Cloudron Forum

[4.6.9] Update PeerTube to 8.1.8 Full Changelog We have learned that the SQL injection vulnerability fixed in v8.1.6 has been exploited at scale since at least May 18, 2026 and so before the v8.1.6 release. According to our investigation, the attacker exploited this SQL injection to generate a token for the root user and install the peertube-plugin-google-analytics-js plugin. This plugin imports a client script from hxxps://www.googie-anaiytics.com/jquery.ui.js that currently only logs a line in the web browser. Automatically remove peertube-plugin-google-analytics-js in v8.1.8 Invalidate OAuth tokens in v8.1.8 (all users must log in again) Add a new user.disable_root_auth config key to disable root token usage Remove the plugin from the plugin registry Upgrade to v8.1.8 as soon as possible Review newly created users and videos Review your instance configuration, especially Configuration -> Customization -> JavaScript/CSS Review installed plugins

[1.16.12] Update freescout to 1.8.221 Full Changelog Links to attachments uploaded before the FreeScout version of 2020-03-06 will become unavailable. This is a breaking change. Improved permissions check when deleting notes (Security: GHSA-9vx8-gx3p-9mh6) Improved permissions check when editing messages (GHSA-3w38-h42v-3h6w) Fixed signature when moving conversations between mailboxes (#5419) Optimized Helper::stripDangerousTags() to avoid pcre.backtrack_limit hit (#5424) Show detailed error on uploading attachments (#5426) Deprecated links to attachments without a token (Security: GHSA-wg74-ww4w-2qpc) Updated module activation logic.

[4.9.0] Update etherpad-lite to 3.2.0 Full Changelog HTTP accept X-Forwarded-Prefix and X-Ingress-Path under trustProxy (#7802 / #7806). Admin settings resolved runtime values surface on env-pill chips (#7803 / #7807). Admin pads filter chip now applies server-side, before pagination (#7798). Pad outdated notice author now resolved from token cookie, not session (Qodo #7804 / #7805). Localisation silence spurious "could not translate element content" warning (#7797). CI swap archived ep_readonly_guest for ep_guest in the plugin matrix (#7795 / #7808). Tests admin saveSettings round-trip + cross-restart persistence (#7819 / #7820 / #7821). Bug report template now asks contributors whether the abstraction in their proposed fix matches the rest of the codebase, to head off premature-generalisation fixes earlier in review. ueberdb2 6.0.3 6.1.2 (two patch releases of cleanup on top of the 6.1.0 findKeysPaged API that the 3.1.0 sessionstorage OOM fix relies on). Multiple updates from translatewiki.net.

[2.37.12] Update bedrock to 1.26.23.1

[3.12.5] Update metabase to 0.61.2.6 Full Changelog

[1.37.11] Update uv to 0.11.16

[4.24.0] Update n8n to 2.21.7 Full Changelog core: Acquire expression isolate for scheduled polls (#30742) (6167d4a) core: Validate non-empty prompts in AI vendor nodes before API calls (#30820) (15d0dbb) core: Preserve nested arrays in VM expression engine output (#30333) (f5698a1) core: Introduce native Python code tool for AI agent (#22595) (763b858) core: Add new Chat hub feature for chatting with LLMs and your n8n agent workflows (#23035) (fa1c87f) Google Gemini Node: Introduce built-in Gemini tools (#22454) (f830447) Jira Node: Add OAuth2 (3LO) support (#29414) (4d5bafc) Schedule Node: Fix hourly intervals that don't divide evenly into 24h (#29778) (1a22c76) Figma Trigger Node: Add OAuth2 authentication support (#30079) (e3e70d6) Snowflake Node: Fix issue with Insert and Update operations not working (#29339) (4c369e8)

[2.7.25] Update mirotalksfu to 2.2.82

[1.19.3] Update core to 2026.5.3 Full Changelog Improve iaqualink 429 handling (@flz - #170231) (iaqualink docs) Fix Apple TV keyboard focus binary_sensor missing on cold start (@kroehre - #170360) (apple_tv docs) Add tilt controls for UpDownSheerScreen in Overkiz (@dankarization - #170563) (overkiz docs) Fix ValueError when turning on blebox light with brightness set to 0 (@bkobus-bbx - #170769) (blebox docs) Populate uid and recurrence_id in CalDAV calendar events (@frenck - #170910) (caldav docs) Fix utility meter next_reset shifting forward on entity rename (@frenck - #170957) (utility_meter docs) Fix shorthand template conditions in choose blocks crashing all automations (@frenck - #171018) Fix time trigger crash when using entity_id dict format without offset (@frenck - #171006) (homeassistant docs) Fix ZHA config entries using a URI without a port (@puddly - #171164) (zha docs) Prevent Google Assistant entity sync from blocking startup (@frenck - #170991) (google_assistant docs)