Security
- Fixed an OAuth account binding vulnerability that could allow users to associate arbitrary OAuth identities with their account.
- Fixed an open redirect vulnerability caused by backslashes in relative redirect URLs.
- Fixed a potential SQL injection vulnerability in dynamically generated
ORDER BYclauses. - Hardened metrics endpoint authentication by using constant-time credential comparisons.
Bug Fixes
- Fixed an issue where the stdlib cross-origin protection middleware could block legitimate requests in certain self-hosted environments. The middleware has been reverted.
Improvements
- Added Korean language support.
- Improved HTML truncation performance and reduced memory allocations.
- Optimized feed discovery, subscription detection, date parsing, and tag filtering.
- Simplified and refactored several storage and query-building components for better maintainability.
Dependencies
Updated several dependencies, including:
github.com/go-webauthn/webauthn0.17.4golang.org/x/crypto0.52.0golang.org/x/image0.41.0golang.org/x/net0.55.0
As always, thank you to all contributors who helped improve Miniflux in this release.