Cloudron Forum

[4.6.9] Update PeerTube to 8.1.8 Full Changelog We have learned that the SQL injection vulnerability fixed in v8.1.6 has been exploited at scale since at least May 18, 2026 and so before the v8.1.6 release. According to our investigation, the attacker exploited this SQL injection to generate a token for the root user and install the peertube-plugin-google-analytics-js plugin. This plugin imports a client script from hxxps://www.googie-anaiytics.com/jquery.ui.js that currently only logs a line in the web browser. Automatically remove peertube-plugin-google-analytics-js in v8.1.8 Invalidate OAuth tokens in v8.1.8 (all users must log in again) Add a new user.disable_root_auth config key to disable root token usage Remove the plugin from the plugin registry Upgrade to v8.1.8 as soon as possible Review newly created users and videos Review your instance configuration, especially Configuration -> Customization -> JavaScript/CSS Review installed plugins

[4.9.0] Update etherpad-lite to 3.2.0 Full Changelog HTTP accept X-Forwarded-Prefix and X-Ingress-Path under trustProxy (#7802 / #7806). Admin settings resolved runtime values surface on env-pill chips (#7803 / #7807). Admin pads filter chip now applies server-side, before pagination (#7798). Pad outdated notice author now resolved from token cookie, not session (Qodo #7804 / #7805). Localisation silence spurious "could not translate element content" warning (#7797). CI swap archived ep_readonly_guest for ep_guest in the plugin matrix (#7795 / #7808). Tests admin saveSettings round-trip + cross-restart persistence (#7819 / #7820 / #7821). Bug report template now asks contributors whether the abstraction in their proposed fix matches the rest of the codebase, to head off premature-generalisation fixes earlier in review. ueberdb2 6.0.3 6.1.2 (two patch releases of cleanup on top of the 6.1.0 findKeysPaged API that the 3.1.0 sessionstorage OOM fix relies on). Multiple updates from translatewiki.net.

[2.37.12] Update bedrock to 1.26.23.1

[3.12.5] Update metabase to 0.61.2.6 Full Changelog

[1.37.11] Update uv to 0.11.16

[4.24.0] Update n8n to 2.21.7 Full Changelog core: Acquire expression isolate for scheduled polls (#30742) (6167d4a) core: Validate non-empty prompts in AI vendor nodes before API calls (#30820) (15d0dbb) core: Preserve nested arrays in VM expression engine output (#30333) (f5698a1) core: Introduce native Python code tool for AI agent (#22595) (763b858) core: Add new Chat hub feature for chatting with LLMs and your n8n agent workflows (#23035) (fa1c87f) Google Gemini Node: Introduce built-in Gemini tools (#22454) (f830447) Jira Node: Add OAuth2 (3LO) support (#29414) (4d5bafc) Schedule Node: Fix hourly intervals that don't divide evenly into 24h (#29778) (1a22c76) Figma Trigger Node: Add OAuth2 authentication support (#30079) (e3e70d6) Snowflake Node: Fix issue with Insert and Update operations not working (#29339) (4c369e8)

[1.28.1] Update mattermost to 11.7.1 Full Changelog