Note
We've been actively working towards version 1.0, which will include many improvements to performance, security and the overall look & feel of Homarr. It will greatly overhaul the technical architecture of Homarr. This work is done by volunteers. Please consider supporting our work via donations at https://opencollective.com/homarr
🔒 Security patch v0.15.8 🔒
Caution
Please update your Homarr instance to this new version. Versions before 0.15.8 contain two vulnerabilities:
- An admin user could add arbitrary JavaScript code to other users' boards (XSS, or cross-site scripting). We implemented a fix so that the JavaScript is no longer executed.
- Any logged-in user could create a file on your filesystem (or inside your Docker container). This shouldn't be dangerous when running Docker but could lead to dangerous situations if you run Homarr bare-metal using root. At this time, full RCE doesn't seem possible, but creating files is possible.
Fix broken avatars in Jellyseerr
For some users, avatars were broken in Jellyseerr. Thanks to @TyxTang for fixing it.
Fix broken translations in the DNS hole widget
Some translations in the timer modal of the DNS hole widget did not work. Thanks to @marius-arch.