Cloudron Forum

[1.16.3] Update docuseal to 3.0.3 Full Changelog Allow to zoom-in template builder page with Ctrl/Cmd+Mouse Wheel Scroll Bug fixes, security hardening and performance improvements Allow to replace documents from google drive

[1.23.2] Update gogs to 0.14.3 Full Changelog Security: Reverse proxy authentication header was honored from any remote address, allowing user impersonation when Gogs was reachable directly. The header is now only trusted from addresses listed in [auth] TRUSTED_PROXY_IPS. #8264 - GHSA-w6j9-vw59-27wv Security: Server-side request forgery in webhook deliveries via HTTP redirects to local network addresses. #8263 - GHSA-c4v7-xg93-qf8g Security: Denial of service when rendering issue references against a malformed external issue tracker URL format. #8312 - GHSA-4j89-2c4f-44c6 Security: Stored XSS in Jupyter notebook (.ipynb) preview through Markdown links with javascript: URLs. #8319 - GHSA-jq8v-rmf6-65jw Security: Missing authorization check on the attachment download endpoint allowed anyone who knew (or guessed) an attachment UUID to download files belonging to private repositories. #8320 - GHSA-p9f5-h3rx-j5qw Security: Remote command execution via pull request rebase merges with crafted branch names. #8301 - GHSA-qf6p-p7ww-cwr9 Security: Arbitrary file write outside the repository working tree via crafted upload filename routed through a committed directory symlink. #8332 - GHSA-89mr-xqfv-758m Security: Remote code execution via path traversal in organization names accepted through the API. #8334 - GHSA-c39w-43gm-34h5 Security: Stalled SSH handshakes pinned a file descriptor and goroutine indefinitely. The built-in SSH server now drops connections that do not complete the handshake within 15 seconds. #8335 - GHSA-xp79-5mx3-jx52 Security: Organization metadata and team list endpoints were reachable without authentication. #8336 - GHSA-744x-3838-5r56

[3.49.1] Update openproject to 17.4.1 Full Changelog CVE-2026-47193 - Journal diff endpoint bypasses object, journal, and field visibility checks CVE-2026-49355 - Private work package data disclosure through single meeting agenda item API GHSA-3vpx-94qx-xpw6 - IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources GHSA-6crw-7f5r-4qj9 - CSRF on TARGET through /users/:id via POST parameter "user[admin]" GHSA-98vw-2r87-fx2r - SQL injection in timestamps functionality GHSA-h83w-5q5x-pq27 - Information Disclosure (cleartext storage of data) on localhost through memcached via Others "storage.<id>.httpx_access_token" leads to Sensitive Data Exposure GHSA-q33w-f822-hg8x - Stored XSS on openproject.example.com through /api/v3/projects/{project}/work_packages via POST parameter "description" GHSA-qj96-f42f-6336 - Cache store poisoning leads to Remote Code Execution (RCE) Bugfix: Migration 2025092 failing due to update code failing on not-yet fully migrated schema [#75286]

[1.9.0] Update seaweedfs to 4.32 Full Changelog fix(http): check delete request errors before auth by @7y-9 in #9784 security: hot-reload JWT signing keys on SIGHUP by @chrislusf in #9826 [CheckDisk]: implement disk health detection by @MilanFun in #9560 ec placement: spread EC shards evenly across machines, not onto the lowest-id one by @chrislusf in #9855 fix(s3/lifecycle): report success to admin via JobCompleted by @ahalaun in #9787 fix(s3api): authorize DeleteObjects per key so object-scoped policies match by @chrislusf in #9793 fix(iam): implement CreatePolicyVersion for managed policies by @chrislusf in #9795 feat(filer.backup): -initialSnapshot re-seeds a reinitialized destination by @kisow in #9828 sftpd: support SSH user certificates signed by a trusted CA by @FabianHardt in #9815 fix(helm): suspend bucket versioning for YAML bool false by @lexfrei in #9836

[4.1.1] Update moodle to 5.2.1 Full Changelog

[1.57.5] Update LimeSurvey to 6.17.5+260527

[2.90.0] Update tt-rss to d441735

[1.51.0] Update code to 26.04.1.4.1

[1.43.0] Update koel to 9.8.0 Full Changelog feat: rate podcasts by @phanan in #2550 fix: prevent frontend test runs from breaking the dev server by @phanan in #2552 fix: make no-hover variant actually apply on touch devices by @phanan in #2551 feat: play album/artist from row thumbnails on hover by @phanan in #2553 fix: shrink carousel overscroll mask on mobile by @phanan in #2556 fix: hide carousel scroll buttons when the track fits by @phanan in #2555 fix: make ScreenHeaderSkeleton responsive on mobile by @phanan in #2561 fix: follow redirects when fetching podcast feeds by @phanan in #2564 feat: add koel:storage:webdav setup command by @phanan in #2563

[2.97.0] Update searxng to 86903a2

[1.20.1] Update core to 2026.6.1 Full Changelog Fix SleepIQ 401 storm by isolating client session cookies (@Stormalong - #172276) (sleepiq docs) Switchbot Cloud: Fixed an issue where condition filtering for enabled Webhooks was abnormal (@XiaoLing-git - #172903) (switchbot_cloud docs) Add more Reolink diagnostic info (@starkillerOG - #172945) (reolink docs) Fix Mitsubishi Comfort devices skipped due to unresolved local address (@nikolairahimi - #172959) (mitsubishi_comfort docs) Fix value template in MQTT Fan and Siren subentry setup (@jbouwh - #172980) (mqtt docs) Fix person in_zones propagation from scanner in home zone (@emontnemery - #173007) (person docs) Fix Duco mode end time sensor name (@ronaldvdmeer - #173045) (duco docs) Create certificate files before trying to migrate the MQTT config entry (@jbouwh - #173087) (mqtt docs) Fix process advertisement for active scans (@elupus - #173116) (bluetooth docs)

[1.48.0] Update languagetool to 8e9c034

[1.14.0] set the default charset to utf8mb4 See docs on how to migrate the charset of an existing instance

[2.16.0] Update vpn to 2.16.0 Move config database to sqlite

[1.17.2] Update pocketbase to 0.39.2 Full Changelog Fixed records list UI sorting (#7724). Don't clear the date input on invalid value while still typing (#7726). Return filepath.SkipDir in the pb_hooks dirs watcher to avoid unnecessary iterating over node_modules and .* prefixed hidden dirs (.DS_Store, .git, etc.). Show the "Affected rows" SQL console message only if non-empty to avoid ambiguity with drivers that don't support returning the affected rows count. Updated modernc.org/sqlite to v1.52.0 (SQLite 3.53.2).