Cloudron Forum

[1.6.13] Update v2 to 2.2.19 Full Changelog Remove sensitive values (CSRF tokens, OAuth state, session cookies) from log messages. Verify OIDC ID token signatures and claims. Prevent OAuth identity overwrite when already linked. Clear PKCE verifier and CSRF state after use. Validate HTTP status from Google userinfo endpoint. Use HMAC-SHA256 instead of SHA1 for Google Reader API authentication. Use constant-time comparison for token validation. Fix potential DoS when truncating large untrusted input in templates. Reject oversized favicons.

[0.5.0] Update contacts to 0.5.0 Remove app internal app passwords in favor of built-in Cloudron ones Improve phone number search Various UI fixes Update dependencies

[3.10.2] Update Stirling-PDF to 2.9.2 Full Changelog hotfix for folder scanning issues

[1.13.2] Update dolibarr to 23.0.2 Full Changelog FIX: #​37412 Better fix FIX: #​37461 #​37511 Accountancy - Bank journal - Problem of cache (#​37603) FIX: #​37482 FIX: #​37551 Accounting - Use better rights on create / export entry (#​37555) FIX: #​37707 FIX: #​37707 Can pay supplier invoices with the same parent company FIX: Accountancy - Need more information about mandatory step in various journal (#​37573) FIX: - Added user filtering for displaying leave in the calendar (#​37385) FIX: Add http code 503 on deadlock FIX: API Warehouse : Error 401 when getting warehouse by id (backport from 22)

[1.28.1] Update navidrome to 0.61.1 Full Changelog This patch release addresses a WebP performance regression on low-power hardware introduced in v0.61.0, adds a new EnableWebPEncoding config option and a configurable UI cover art size, and includes several Subsonic API and translation fixes. | New | EnableWebPEncoding | Opt-in to WebP encoding for resized artwork. When false (default), Navidrome uses JPEG/PNG (preserving the original source format), avoiding the WebP WASM encoder overhead that caused slow image processing on low-power hardware in v0.61.0. Set to true to re-enable WebP output. Replaces the internal DevJpegCoverArt flag. (#​5286) | false | | New | UICoverArtSize | Size (in pixels, 2001200) of cover art requested by the web UI. It was increased from 300px to 600px in 0.61.0; now configurable and defaulting to 300px to reduce image encoding load on low-power hardware. Users on capable hardware can raise it for sharper thumbnails. (#​5286) | 300 | | Changed | DevArtworkMaxRequests | Default lowered from max(4, NumCPU) to max(2, NumCPU/2) to reduce load on low-power hardware. (#​5286). (Note: this is an internal configuration and can be removed in future releases) | max(2, NumCPU/2) | | Removed | DevJpegCoverArt | Replaced by the user-facing EnableWebPEncoding option. (#​5286) | |

[1.17.8] Update kanboard to 1.2.52 Full Changelog fix: revoke public tokens for inactive users fix: use timing-safe comparison for token validation fix: validate task ownership before applying property changes fix: enforce visibility controls for public and unprivileged access fix: use parameterized queries in task finder and iCal

[1.8.1] Update ollama to 0.20.2 Full Changelog app: default app home view to new chat instead of launch by @​jmorganca in #​15312 bench: add prompt calibration, context size flag, and NumCtx reporting by @​dhiltgen in #​15158 model/parsers: fix gemma4 arg parsing when quoted strings contain " by @​drifkin in #​15254 ggml: skip cublasGemmBatchedEx during graph reservation by @​jessegross in #​15301 gemma4: enable flash attention by @​dhiltgen in #​15296 ggml: fix ROCm build for cublasGemmBatchedEx reserve wrapper by @​jessegross in #​15305 model/parsers: rework gemma4 tool call handling by @​drifkin in #​15306

[2.6.28] Update mirotalksfu to 2.1.84

[4.161.0] Update ghost to 6.26.0 Full Changelog Restored Renovate automerge rebasing - Hannah Wolfe Added slug to members tier filter search - Rob Lester

[1.29.7] Update changedetection.io to 0.54.8 Full Changelog CVE-2026-35490 - Authentication Bypass via Decorator Ordering Extendable theme pluggy implementation by @​dgtlmoon in #​4011

[1.12.4] Update recipes to 2.6.4 Full Changelog added Household setup page and default creation to welcome stepper added django migration records to admin fixed food shopping sub endpoint not validating amount and unit inputs https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-8w8h-3pv2-3554 fixed a shared user could make changes to a book trough the API https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-xvmf-cfrq-4j8f fixed style tags allowed in rendered markdown could lead to CSS injection in third party clients that did not properly clean the output on the frontend https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-9hhh-g2fc-r8x2 fixed recipe batch update endpoint could be used to update private recipes of other space members if the ID was known https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-v8x3-w674-55p5 fixed performance issues on some admin views fixed admins can accidentally lock themselves out of their space fixed category order jumping in shopping list when checking and not having any supermarket selected #​4446 fixed selecting no supermarket in shopping not working

[1.16.3] Update freescout to 1.8.212 Full Changelog Take limit_user_customer_visibility parameter into account when merging customers (Security) Check if conversation IDs match when marking thread as read (Security) Fixed fetching emails with deeply nested HTML (#​5304) Fixed "Passing null to parameter" error in Html2Text (#​5306) Fixed "Incomplete object" error on Status page (#​5307)

[1.9.2] Update 2FAuth to 6.1.3 Full Changelog issue #​533 Try my luck feature is currently grayed out Some minor UI glitches