Security fixes
- Improper Access Control for Organization Owners Exposes System Secrets CVE-2026-50165 reported by @wodzen
- Arbitrary File Read and Exfil via simpleHttpClient Extension Script CVE-2026-41412 reported by @Et43
- Authenticated RCE via Extension Script Sandbox Escape CVE-2026-35482 reported by @Et43
What's Changed
- Custom Offline Payments by @shanebrowncs in #1433
- add robots.txt by @syjer in #1478
- revert use of jackson module, use explicit annotation, as we have found some issues #1482 by @syjer in #1489
- don't trigger the session handler for the admin static content by @syjer in #1484
- remove unused queries from repository and manager/service by @syjer in #1485
- fix: keep session (and authentication) on PayPal callback by @cbellone in #1495
- Display additional info at check in by @cbellone in #1434
- add flag to consider only calendar days when calculating a payment expiration date by @cbellone in #1499
- Attendee (reservation) import API by @cbellone in #1498
- Fix/turnstile script id and token logging by @KolossvonRhodos in #1509
- Add sponsors section to README by @ALinares3 in #1510
- Fix typo in README for IntelliJ by @javiiicp in #1507
- switch to pnpm for frontend by @syjer in #1516
- add browserlist so e2e test continue to work with safari as configured by @syjer in #1517
- Bug: PUT /api/v2/public/event ticket update fails with 422 when additional fields contain null values #1513 - reported by @JanSch92
New Contributors
- @KolossvonRhodos made their first contribution in #1509
- @ALinares3 made their first contribution in #1510
- @javiiicp made their first contribution in #1507
- @wodzen
- @Et43
- @JanSch92
Full Changelog: 2.0-M5-2509-1...2.0-M5-2606