Cloudron Forum

[2.96.0] Update searxng to 7159b8a

[1.12.9] Update dawarich to 1.7.11 Full Changelog Onboarding "Load demo data" now seeds a fully populated /map/v2 instantly: 30 days of Berlin + a Prague-weekend trip, ~80 visits with tags and places, and stats anchored to the current calendar month. "Remove demo data" wipes everything in one click while preserving anything you've confirmed, edited, or built on top of (visits, trips, places, tags adopted by user action stay). Visits can now be manually assigned to one of your saved areas. When you do, the visit takes the area's name automatically unless you've already given it a custom name, or you've also picked a place (a place name wins over an area name). Available via API now; UI to follow. #2577 Two unused indexes on the points table are dropped on upgrade; on large self-hosted instances this frees several GB of disk. Areas now validate their geometry: radius must be greater than 0, latitude must be within -9090, and longitude within -180180. Invalid values are rejected instead of silently saved. Bumped bundled gems (aws-sdk, devise, jwt, httparty, and others) to close 9 known CVEs. Self-hosters get the security fixes by upgrading. Map v2 Timeline calendar now lights up days that have raw points even before Track or Visit generation has caught up, matching the Insights Activity Overview calendar. #2579 Reverse-geocoding flood: duplicate per-point enqueues are now coalesced for 24 h via a Redis dedup key, retries are capped at 3, and the nightly sweep bypasses (and clears) the dedup so points whose retries were exhausted or whose key still lingers are picked up on the next run. Map v2 visits layer now honours the selected date range. Since 1.7.10 the viewport-bounded visits fetch silently dropped the start_at/end_at filter on the backend, so all visits inside the viewport were rendered regardless of the date filter. #2817 POST /api/v1/visits no longer links a new visit to a place owned by another user. Passing a foreign place_id is ignored the visit gets a place owned by the requester at the requested coordinates, and the response no longer echoes the other user's place id or coordinates. Map v2 settings panel: "Apply Settings" now actually saves your changes. Points rendering mode, speed-colored routes, live mode, and fog-of-war toggles all persist on click and reload. Apply/Reset buttons moved above the Transportation Mode section so they sit inside the outer form. #2680

[2.6.0] Update uptime-kuma to 2.4.0 Full Changelog #7434 feat(notification): add EgoSMS SMS provider for Uganda (Thanks @kristianinc @cursoragent) #7420 feat: Add incidents to RSS (Thanks @dj-tuxis) #7365 feat: Add VKTeams bot notification provider (Thanks @aleshasam) #7433 feat: add optional token field for gamedig monitors (Thanks @aminoacidity) #7415 feat: Adding bearer token (Thanks @aminoacidity @nyeswant) #7431 fix: Add bearer token support to WebSocket upgrade monitor (Thanks @aminoacidity @nyeswant) #7373 fix: update link to documentation about API keys (Thanks @eleanordoesntcode) #7451 fix: handling npm 11.16.0 #7351 fix: NTLM monitor over plain HTTP fails with 400 Bad Request (Thanks @karzac) (Admin only/Authenticated only) Remote Code Execution, a vulnerability from an upstream dependency (Reveal later, ping me if I forgot to reveal)

[2.89.0] Update tt-rss to d253047

[2.7.30] Update mirotalksfu to 2.2.88

[1.4.2] Update sftpgo to 2.7.3 Full Changelog Added a configurable minimum-entropy check (common.secret_min_entropy, default 80) for data-at-rest encryption secrets (CryptFs passphrase, S3 SSE-C key), to reject trivially weak key material at submission time. Logs: added the virtual path to transfer/command logs and to event-log CSV exports. WebClient: replaced glightbox with a custom lightbox implementation for better CSP compatibility. IP list: fixed matching when an IP is covered by multiple conflicting entries. Fixed comparison of unordered slices. Shares: enforce max_tokens atomically via a guarded conditional update, closing a check-then-write race that could let a usage-capped share be used more times than allowed under concurrent access. In-memory reset-code manager: check code expiry at retrieval time instead of relying only on the background cleanup. Fixed a path-confinement bypass in the public browsable-share partial ZIP download. CVE-2026-49244. Fixed a stored XSS where the inline parameter on browsable-share and authenticated user file downloads suppressed Content-Disposition: attachment, allowing an attacker-supplied HTML file to execute in SFTPGo's web origin. These endpoints now always respond with Content-Disposition: attachment and the inline parameter has been removed. CVE-2026-49245. Neutralized CSV formula injection in the Event Manager and event-log CSV exports: cells starting with =, +, -, @, tab or CR are now prefixed with a single quote.

