Fixed
Copy key button in the API key reveal dialog now writes the plaintext key to the clipboard on HTTP installs; the textarea fallback was silently running over an empty selection while the toast claimed success. (#647)
Security
starlette bumped to 1.3.1, clearing the pip-audit and Trivy advisories on its request parsing (CVE-2026-48817, CVE-2026-48818, CVE-2026-54283) that underlies every FastAPI route in Houndarr. (#658)
python-multipart bumped to 0.0.32, clearing CVE-2026-53538, CVE-2026-53539, and CVE-2026-53540 in the form and multipart parser behind the login, setup, and instance-settings posts. (#658)
cryptography bumped to 49.0.0, clearing GHSA-537c-gmf6-5ccf, a vulnerable OpenSSL build bundled in the wheels; Houndarr links it only through Fernet encryption of stored *arr API keys. (#658)