Cloudron Forum

[2.7.34] Update mirotalksfu to 2.2.96

[1.13.0] Update dawarich to 1.8.0 Full Changelog "What's New" changelog notices in the navbar. Self-hosted users are asked once before any external request and the widget loads only after opt-in; Cloud users see it automatically. Toggle anytime in Settings General, or point it at your own instance with CHIBICHANGE_WIDGET_HOST and CHIBICHANGE_SLUG. ChibiChange will be open-sourced soon. Sign in with Apple on the web (Dawarich Cloud only) Opt-in non-ML "stay-point" visit detection, behind the per-user stay_point_detection flag (default off). A single-pass dwell detector that fixes the old clusterer's slow-stay false-rejects and dead-battery gap splits, and stores a 0100 confidence score per suggested visit (exposed via the API). #2832 Map v2 Timeline: every visit now has a search icon to find the real place by name a type-as-you-go geocoder (Photon) lookup biased to the visit's location, each result showing category, distance, and nearby saved Areas. Pick a result to label the visit or create a new place on the spot; choosing a far-away place asks before relocating it. Declining a visit is now deleting a visit. Decline (per-visit, "Delete all" for a day, the bulk bar, and the Map v2 area-selection card) is replaced by Delete, which confirms and removes the visit entirely; your location points are always kept. The "Declined" filter and Restore action are removed. Globe view is enabled by default for Pro and self-hosted users. The map's Places layer no longer floods with a marker for every suggested visit it now shows only places you created manually, attached to a confirmed visit, or tagged. GET /api/v1/places accepts a filter parameter to override: all, manual, confirmed, or tagged. Deleting a single point on the map (via its info card) now redraws the connecting route immediately instead of leaving a stale line until reload. (#2844) The official Traccar client app is now supported directly. Its payload nests coordinates, battery and activity one level deeper than Dawarich's own client, so its points were silently dropped; both shapes are now accepted. #2741 Deleting an import now also removes any tracks left with no points, instead of leaving empty "ghost" tracks on the map and timeline. Connected maps drop the removed track right away. #2825

[1.10.1] Update 2FAuth to 7.0.1 Full Changelog issue #548 Sharing actions only available in "Show Password: After a Click/Tab" view, not obvious to users

[1.13.5] Update ollama to 0.30.7 Full Changelog Hermes Desktop is now available via ollama launch hermes-desktop with native Windows configuration path support OpenAI-compatible API models list now aligns with available model tags Added documentation describing the llama.cpp update process Updated Zod schema examples to use the native toJSONSchema helper Full Changelog: https://github.com/ollama/ollama/compare/v0.30.6...v0.30.7

[1.58.0] Update matomo to 5.11.0 Full Changelog SitesManager.addSite and SitesManager.updateSite now accept an optional description parameter (up to 255 characters). Site entities returned by the SitesManager APIs now include a description field. CustomDimensions.configureNewCustomDimension and CustomDimensions.configureExistingCustomDimension now accept an optional description parameter (up to 1000 characters) to provide additional context for a custom dimension. New ViewDataTable display properties were added: Config::$report_supports_flatten, Config::$show_flatten_table_export and Config::$export_parameters_to_modify / RequestConfig::$export_parameters_to_modify, allowing reports to control flattening availability and export link parameters independently of the UI. New Vue components are exported from CoreHome for use by plugins: MatomoModal, DraggableList and SearchInput. Themes can now customize the alternative border color using @theme-color-border-alternative. ScheduledReports.sendReport now accepts range as period parameter. CSV/TSV exports now replace carriage return characters in values with spaces (in addition to tabs). The theme variable @theme-color-border (ThemeStyles::$colorBorder) is deprecated; use @theme-color-border-alternative instead.

[1.17.3] Update pocketbase to 0.39.3 Full Changelog Fixed JS error on file settings maxSelect change (#7731). Apply the Ctrl+S record panel save shortcut only if it is the current top open modal. Fixed number settings validator to not ignore 0 max value. Normalized field settings validation error messages and tooltips.

