Plainpad

v1.1.1 Security

This release includes 3 security fixes of interest to security teams reviewing exposed deployments.

Published 1mo Productivity & Wikis
✓ No known CVEs patched
This release patches 3 known CVEs

Topics

javascript laravel note-taking php react self-hosted

Summary

AI summary

Fixes privilege escalation and account security vulnerabilities.

Full changelog

Plainpad is a self-hosted, open-source note-taking application that is very easy to set up on your server.

This is a stable release; you can use it in production environments and/or update your existing installations.

https://plainpad.org/

[1.1.1] - 2026-04-23

Fixed

  • Fix privilege-escalation vulnerability allowing any authenticated user to grant themselves admin (#138)
  • Prevent account enumeration and unauthenticated account-lockout abuse on the password recovery endpoint
  • Whitelist sortable columns and sort direction on user and note list endpoints to prevent unsafe ORDER BY input
  • Add form validation rules to the user modal

--

Alex Tselegidis, Plainpad Creator


Security Fixes

  • Privilege escalation vulnerability allowing authenticated users to grant themselves admin
  • Account enumeration and unauthenticated account-lockout abuse on password recovery endpoint
  • Unsafe ORDER BY injection on user and note list endpoints
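
An added example (not Plainpad's code) of the allowlist approach named in the ORDER BY fix, in plain PHP 8. The column names, the `SORTABLE` table and the `safeOrderBy` helper are hypothetical, since this page does not show the project's schema or patch.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlists; the real Plainpad column names are not shown on this page.
const SORTABLE = [
    'users' => ['id', 'name', 'email', 'created_at'],
    'notes' => ['id', 'title', 'updated_at'],
];

/**
 * Map untrusted sort/direction request values to a safe ORDER BY fragment.
 * Identifiers cannot be bound as prepared-statement parameters, so the output
 * is always a value taken from a fixed list, never the request input itself.
 */
function safeOrderBy(string $resource, mixed $sort, mixed $direction, string $default = 'id'): string
{
    $allowed = SORTABLE[$resource]
        ?? throw new InvalidArgumentException("unknown resource: $resource");

    // Strict comparison; array input such as ?sort[]=x falls back instead of being cast.
    $column = (is_string($sort) && in_array($sort, $allowed, true)) ? $sort : $default;

    // Direction is reduced to one of two literals.
    $dir = (is_string($direction) && strtolower($direction) === 'desc') ? 'DESC' : 'ASC';

    return sprintf('ORDER BY `%s` %s', $column, $dir);
}

// Constructed request values, including malformed ones.
$samples = [
    ['users', 'email', 'desc'],
    ['users', 'password', 'asc'],          // exists in many schemas, but not sortable here
    ['notes', 'id, (SELECT 1)', 'asc'],    // expression instead of a column name
    ['notes', 'title', 'asc, (SELECT 1)'], // extra SQL appended to the direction
    ['notes', ['title'], null],            // wrong types
];

foreach ($samples as [$resource, $sort, $direction]) {
    echo json_encode([$sort, $direction]), ' => ',
        safeOrderBy($resource, $sort, $direction), PHP_EOL;
}
```

This version silently falls back to the default column; returning a 422 for unrecognised values is an equally valid choice and makes probing visible in logs.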


About Plainpad

Modern note taking application for the cloud, utilizing the best features of progressive web apps technology.
