Cloudron Forum

[2.7.30] Update mirotalksfu to 2.2.88

[1.4.2] Update sftpgo to 2.7.3 Full Changelog Added a configurable minimum-entropy check (common.secret_min_entropy, default 80) for data-at-rest encryption secrets (CryptFs passphrase, S3 SSE-C key), to reject trivially weak key material at submission time. Logs: added the virtual path to transfer/command logs and to event-log CSV exports. WebClient: replaced glightbox with a custom lightbox implementation for better CSP compatibility. IP list: fixed matching when an IP is covered by multiple conflicting entries. Fixed comparison of unordered slices. Shares: enforce max_tokens atomically via a guarded conditional update, closing a check-then-write race that could let a usage-capped share be used more times than allowed under concurrent access. In-memory reset-code manager: check code expiry at retrieval time instead of relying only on the background cleanup. Fixed a path-confinement bypass in the public browsable-share partial ZIP download. CVE-2026-49244. Fixed a stored XSS where the inline parameter on browsable-share and authenticated user file downloads suppressed Content-Disposition: attachment, allowing an attacker-supplied HTML file to execute in SFTPGo's web origin. These endpoints now always respond with Content-Disposition: attachment and the inline parameter has been removed. CVE-2026-49245. Neutralized CSV formula injection in the Event Manager and event-log CSV exports: cells starting with =, +, -, @, tab or CR are now prefixed with a single quote.

[1.40.0] Update koel to 9.5.0 Full Changelog Subsonic API support (Learn more) fix: silent OOM on Searchable save with TNT driver on Laravel 13 by @phanan in #2528 Full Changelog: https://github.com/koel/koel/compare/v9.4.2...v9.5.0

[1.49.0] Update code to 25.04.10.3.1

[1.16.14] Update freescout to 1.8.223 Full Changelog Disabled backward compatibility for old Message-ID format on fetching (Security: GHSA-8vm3-wwq4-ggfx) Improved open tracking hash not to conflict with SpamAssasin (#5431) Fixed signature when moving conversation between mailboxes (#5419) Fixed preg_replace_callback() error in Html2Text (#5433) Fixed prototype pollution in getQueryParam() (Security: GHSA-w5fc-8pp3-f755) Fixed fetching message sent to multiple mailboxes from own mailbox (#5434)

[4.174.0] Update ghost to 6.43.1 Full Changelog Fixed members-only 403 leaking when llms.txt is disabled (#28260) - Hannah Wolfe Added relative date filters to members and comments (#27787) - Rob Lester Added frontend admin toolbar (#28058) - John O'Nolan Fixed Mastodon social account field mangling input while typing (#28255) - Hannah Wolfe Fixed future filter date selection (#28256) - Jonatan Svennberg Fixed back navigation from post analytics member filters (#28252) - Jonatan Svennberg Fixed theme editor launch gate for allowlisted themes on limited plans (#27970) - Jannis Fedoruk-Betschki Fixed production builds using unpinned dependencies (#28240) - Steve Larson Fixed post analytics missing first-day traffic on later days (#28233) - Troy Ciesco Fixed false update state for API feature image captions (#28107) - Aileen Booker

[1.7.0] Update seaweedfs to 4.30 Full Changelog s3,iceberg: reject .. in URL path vars by @chrislusf in #9687 fix(s3tables/iceberg): make metadata spec-compliant and accept real-world manifest names by @qzhello in #9703 fix(s3): honor MetadataDirective=REPLACE for system metadata on CopyObject by @qzhello in #9721 fix(s3): allow anonymous unsigned-streaming PutObject by @chrislusf in #9727 refactor(filer): remove the inode->path index and the NFS gateway by @chrislusf in #9724 s3, iam, volume, filer, master: add /healthz and /readyz health probes by @MChorfa in #9738 fix(topology): recover heartbeat-fulled volumes once they shrink by @chrislusf in #9742 fix(volume): stop flipping volumes read-only on a non-append-ordered .idx by @chrislusf in #9726 fix(filer.sync): validate chunk size in FilerSink to prevent 0-byte propagation by @kisow in #9701 fix(shell): verify volume.merge output before overwriting replicas by @chrislusf in #9731

[0.16.0] Update rustfs to 1.0.0-beta.6 Full Changelog feat: improve degraded readiness reporting and shutdown handling by @houseme in #3089 feat(tls): add inspect command for TLS layouts by @houseme in #3092 fix: reject invalid multipart part numbers by @overtrue in #3091 fix(helm): add LoadBalancer service type support by @dcode in #3049 fix(readiness): gate on lock quorum health by @houseme in #3100 fix(ecstore): offload erasure encoding from async workers by @marshawcoco in #3099 fix(lock): retry transient distributed lock timeouts by @marshawcoco in #3101 fix(lifecycle): make transition worker resize nonblocking by @GatewayJ in #3090 fix: retry namespace lock quorum contention by @overtrue in #3098 fix(lock): isolate retry attempt lock ids by @houseme in #3102

[2.9.9] Update formbricks to 5.0.2 Full Changelog fix: resolve all pnpm audit vulnerabilities by @mattinannt in #8192 fix: S3 internal server error for older images (backport to release/5.0) by @Dhruwang in #8196 fix: fixes ces rating question's email embed UI (backport to release/5.0) by @Dhruwang in #8181