Protocol New key affinity for session ids "Update email" AIA: "Back to Application" URL invokes OIDC callback with missing parameters oidc Client deletion timeout due to large number of client roles storage auth_mellon (SAML) authentication fails after upgrade to 26.5.1 (from 26.4.6) saml Information Disclosure of Client Secret on Unauthenticated Config Endpoint oidc

[1.23.1] Update gogs to 0.14.2 Full Changelog Security: Cross-repository LFS object overwrite via missing content hash verification. #​8166 - GHSA-gmf8-978x-2fg2 Security: Stored XSS via data URI in issue comments. #​8174 - GHSA-xrcr-gmf5-2r8j Security: Release tag option injection in release deletion. #​8175 - GHSA-v9vm-r24h-6rqm Security: Stored XSS in branch and wiki views through author and committer names. #​8176 - GHSA-vgvf-m4fw-938j Security: DOM-based XSS via issue meta selection on the issue page. #​8178 - GHSA-vgjm-2cpf-4g7c Unable to update files via web editor and API. #​8184

[1.14.11] Update AdGuardHome to 0.107.72 Full Changelog The TLS certificate and key files are now being tracked for updates, which trigger a reload ([#​3962]). New query parameter recent in GET /control/stats/ defines statistics lookback period in millieseconds. See openapi/openapi.yaml for details. New field "ignored_enabled" in GetStatsConfigResponse or GetQueryLogConfigResponse. See openapi/openapi.yaml for details. In addition to modifying the contents of a hosts file, deleting or renaming the file now also updates runtime clients and DNS filtering results. In this release, the schema version has changed from 32 to 33. Added a new boolean field ignored_enabled in querylog and statistics config. Executable permissions in some Docker installations ([#​8237]). Unknown blocked services from both global and client configuration now logged instead of causing server crash.

[3.10.15] Update firefly-iii to 6.4.23 Full Changelog Issue 11734 (Cache is not cleared for "no category" overview monthly blocks) reported by @​JC5 Issue 11735 (health endpoint no longer performant) reported by @​grgar Discussion 11736 (Deposit from a Liability & the default financial report) started by @​dratze98 Issue 11738 (API endpoint api/v1/batch/finish does not work) reported by @​JC5 Issue 11744 (Webhook and rule execution for imported transactions) reported by @​mleck28 Issue 11752 (ErrorException in OperatorQuerySearch.php when using tag_starts or tag_ends operators via API) reported by @​travelr Issue 11757 ("Remember Me" cookie expires after 1 minute) reported by @​michaeljandrews Invitee mail message would error out, reported over mail. Thanks!

[2.37.1] Update bedrock to 1.26.1.1

[1.30.0] Update calibre to 9.3.0