🔒 Security
- Fix credential exfiltration via SSRF in config-test endpoints (GHSA-ph98-5xm3-37w3): The POST /test-seerr, /seerr/quality-profiles, /seerr/servers, and POST /jellyfin-libraries endpoints would forward the real stored API key to any URL supplied by an authenticated user. The real key is now only substituted when the submitted URL's host matches the currently configured server host. If they differ, the request is rejected with 403. Thanks to @whoopsi-daisy for the responsible disclosure.
AI-assisted documentation. Code logic manually verified.
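
The host check described in the SSRF fix above, sketched as an added example; this is not the project's own code. The function names, the `MASKED` placeholder, the sample URLs and the choice to compare port as well as hostname are assumptions.

```javascript
// Added example: names, the mask value and the sample URLs are constructed.
const MASKED = '********'; // assumed placeholder the UI sends instead of the stored key

// Normalise a URL to "hostname:port" so that letter case, default ports and
// a trusted name placed in the userinfo part cannot fake a match.
function hostKey(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return null; // unparseable input never matches
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  const hostname = u.hostname.replace(/\.$/, ''); // drop a trailing root dot
  return `${hostname}:${port}`;
}

// Decide which API key a config-test request may carry.
// Returns { status: 200, apiKey } or { status: 403 }.
function resolveTestKey(submittedUrl, submittedKey, stored) {
  // A key typed by the user is theirs to send; only the stored one is guarded.
  if (submittedKey !== MASKED) {
    return { status: 200, apiKey: submittedKey };
  }
  const want = hostKey(stored.url);
  const got = hostKey(submittedUrl);
  if (want === null || got === null || want !== got) {
    return { status: 403 }; // host differs: never attach the stored key
  }
  return { status: 200, apiKey: stored.apiKey };
}

// Constructed sample configuration and requests.
const stored = { url: 'http://seerr.lan:5055', apiKey: 'stored-key-placeholder' };
const samples = [
  'http://SEERR.lan:5055/api/v1/status',      // same host, different case
  'http://collector.example:5055/',           // different host
  'http://seerr.lan:5055@collector.example/', // configured host only in userinfo
];
for (const url of samples) {
  console.log(url, '->', resolveTestKey(url, MASKED, stored).status);
}
```

Comparing the parsed host rather than a string prefix of the URL is what makes the third sample fail: a prefix check would see `http://seerr.lan:5055` at the start and attach the stored key.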