Fixed
- CVE-2025-68954
- CVE-2025-69197
- CVE-2025-69198
- Fixes a self-XSS issue when entering random data into boxes while creating a new database host.
- Fixes missing
HttpForbiddenExceptionimport in the backup status controller. - Fixes issue where scheduled tasks would execute every minute regardless of their configured cron syntax.
- Pressing
Ctrl+Zto undo while editing a file no longer deletes the initial file content. - Fixed incorrect error message being returned when attempting to delete your own account as an admin.
- Fixes node description not being settable via the API.
- Fixes 0-bytes files returning an error when attempting to upload.
- Fixes nodes displaying the first available location even when that field was not edited and the node has a different value set.
- Fixes allocation notes not being reset when a server is deleted. (#5157)
Changed
- Minimum NodeJS version updated to 22 for building.
- Updated all JS and PHP dependencies to their latest versions (where feasible).
- The endpoint for disabling 2FA on an account using the client API changed from
DELETE /api/client/account/two-factortoPOST /api/client/account/two-factor/disable ^Cin an egg's stop configuration no longer rewrites itself into the default stop configuration.IBM Plex Sansfont is now bundled with the local assets instead of loading from Google CDNs.- Upload size on nodes is no longer restricted to a max of 1024MB, any positive integer value can be used.
- Administrators are now listed first when viewing a list of all users on the system.
- Websocket no longer endlessly polls when connection issues are encountered, or when Wings disconnects the user for a reason that should not be re-attempted.