First release draining the upstream PR backlog. Drop-in for crocodilestick/calibre-web-automated:latest — same compose, swap image to ghcr.io/new-usemame/calibre-web-nextgen:v4.0.7 (or :latest), restart container.
## Backports (upstream → fork)

| Upstream | Fix | Author | Commit |
|---|---|---|---|
| #1096 → closes #1055 | Safari `POST /metadata/search` includes CSRF token (was silent 400) | @SethMilliken | 6721638 |
| #1283 → closes #1188 | User-profile `fetch()` routes through `getPath()` for reverse-proxy path prefixes | @chloeroform | a5dd59c |
| #1322 → closes #1321 | `.cbr` / `.cbz` use IANA `application/vnd.comicbook-rar` / `+zip` for OPDS | @Sycha | fc8ba00 |
| #1298 | Docker healthcheck `curl -fsL` so `/` → `/login` 302 doesn't trip Swarm/K8s/Watchtower | @rancur | 653a516 |
| #1213 | Kobo `HandleStateRequest` uses `.get("Location")`, returns `last_modified` | @hsttlrjeff | 1fd6c50 |
## Security

| Finding | Fix | Source | Commit |
|---|---|---|---|
| Kobo IDOR: `/kobo_auth/generate_auth_token` + `/deleteauthtoken` accepted arbitrary `user_id` | Reject when `current_user.id != user_id` and not admin | upstream #1303, no upstream PR | 9f50bb2 |
| 14 CWA routes unauthenticated (`cwa_logs`, `convert_library`, `epub_fixer`) | `@login_required_if_no_ano` + `@admin_required` per route | fork audit | 09bf581 |
| `cover_enforcer.py` shell injection via `os.system(f'cp "{title}" ...')` | `shutil.copy` / `shutil.rmtree` | fork audit | b70fb53 |
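The two authorization patterns behind the first two security rows, the owner-or-admin check on the Kobo token routes and the admin-only guard on CWA routes, shown as an added, stand-alone example. This is not calibre-web-nextgen code: the real app uses Flask-Login's `current_user` and its own decorators, so `User`, `Forbidden`, `outcome`, the in-memory `TOKENS` store and the `..._before_fix` view are assumptions made so the logic runs without Flask.

```python
"""Added example: route guards reproducing the Kobo IDOR fix and the
admin-required fix in plain Python (no Flask). All names are assumptions."""
from dataclasses import dataclass
from functools import wraps


class Forbidden(Exception):
    """Stands in for Flask's abort(403)."""


@dataclass(frozen=True)
class User:
    id: int
    role_admin: bool = False


def admin_required(view):
    """Route guard for admin-only CWA routes: the caller must be an administrator."""
    @wraps(view)
    def wrapper(current_user, *args, **kwargs):
        if not current_user.role_admin:
            raise Forbidden("admin role required")
        return view(current_user, *args, **kwargs)
    return wrapper


def owner_or_admin_required(view):
    """Route guard for the Kobo token routes: the user_id taken from the request
    must be the caller's own id unless the caller is an admin."""
    @wraps(view)
    def wrapper(current_user, user_id, *args, **kwargs):
        if current_user.id != user_id and not current_user.role_admin:
            raise Forbidden("cannot act on another user's token")
        return view(current_user, user_id, *args, **kwargs)
    return wrapper


TOKENS = {}  # constructed in-memory store: user_id -> auth token


def generate_auth_token_before_fix(current_user, user_id):
    """Pre-fix shape: user_id is trusted straight from the request (the IDOR)."""
    TOKENS[user_id] = f"token-for-{user_id}"
    return TOKENS[user_id]


@owner_or_admin_required
def generate_auth_token(current_user, user_id):
    TOKENS[user_id] = f"token-for-{user_id}"
    return TOKENS[user_id]


@owner_or_admin_required
def delete_auth_token(current_user, user_id):
    return TOKENS.pop(user_id, None) is not None


@admin_required
def cwa_logs(current_user):
    return "log contents"


def outcome(view, *args):
    """Run a guarded view; return its result, or 'denied' when the guard rejects."""
    try:
        return view(*args)
    except Forbidden:
        return "denied"


# Constructed users for the demonstration.
ALICE = User(id=1)
BOB = User(id=2)
ADMIN = User(id=99, role_admin=True)

if __name__ == "__main__":
    print("before fix, alice for bob:", outcome(generate_auth_token_before_fix, ALICE, BOB.id))
    print("after fix, alice for bob:", outcome(generate_auth_token, ALICE, BOB.id))
    print("after fix, alice for alice:", outcome(generate_auth_token, ALICE, ALICE.id))
    print("admin for bob:", outcome(generate_auth_token, ADMIN, BOB.id))
    print("alice reads cwa_logs:", outcome(cwa_logs, ALICE))
```

The guard compares the identity the session already established (`current_user`) against the identity named in the request; the `@login_required_if_no_ano` half of the fix is the login step that establishes that session and is left out here.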
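Why the `cover_enforcer.py` row swaps `os.system` for `shutil`, as an added example that is not the project's code: a book title is metadata a user controls, and passed through `os.system` it is parsed by the shell for quotes and separators, whereas `shutil.copy` and `shutil.rmtree` receive the path as a plain argument. The `copy_cover`, `demo` and `*_command_for` helpers, the `/tmp/covers/` destination and the constructed title are assumptions.

```python
"""Added example: copying a cover whose file name carries shell metacharacters
with shutil instead of a shell command line. Helper names are assumptions."""
import shlex
import shutil
import tempfile
from pathlib import Path


def old_command_for(title: str) -> str:
    """What the pre-fix pattern os.system(f'cp "{title}" ...') handed to the shell."""
    return f'cp "{title}" /tmp/covers/'


def quoted_command_for(title: str) -> str:
    """If a shell really were unavoidable, shlex.quote makes the title one argument."""
    return f"cp {shlex.quote(title)} /tmp/covers/"


def copy_cover(src: Path, dest_dir: Path) -> Path:
    """The fixed approach: no shell involved, the path is just a string argument."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    return Path(shutil.copy(src, dest_dir / src.name))


def demo() -> dict:
    # Constructed title: a double quote closes the old cp "...", a ';' would then
    # start a second command. Under shutil it is only a (strange) file name.
    hostile_title = 'Book"; touch marker; "'
    work = Path(tempfile.mkdtemp())
    src = work / f"{hostile_title}.jpg"
    src.write_bytes(b"\xff\xd8cover")

    out = copy_cover(src, work / "covers")
    result = {
        "copied_name": out.name,
        "content_ok": out.read_bytes() == b"\xff\xd8cover",
        "marker_created": (work / "marker").exists(),  # would only exist if a shell ran
        "old_command": old_command_for(hostile_title),
        "quoted_command": quoted_command_for(hostile_title),
    }
    shutil.rmtree(work)  # same replacement the fix uses for directory cleanup
    result["cleaned"] = not work.exists()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and compare `old_command` with `quoted_command`: the first line is two shell commands, the second is one `cp` with a single quoted argument, and `copy_cover` needs neither.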
## Upgrade

```yaml
services:
  calibre-web-automated:
    image: ghcr.io/new-usemame/calibre-web-nextgen:v4.0.7
```

Then `docker compose pull && docker compose up -d`. No data migration. Same library, settings, users, OAuth, KOReader sync.
## Credit
Backports: @SethMilliken, @chloeroform, @Sycha, @rancur, @hsttlrjeff. Upstream foundation: @crocodilestick + CWA contributors. All backported patches mergeable back if upstream review resumes.
Report regressions: https://github.com/new-usemame/Calibre-Web-NextGen/issues