[3.14.0] Update metabase to 0.61.4

[1.16.3] Update docuseal to 3.0.3 Full Changelog Allow to zoom-in template builder page with Ctrl/Cmd+Mouse Wheel Scroll Bug fixes, security hardening and performance improvements Allow to replace documents from google drive

[1.23.2] Update gogs to 0.14.3 Full Changelog Security: Reverse proxy authentication header was honored from any remote address, allowing user impersonation when Gogs was reachable directly. The header is now only trusted from addresses listed in [auth] TRUSTED_PROXY_IPS. #8264 - GHSA-w6j9-vw59-27wv Security: Server-side request forgery in webhook deliveries via HTTP redirects to local network addresses. #8263 - GHSA-c4v7-xg93-qf8g Security: Denial of service when rendering issue references against a malformed external issue tracker URL format. #8312 - GHSA-4j89-2c4f-44c6 Security: Stored XSS in Jupyter notebook (.ipynb) preview through Markdown links with javascript: URLs. #8319 - GHSA-jq8v-rmf6-65jw Security: Missing authorization check on the attachment download endpoint allowed anyone who knew (or guessed) an attachment UUID to download files belonging to private repositories. #8320 - GHSA-p9f5-h3rx-j5qw Security: Remote command execution via pull request rebase merges with crafted branch names. #8301 - GHSA-qf6p-p7ww-cwr9 Security: Arbitrary file write outside the repository working tree via crafted upload filename routed through a committed directory symlink. #8332 - GHSA-89mr-xqfv-758m Security: Remote code execution via path traversal in organization names accepted through the API. #8334 - GHSA-c39w-43gm-34h5 Security: Stalled SSH handshakes pinned a file descriptor and goroutine indefinitely. The built-in SSH server now drops connections that do not complete the handshake within 15 seconds. #8335 - GHSA-xp79-5mx3-jx52 Security: Organization metadata and team list endpoints were reachable without authentication. #8336 - GHSA-744x-3838-5r56

[3.49.1] Update openproject to 17.4.1 Full Changelog CVE-2026-47193 - Journal diff endpoint bypasses object, journal, and field visibility checks CVE-2026-49355 - Private work package data disclosure through single meeting agenda item API GHSA-3vpx-94qx-xpw6 - IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources GHSA-6crw-7f5r-4qj9 - CSRF on TARGET through /users/:id via POST parameter "user[admin]" GHSA-98vw-2r87-fx2r - SQL injection in timestamps functionality GHSA-h83w-5q5x-pq27 - Information Disclosure (cleartext storage of data) on localhost through memcached via Others "storage.<id>.httpx_access_token" leads to Sensitive Data Exposure GHSA-q33w-f822-hg8x - Stored XSS on openproject.example.com through /api/v3/projects/{project}/work_packages via POST parameter "description" GHSA-qj96-f42f-6336 - Cache store poisoning leads to Remote Code Execution (RCE) Bugfix: Migration 2025092 failing due to update code failing on not-yet fully migrated schema [#75286]

[1.9.0] Update seaweedfs to 4.32 Full Changelog fix(http): check delete request errors before auth by @7y-9 in #9784 security: hot-reload JWT signing keys on SIGHUP by @chrislusf in #9826 [CheckDisk]: implement disk health detection by @MilanFun in #9560 ec placement: spread EC shards evenly across machines, not onto the lowest-id one by @chrislusf in #9855 fix(s3/lifecycle): report success to admin via JobCompleted by @ahalaun in #9787 fix(s3api): authorize DeleteObjects per key so object-scoped policies match by @chrislusf in #9793 fix(iam): implement CreatePolicyVersion for managed policies by @chrislusf in #9795 feat(filer.backup): -initialSnapshot re-seeds a reinitialized destination by @kisow in #9828 sftpd: support SSH user certificates signed by a trusted CA by @FabianHardt in #9815 fix(helm): suspend bucket versioning for YAML bool false by @lexfrei in #9836

[4.1.1] Update moodle to 5.2.1 Full Changelog

[1.57.5] Update LimeSurvey to 6.17.5+260527

[2.90.0] Update tt-rss to d441735