Release Notes - v0.9.3-alpha
A security patch that updates the bundled FFmpeg and changes where Speakr sources it.
Security
- Patches CVE-2026-8461 ("PixelSmash"). Speakr runs ffprobe and ffmpeg on uploaded media for codec detection, conversion, and audio extraction. The FFmpeg that earlier images bundled (johnvansickle static 7.0.2) contained a heap out-of-bounds write in the MagicYUV decoder that a crafted media file could use to crash the worker or, in some cases, achieve remote code execution. The flaw is fixed in FFmpeg 8.1.2. Because the johnvansickle static builds have been frozen at 7.0.2 since 2024, the Docker image now sources FFmpeg from the actively maintained BtbN/FFmpeg-Builds project, pinned to the 8.1 release branch (currently 8.1.2). Multi-user instances that accept uploads from untrusted users were the most exposed.
Compatibility
No configuration or data changes. Upgrade by pulling the new image with docker compose pull && docker compose up -d. This upgrade is recommended for all deployments, and especially for any instance that accepts uploads from users you do not fully trust.
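
To confirm after the upgrade that the running container reports a fixed FFmpeg, the following added example (not part of Speakr) classifies the first line of ffmpeg -version output against the 8.1.2 fix version stated above. The sample banners are constructed, and the script name and <service> are placeholders for your own file name and compose service.

```shell
#!/bin/sh
# Added example (not part of Speakr): classify an `ffmpeg -version` banner
# against the fixed release named in these notes.
FIXED_VERSION="8.1.2"

# Constructed sample banners (first line of `ffmpeg -version` output).
SAMPLE_OLD="ffmpeg version 7.0.2-static https://johnvansickle.com/ffmpeg/  Copyright (c) 2000-2024 the FFmpeg developers"
SAMPLE_NEW="ffmpeg version n8.1.2-4-g0123456789-20260101 Copyright (c) 2000-2026 the FFmpeg developers"
SAMPLE_GIT="ffmpeg version N-123456-g0123456789-20260101 Copyright (c) 2000-2026 the FFmpeg developers"

# Print the dotted release number from the banner's first line, or nothing
# when the build carries no release number (e.g. a master snapshot "N-...").
ffmpeg_release() {
    printf '%s\n' "$1" |
        sed -n '1s/^ff[a-z]* version n\{0,1\}\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p'
}

# Succeed when dotted version $1 >= $2 (missing components count as 0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print "patched", "vulnerable" or "unknown" for one banner. Compares version
# numbers only, so a build with a backported fix would be reported vulnerable.
classify_ffmpeg() {
    rel=$(ffmpeg_release "$1")
    if [ -z "$rel" ]; then echo unknown
    elif version_ge "$rel" "$FIXED_VERSION"; then echo patched
    else echo vulnerable
    fi
}

if [ "${1:-}" = "--stdin" ]; then
    # Live check; <service> is a placeholder for your compose service name:
    #   docker compose exec -T <service> ffmpeg -version | sh check_ffmpeg.sh --stdin
    result=$(classify_ffmpeg "$(cat)")
    echo "$result"
    [ "$result" = patched ] || exit 1
else
    for b in "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_GIT"; do
        echo "$(classify_ffmpeg "$b"): $b"
    done
fi
```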