This release fixes two security issues. We recommend upgrading as soon as possible.
Security Fixes
- CVE-2020-26286: Arbitrary file upload
An unauthenticated attacker can upload arbitrary files to the upload storage backend.
- CVE-2020-26287: Stored XSS in mermaid diagrams
An attacker can inject arbitrary script tags in HedgeDoc notes using mermaid diagrams.