Skip to content

emoncms

v11.11.0 Security

This release includes 9 security fixes for security teams reviewing exposed deployments.

Published 26d Monitoring & Metrics
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 9 known CVEs

Topics

dashboards emoncms energy-monitor openenergymonitor php sustainability

Summary

AI summary

Security fixes address shell injection, command injection, XSS, open redirect, and enumeration issues.

Full changelog
  • update version
  • changes for consistency with emoncms.org
  • security: fix shell injection, session corruption and unescaped args in admin module
  • centralise exec & passthru calls
  • extract out exec and passthru for ease of reference
  • extract out exec calls for easy reference
  • refactor: get_rpi_info
  • security: harden file upload, redis version check, and service execution
  • security: fix command injection risks in admin module
  • DiD: prepared statement in schedule create
  • DiD: casting and prepared statements for process list mysql timeseries engine methods
  • DiD: use prepared statement
  • defence in depth casts
  • minor fix
  • breakout admin user functionality to AdminUserModel class
  • remove email from email verification link, there is enough security in the key already
  • validate timezone and exit if ip returns empty on ratelimit
  • centralise referrer validation
  • avoid enumeration in password reset
  • tighten apikey validation, remove sql error output
  • remove dead code, catch db write error
  • comments for readability
  • avoid enumeration on login, rate limit change password
  • fix setting of uuid
  • centralise validation, rate limit on login, auth, register, password reset
  • missing auth check on multigraph getlist, would just return empty array but better to have it
  • Fix XSS via Broken Sanitize-then-Store Pattern (Type 9 — Colour)
  • use core.php get fn here
  • fix htmlspecialchars() Misapplied to URL in Logout Flow (Logic Bug)
  • avoid usernam enumeration
  • Fix: Open Redirect / Potential XSS via referrer Parameter
  • upgrade rememberme token to sha256
  • remove logging of remember me cookie, use hash_equals better timing, close stmt
  • belt and braces
  • Merge branch 'master' of github.com:emoncms/emoncms
  • harden get_uuid
  • Merge pull request #1985 from jeremypoulter/allow_redis_host_configure
  • update version
  • fix contains error
  • breakout common serial config code to simplify maintanence
  • Refactor Redis client connection in service-runner to use environment variables for host and port configuration

Full commit diff

Security Fixes

  • Fix shell injection, session corruption and unescaped arguments in admin module (CVE not provided)
  • Harden file upload handling and command execution
  • Fix command injection risks in admin module
  • Prepared statements for schedule creation and MySQL timeseries engine methods to mitigate SQL injection
  • Defence‑in‑depth casts to prevent type‑related vulnerabilities
  • Fix XSS via Broken Sanitize‑then‑Store Pattern (Type 9 – Colour)
  • Correct htmlspecialchars() misuse in logout flow preventing URL XSS
  • Avoid user enumeration on login and password reset
  • Fix Open Redirect / Potential XSS via referrer parameter
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track emoncms

Get notified when new releases ship.

Sign up free

About emoncms

Web-app for processing, logging and visualising energy, temperature and other environmental data

All releases →

Related context

Beta — feedback welcome: [email protected]