Fixes
- Prevented imports from corrupting published `layoutOnLoadActions`. (#41737)
- Prevented automatic semicolon insertion (ASI) in `wrapCode` from causing refactoring failures. (#41727)
- Removed an extra `nfs` field from the `persistentVolume` object. (#41724)
- Updated BetterBugs recording links to use the new package URLs. (#41667)
- Replaced PAT with `GITHUB_TOKEN` in the `cleanup-dp` workflow. (#41699)
- Fixed styling issues with scrollbar select widgets. (#41656)
- Prevented a super user creation race condition. (GHSA-9wcp-79g5-5c3c) (#41681)
- Blocked SSRF via `send-test-email` SMTP host validation. (GHSA-vvxf-f8q9-86gh) (#41666)
- Fixed critical CVE-2025-70952. (#41673)
- Upgraded `handlebars` to `4.7.9` to resolve CVE-2026-33937. (#41672)
- Mitigated CVE-2026-22732, where Spring Security HTTP headers were not being written. (#41669)
- Fixed an issue where datasource queries did not fail when the `createdAt` field was missing. (#41665)
- Normalized user emails on save to remove invisible Unicode characters. (#41664)
- Enforced ACL permission checks in OAuth2 callback datasource lookup. (GHSA-rg2x-4v4h-g78w) (#41640)
- Validated the filter temp table name before `DROP TABLE`. (#41642)
- Prevented AQL injection in the ArangoDB plugin caused by unsafe string concatenation. (#41641)
- Expanded the metadata denylist to strengthen SSRF protection. (GHSA-9m89-5jw7-q5cr) (#41643)
- Hardened admin environment value escaping. (#41637)
- Sanitized URLs in ManualUpgrades to prevent reflected XSS. (#41636)
- Enforced edit permissions for application snapshot deletion. (GHSA-g2hc-wmw2-32jr) (#41624)