github fedify-dev/hollo 0.6.5
Hollo 0.6.5

Released on July 17, 2025.

  • Fixed an HTML injection vulnerability where form elements, scripts, and other potentially dangerous HTML tags in federated posts were not properly sanitized before rendering. This could allow malicious actors to inject forms for phishing, execute JavaScript, or perform CSRF attacks. The fix implements strict HTML sanitization using an allowlist approach to ensure only safe HTML elements and attributes are rendered. [CVE-2025-53941]