[1.49.0] Update code to 25.04.10.3.1

[1.16.14] Update freescout to 1.8.223 Full Changelog Disabled backward compatibility for old Message-ID format on fetching (Security: GHSA-8vm3-wwq4-ggfx) Improved open tracking hash not to conflict with SpamAssasin (#5431) Fixed signature when moving conversation between mailboxes (#5419) Fixed preg_replace_callback() error in Html2Text (#5433) Fixed prototype pollution in getQueryParam() (Security: GHSA-w5fc-8pp3-f755) Fixed fetching message sent to multiple mailboxes from own mailbox (#5434)

[4.174.0] Update ghost to 6.43.1 Full Changelog Fixed members-only 403 leaking when llms.txt is disabled (#28260) - Hannah Wolfe Added relative date filters to members and comments (#27787) - Rob Lester Added frontend admin toolbar (#28058) - John O'Nolan Fixed Mastodon social account field mangling input while typing (#28255) - Hannah Wolfe Fixed future filter date selection (#28256) - Jonatan Svennberg Fixed back navigation from post analytics member filters (#28252) - Jonatan Svennberg Fixed theme editor launch gate for allowlisted themes on limited plans (#27970) - Jannis Fedoruk-Betschki Fixed production builds using unpinned dependencies (#28240) - Steve Larson Fixed post analytics missing first-day traffic on later days (#28233) - Troy Ciesco Fixed false update state for API feature image captions (#28107) - Aileen Booker

[1.7.0] Update seaweedfs to 4.30 Full Changelog s3,iceberg: reject .. in URL path vars by @chrislusf in #9687 fix(s3tables/iceberg): make metadata spec-compliant and accept real-world manifest names by @qzhello in #9703 fix(s3): honor MetadataDirective=REPLACE for system metadata on CopyObject by @qzhello in #9721 fix(s3): allow anonymous unsigned-streaming PutObject by @chrislusf in #9727 refactor(filer): remove the inode->path index and the NFS gateway by @chrislusf in #9724 s3, iam, volume, filer, master: add /healthz and /readyz health probes by @MChorfa in #9738 fix(topology): recover heartbeat-fulled volumes once they shrink by @chrislusf in #9742 fix(volume): stop flipping volumes read-only on a non-append-ordered .idx by @chrislusf in #9726 fix(filer.sync): validate chunk size in FilerSink to prevent 0-byte propagation by @kisow in #9701 fix(shell): verify volume.merge output before overwriting replicas by @chrislusf in #9731

[0.16.0] Update rustfs to 1.0.0-beta.6 Full Changelog feat: improve degraded readiness reporting and shutdown handling by @houseme in #3089 feat(tls): add inspect command for TLS layouts by @houseme in #3092 fix: reject invalid multipart part numbers by @overtrue in #3091 fix(helm): add LoadBalancer service type support by @dcode in #3049 fix(readiness): gate on lock quorum health by @houseme in #3100 fix(ecstore): offload erasure encoding from async workers by @marshawcoco in #3099 fix(lock): retry transient distributed lock timeouts by @marshawcoco in #3101 fix(lifecycle): make transition worker resize nonblocking by @GatewayJ in #3090 fix: retry namespace lock quorum contention by @overtrue in #3098 fix(lock): isolate retry attempt lock ids by @houseme in #3102

[2.9.9] Update formbricks to 5.0.2 Full Changelog fix: resolve all pnpm audit vulnerabilities by @mattinannt in #8192 fix: S3 internal server error for older images (backport to release/5.0) by @Dhruwang in #8196 fix: fixes ces rating question's email embed UI (backport to release/5.0) by @Dhruwang in #8181

[1.7.1] Update miniflux to 2.3.1 Full Changelog Fixed an OAuth account binding vulnerability that could allow users to associate arbitrary OAuth identities with their account. Fixed an open redirect vulnerability caused by backslashes in relative redirect URLs. Fixed a potential SQL injection vulnerability in dynamically generated ORDER BY clauses. Hardened metrics endpoint authentication by using constant-time credential comparisons. Fixed an issue where the stdlib cross-origin protection middleware could block legitimate requests in certain self-hosted environments. The middleware has been reverted. Added Korean language support. Improved HTML truncation performance and reduced memory allocations. Optimized feed discovery, subscription detection, date parsing, and tag filtering. Simplified and refactored several storage and query-building components for better maintainability.