Skip to content

AdGuardHome

v0.107.77 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 1d Privacy & Ad-blocking
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 1 known CVE

Topics

adblock adguard dns dns-over-https dns-over-quic dns-over-tls
+3 more
dnscrypt go privacy

Affected surfaces

auth rce_ssrf

ReleasePort's take

Moderate signal
editorial:auto 1d

GLiNET mode's authorization is now protected against path traversal attacks.

Why it matters: CVE-2026-41448, a high‑severity vulnerability (CVSS 9.8), is resolved in v0.107.77; upgrade immediately if using GLiNET mode.

Summary

AI summary

Authorization in GLiNET mode fixed CVE-2026-41448 path traversal vulnerability.

Changes in this release

Security Critical

Authorization in GLiNET mode no longer vulnerable to path traversal attacks.

Authorization in GLiNET mode no longer vulnerable to path traversal attacks.

Source: llm_adapter@2026-06-02

Confidence: high
Feature Low

Adds `reason` query parameter to GET /control/querylog endpoint.

Adds `reason` query parameter to GET /control/querylog endpoint.

Source: llm_adapter@2026-06-02

Confidence: high
Deprecation Low

Deprecates `response_status` query parameter in GET /control/querylog.

Deprecates `response_status` query parameter in GET /control/querylog.

Source: llm_adapter@2026-06-02

Confidence: high
Full changelog

The quality of a product is not defined solely by code or developers’ technical prowess. A strong community—or the lack of one—can often make or break how successful a piece of software will be. We are very lucky to have such a devoted and passionate community around AdGuard Home. This update has once again demonstrated this, as we were able to quickly address a vulnerability reported by one of our community members.

Acknowledgments

A special thanks to @djnnvx for reporting the vulnerability, our community moderators team and to everyone who filed and inspected issues, added translations, and helped us test this release!

Full changelog

See also the v0.107.77 GitHub milestone.

Security

  • Authorization in GLiNET mode is no longer vulnerable to path traversal attacks.

    NOTE: This is CVE-2026-41448. We thank @djnnvx for reporting this security issue.

Added

  • New reason query parameter in GET /control/querylog. See openapi/openapi.yaml for the full description.

Deprecated

  • Query parameter response_status in GET /control/querylog is now deprecated. Use new reason query parameter instead.

Security Fixes

  • CVE-2026-41448 — Authorization in GLiNET mode no longer vulnerable to path traversal attacks
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track AdGuardHome

Get notified when new releases ship.

Sign up free

About AdGuardHome

Network-wide ads & trackers blocking DNS server

All releases →

Related context

Beta — feedback welcome: [email protected]