See the UPGRADE.md for all important technical changes.
- GHSA-gv8p-48fr-4fxg - Privilege Escalation via Sync API Integration Admin Flag Bypass
- GHSA-8v9p-g828-v98f - Admin Account Takeover via User Recovery Hash Exposure
- GHSA-7w52-7jvm-m9vw - Timing-attack on admin panel allowing enumeration of administrator usernames
- GHSA-v39m-97p8-gqg7 - Privilege escalation: non-admin user with user:create ACL can create admin accounts
- GHSA-f8q6-3g5w-jjr6 - Admin API ACL Bypass in Order State Transition Endpoints
- GHSA-9v5m-39wh-5chq - Unauthorized Payment Trigger for Foreign Orders via /store-api/handle-payment
- GHSA-xvhc-gm7j-mhmc - Stored XSS via SVG file upload - no SVG sanitization