github ulsklyc/oikos v0.5.9
v0.5.9 - Security Audit Fixes

one month ago

Security

This release addresses findings from a whitebox + blackbox security audit (2026-04-03).

Fixed (Critical)

  • Stored XSS in task titles and subtask titles - all user-provided text in tasks.js is now escaped via escHtml() before innerHTML insertion
  • Stored XSS in settings member list - display_name and username are now escaped in memberHtml()
  • Rate limiter bypass via X-Forwarded-For spoofing - trust proxy defaults to loopback; configurable via TRUST_PROXY env var

Fixed (High)

  • Google OAuth CSRF - cryptographic state parameter added and validated on callback
  • CSV injection in budget export - formula-starting fields are now prefixed with apostrophe
  • Missing session invalidation on user deletion - all active sessions of deleted users are destroyed
  • Username validation - restricted to [a-zA-Z0-9._-], minimum 3 characters
  • Calendar sync endpoints - POST /google/sync and POST /apple/sync now require admin role
  • Apple CalDAV credentials - warning logged when stored without DB encryption
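
The CSV injection fix above, worked through as an added example (this is illustrative code, not the Oikos project's own export routine). It assumes the characters a spreadsheet treats as formula triggers are `=`, `+`, `-`, `@`, tab and carriage return, and it pairs the apostrophe prefix with RFC 4180 quoting so the neutralised field also survives commas and embedded quotes.

```javascript
// Added example (not Oikos code): neutralise spreadsheet formula injection in
// a CSV export, in the way the v0.5.9 notes describe for the budget export.
// Assumption: the leading characters treated as formula triggers are the set
// commonly recognised by spreadsheet applications: = + - @ plus tab and CR.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

// Prefix a field with an apostrophe when its first character would make a
// spreadsheet evaluate it as a formula; the apostrophe forces a text cell.
function neutraliseFormula(value) {
  const text = String(value);
  return text.length > 0 && FORMULA_TRIGGERS.has(text[0]) ? "'" + text : text;
}

// Quote a field per RFC 4180 when it contains a separator, quote or newline,
// doubling embedded double quotes. Applied after formula neutralisation.
function quoteField(text) {
  return /[",\r\n]/.test(text) ? '"' + text.replace(/"/g, '""') + '"' : text;
}

// Full per-cell treatment: neutralise first, then quote.
function csvField(value) {
  return quoteField(neutraliseFormula(value));
}

// Render a header row plus data rows (arrays of cell values) to CSV text.
function toCsv(header, rows) {
  return [header, ...rows]
    .map((row) => row.map(csvField).join(','))
    .join('\r\n') + '\r\n';
}

// Constructed sample data: one description starts with '=' (would be
// evaluated as a formula), one contains a comma and quotes, one amount is
// negative and so also begins with a trigger character.
const sampleHeader = ['date', 'description', 'amount'];
const sampleRows = [
  ['2026-04-01', 'Groceries', '42.10'],
  ['2026-04-02', '=SUM(1,2)', '0.00'],
  ['2026-04-03', 'Dinner, "Family" night', '85.00'],
  ['2026-04-04', 'Refund', '-5.00'],
];

// Stand-alone run: print the neutralised export.
console.log(toCsv(sampleHeader, sampleRows));
```

Note that a negative amount such as `-5.00` is also prefixed and becomes text in the spreadsheet; if numeric columns must stay numeric, restrict `neutraliseFormula` to the user-controlled text columns and format numbers server-side.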

Not Fixed (By Design)

  • IDOR / shared access - Oikos is a family planner where all members intentionally share read/write access to all data (documented in SECURITY.md since v0.5.3)
