Cloudron Forum

[1.30.1] Update changedetection.io to 0.55.3 Full Changelog

[1.13.6] Update wiki to 2.5.313 Full Changelog 188d36e - prevent user assignment to elevated groups (commit by @NGPixel) 34cd445 - users + groups permissions assign logic + text hints (commit by @NGPixel)

[1.21.3] Update Wallos to 4.8.4 Full Changelog improve date formatting with IntlDateFormatter fallback (b2c565f) (#1048) (8d43623) missing year for subscription next payment display (ca5823d) (8d43623)

[3.12.1] Update firefly-iii to 6.6.2 Full Changelog MR 12179 (implement password validation JS script) reported by @tasnim0tantawi MR 12182 (fix shrinked sidebar expanding when navigating by clicking on icons) reported by @tasnim0tantawi Issue 12169 (The 'Running balance' column is not showing the respective calculation instantly for new records that use 'Rules') reported by @jgmm81 Issue 12186 (Set a year validator accepted by the system when saving or editing a transaction) reported by @jgmm81 Fixed an issue where oAuth tokens could be generated before you confirmed your 2FA state. This would allow access to your data when your password was stolen, despite you having MFA enabled.

[1.56.0] Update LimeSurvey to 6.17.0+260421

[2.11.3] Update prometheus to 3.11.3 Full Changelog [SECURITY] AzureAD remote write: Fix OAuth client_secret being exposed in plaintext via /-/config endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 #18590 [SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 #18584 [SECURITY] UI: Fix stored XSS via unescaped le label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 #18588

[1.17.11] Update loomio to 3.0.22 Full Changelog STV (Single Transferable Vote) poll type beta. Anonymous by default, results hidden until the poll closes. The form shows a warning asking users to report bugs and feedback on GitHub. Cloudflare Turnstile challenge on password sign-in, login-token requests, signup, and trial creation. Admin login-link sign-in bypasses the challenge; sign-in with a login code also bypasses it. Fixed SQL injection in HasTimeframe via timeframe_for. Blocked SSRF in the link preview service; link previews now require auth and are throttled to 20/hour per user. Direct upload size limit (25 MB trial, 1 GB paid); blocked dangerous uploads. Bumped vue-i18n to 9.14.5 (XSS + prototype pollution). Refresh a user's groups after joining or being added to a group. Return a token error on session failure when a login token is pending; translate sessions errors server-side; surface server errors on login code entry. Fix demo poll cloning (missing opening_at/opened_at). Translation fixes: needs_a_rethink_meaning, "vote in" "vote on", German typo in discard.

[1.15.3] Update pocketbase to 0.37.4 Full Changelog Added backups list scroll container (#7655). Optimized record upsert and preview modals data loading to minimize layout jumps. Fixed SMTP IPv6 network address format (#7659). Fixed autocomplete selection not properly updating the underlying input value (#7664). Added ghupdate.BaseURL config option (#7665). Added dummy bcrypt password check for the failure auth path to minimize enumeration timing attacks when registrations are disabled. Adjusted Bitbucket, GitHub, GitLab and Gitea/Forgejo OAuth2 providers to better reflect recent API updates and doc references. Fixed a pre-hijacking OAuth2 linking vulnerability (#7662; thanks @Alardiians for reporting it privately). Bumped Go and npm dependencies.

[3.11.0] Update Stirling-PDF to 2.10.0 Full Changelog Users can now set a default startup view and reader zoom preferences for desktop new pixel compare mode in PDF Compare tool to compare formatting and other changes Improved memory efficiency of API calls Improved thumbnail speed and rendering and fixed thumbnail bugs Support AppImage files for desktop release (This is new so please report any bugs you have!) Support RPM Builds for desktop release (This is new so please report any bugs you have!) Support Homebrew, AUR, Scoop and winget for desktop release! More to come soon, as well as for server releases File sharing bugs for SSO users Thumbnail rendering issues Encrypted PDF modal not working

[0.5.0] Update seaweedfs to 4.22 Full Changelog fix(shell): volume.fsck keeps going past a single broken chunk manifest by @chrislusf in #9140 feat(shell): fs.mergeVolumes deletes source needles after filer update by @chrislusf in #9160 feat(security): hot-reload HTTPS certs without restart (k8s cert-manager) by @chrislusf in #9181 fix(master): register EC shards per physical disk on full heartbeat sync (#9212) by @chrislusf in #9219 feat(iam): allow caller-supplied AccessKeyId and SecretAccessKey in CreateAccessKey by @JonNesvold in #9172 fix(s3api): correct SSE-S3 decryption key handling in multipart uploads by @os-pradipbabar in #9211 fix(s3api): stream multipart-SSE chunks lazily to avoid truncated GETs (#8908) by @chrislusf in #9228 feat(credential/postgres): inline policies, mTLS and pgbouncer connection support by @JonNesvold in #9226 fix(nfs): make Linux mount -t nfs work without client workaround (#9199) by @chrislusf in #9201 fix(mount): sanitize non-UTF-8 filenames; keep marshal errors per-request by @chrislusf in #9207

[0.11.0] Update rustfs to 1.0.0-alpha.99 Full Changelog fix(admin): enforce owner check for service account update by @GatewayJ in #2646 feat(obs): support OTLP headers and timeout overrides for HTTP exporters by @houseme in #2661 fix(admin): harden health readiness and add health response controls by @houseme in #2662 fix(console): block disabled health probes from SPA fallback by @overtrue in #2665 fix(oidc): add federated logout flow by @cxymds in #2667 feat(policy): implement BinaryEquals condition evaluation by @RamakrishnaChilaka in #2626 feat(rustfs): gate audit/notify by global env switches by @houseme in #2669 fix(metrics): keep S3 op counts when chains are disabled by @overtrue in #2675 feat(trusted-proxies): add switchable simple and legacy modes by @houseme in #2674 feat(ecstore): enforce local disk topology guardrails and expose device ids by @houseme in #2679

[1.51.3] Update paperless-ngx to 2.20.15 Full Changelog Fix: use only allauth login/logout endpoints @shamoon (#12639) Fix: correctly scope mail account enumeration @shamoon (#12636) Fix: prevent intermediate change event when CustomFieldQueryAtom operator changes type @ggouzi (#12597) Fix: reject invalid requests to API notes endpoint @ggouzi (#12582)