🔒 Security
Fixes a cross-tenant media metadata disclosure in the Curator picker search. In multitenant panels, an authenticated user could retrieve other tenants' media metadata by typing in the picker search box. Single-tenant installs are not affected.
- Severity: Medium (CVSS 5.0 —
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N) - CWE: CWE-284 (Improper Access Control)
Upgrade recommended for any multitenant deployment. Also fixed in 3.7.8 and 4.1.1. A GitHub Security Advisory and CVE will be linked here once published.
What's Changed
- Test against Laravel 12 and 13 in CI by @awcodes in #712
- Fix uppercase file extensions not rendering thumbnails by @awcodes in #711
- Gate bulk upload behind the create policy by @awcodes in #713
Full Changelog: v5.1.0...v5.1.1