Cloudron Forum

[1.56.0] Update LimeSurvey to 6.17.0+260421

[2.11.3] Update prometheus to 3.11.3 Full Changelog [SECURITY] AzureAD remote write: Fix OAuth client_secret being exposed in plaintext via /-/config endpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 #18590 [SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 #18584 [SECURITY] UI: Fix stored XSS via unescaped le label values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 #18588

[1.17.11] Update loomio to 3.0.22 Full Changelog STV (Single Transferable Vote) poll type beta. Anonymous by default, results hidden until the poll closes. The form shows a warning asking users to report bugs and feedback on GitHub. Cloudflare Turnstile challenge on password sign-in, login-token requests, signup, and trial creation. Admin login-link sign-in bypasses the challenge; sign-in with a login code also bypasses it. Fixed SQL injection in HasTimeframe via timeframe_for. Blocked SSRF in the link preview service; link previews now require auth and are throttled to 20/hour per user. Direct upload size limit (25 MB trial, 1 GB paid); blocked dangerous uploads. Bumped vue-i18n to 9.14.5 (XSS + prototype pollution). Refresh a user's groups after joining or being added to a group. Return a token error on session failure when a login token is pending; translate sessions errors server-side; surface server errors on login code entry. Fix demo poll cloning (missing opening_at/opened_at). Translation fixes: needs_a_rethink_meaning, "vote in" "vote on", German typo in discard.

[1.15.3] Update pocketbase to 0.37.4 Full Changelog Added backups list scroll container (#7655). Optimized record upsert and preview modals data loading to minimize layout jumps. Fixed SMTP IPv6 network address format (#7659). Fixed autocomplete selection not properly updating the underlying input value (#7664). Added ghupdate.BaseURL config option (#7665). Added dummy bcrypt password check for the failure auth path to minimize enumeration timing attacks when registrations are disabled. Adjusted Bitbucket, GitHub, GitLab and Gitea/Forgejo OAuth2 providers to better reflect recent API updates and doc references. Fixed a pre-hijacking OAuth2 linking vulnerability (#7662; thanks @Alardiians for reporting it privately). Bumped Go and npm dependencies.

[3.11.0] Update Stirling-PDF to 2.10.0 Full Changelog Users can now set a default startup view and reader zoom preferences for desktop new pixel compare mode in PDF Compare tool to compare formatting and other changes Improved memory efficiency of API calls Improved thumbnail speed and rendering and fixed thumbnail bugs Support AppImage files for desktop release (This is new so please report any bugs you have!) Support RPM Builds for desktop release (This is new so please report any bugs you have!) Support Homebrew, AUR, Scoop and winget for desktop release! More to come soon, as well as for server releases File sharing bugs for SSO users Thumbnail rendering issues Encrypted PDF modal not working

[0.5.0] Update seaweedfs to 4.22 Full Changelog fix(shell): volume.fsck keeps going past a single broken chunk manifest by @chrislusf in #9140 feat(shell): fs.mergeVolumes deletes source needles after filer update by @chrislusf in #9160 feat(security): hot-reload HTTPS certs without restart (k8s cert-manager) by @chrislusf in #9181 fix(master): register EC shards per physical disk on full heartbeat sync (#9212) by @chrislusf in #9219 feat(iam): allow caller-supplied AccessKeyId and SecretAccessKey in CreateAccessKey by @JonNesvold in #9172 fix(s3api): correct SSE-S3 decryption key handling in multipart uploads by @os-pradipbabar in #9211 fix(s3api): stream multipart-SSE chunks lazily to avoid truncated GETs (#8908) by @chrislusf in #9228 feat(credential/postgres): inline policies, mTLS and pgbouncer connection support by @JonNesvold in #9226 fix(nfs): make Linux mount -t nfs work without client workaround (#9199) by @chrislusf in #9201 fix(mount): sanitize non-UTF-8 filenames; keep marshal errors per-request by @chrislusf in #9207

[0.11.0] Update rustfs to 1.0.0-alpha.99 Full Changelog fix(admin): enforce owner check for service account update by @GatewayJ in #2646 feat(obs): support OTLP headers and timeout overrides for HTTP exporters by @houseme in #2661 fix(admin): harden health readiness and add health response controls by @houseme in #2662 fix(console): block disabled health probes from SPA fallback by @overtrue in #2665 fix(oidc): add federated logout flow by @cxymds in #2667 feat(policy): implement BinaryEquals condition evaluation by @RamakrishnaChilaka in #2626 feat(rustfs): gate audit/notify by global env switches by @houseme in #2669 fix(metrics): keep S3 op counts when chains are disabled by @overtrue in #2675 feat(trusted-proxies): add switchable simple and legacy modes by @houseme in #2674 feat(ecstore): enforce local disk topology guardrails and expose device ids by @houseme in #2679

[1.51.3] Update paperless-ngx to 2.20.15 Full Changelog Fix: use only allauth login/logout endpoints @shamoon (#12639) Fix: correctly scope mail account enumeration @shamoon (#12636) Fix: prevent intermediate change event when CustomFieldQueryAtom operator changes type @ggouzi (#12597) Fix: reject invalid requests to API notes endpoint @ggouzi (#12582)

[1.16.9] Update freescout to 1.8.218 Full Changelog Added indexes to several tables (#5328) Fixed decoding ISO-2022-JP emails (#5356) Require DB Password and check PHP Path direcotory in tools.php (Security: GHSA-jx2w-fhmw-rg39) Patched PHPUnit (Security: GHSA-qrr6-mg7r-m243) Fixed Helper::linkify() for emails (#5362) Do not allow to merge convesation with itself. Fixed linking messages into conversations (#5372) Fixed fetching emails into multiple mailboxes (#5368) Do not log "Untrusted host" error (#5361) Allow to use CIDR in APP_REMOTE_HOST_WHITE_LIST (#5363)

[1.41.0] Update languagetool to ca899d9

[2.90.0] Update searxng to a7ac696

[1.18.4] Update core to 2026.4.4 Full Changelog Fixed Kodi Media Browsing (@albaintor - #165819) (kodi docs) Fix Victron BLE false reauth on unrecognised advertisement mode bytes (@rajlaud - #168209) (victron_ble docs) Fix case-sensitive MIME type check in Google Generative AI TTS (@MohamedBarrak3 - #168458) (google_generative_ai_conversation docs) Fix MQTT JSON light restoring None color_mode on startup (@noerstad - #168608) (mqtt docs) Add Roborock fan speed validation and error handling (@allenporter - #168623) (roborock docs) Correct state/device class for water in gardena (@elupus - #168637) (gardena_bluetooth docs) Cancel and await idle_start future if the task was canceled after an IMAP connection was lost (@jbouwh - #168662) (imap docs) Validate local_only user property during ws auth phase (@edenhaus - #168812) (http docs) (websocket_api docs) Slow down Tractive API polling to avoid 429 too many requests (@bieniu - #169057) (tractive docs) Validate local_only user for signed requests (@edenhaus - #169066) (http docs)