This release includes 1 security fix; it is summarised here for security teams reviewing exposed deployments.
ReleasePort's take
Signal: Light. The release hardens database checks using prepared statements and mitigates X-Forwarded-* header injection risks.
Why it matters: Patch to version 11.12.1 immediately; the fix prevents SQL injection via untrusted forwarded headers, a critical security risk.
Summary
AI summary: Hardened DB checks with prepared statements and fixed X-Forwarded-* header injection.
Changes in this release
Summaries below were generated by llm_adapter on 2026-05-21; the Confidence column is that generator's own rating of each summary.

| Type | Severity | Summary | CVE | Confidence |
|---|---|---|---|---|
| Security | Medium | Only trust X-Forwarded-* headers from local/LAN proxies. | — | high |
| Feature | Medium | Added JSON systeminfo endpoint. | — | low |
| Feature | Medium | Option to disable rate limiting for local testing. | — | low |
| Bugfix | Medium | Fixed log escapeshell issue. | — | low |
| Bugfix | Medium | Removed escapeshell from logfile. | — | low |
| Bugfix | Medium | Fixed Redis error. | — | low |
| Refactor | Medium | Modularised serial, update, and components. | — | low |
| Refactor | Medium | Require_once added on remember me module. | — | low |
Full changelog
- Merge pull request #1987 from emoncms/fix/trusted-proxy-host-header-injection
- fix log escapeshell issue
- remove escapeshell from logfile
- fix redis error
- update version (modular admin)
- minor fixes
- include local changes tag
- fix core info
- fix access to directories
- use components directly for core as well
- clean up camel case
- consistent model names
- re-organise
- log model, clean up
- fix routes
- clean up
- separate services class
- extended sysinfo to match original
- second system info class test
- latest sys info
- refactor system info method
- refinements
- fix translations
- refactored admin info view
- json systeminfo end point
- remove serial monitor, serial config ui is sufficient
- move view calls to relevant sections
- modularise serial
- modularise update and components
- component model
- remove post body http method over-ride option and add comment cors preflight for reference
- avoid filepath variable override in view()
- harden db_check with prepared statement
- fix: only trust X-Forwarded-* headers from local/LAN proxies
- remember me module tests
- update version
- readme for tests
- remove old tests, replace with php user model tests as a POC
- option to disable rate limiting for local testing
- require_once on remember me
Breaking Changes
- Removed POST body HTTP method override option.
Security Fixes
- Fixed X-Forwarded-* header injection by trusting only local/LAN proxies (CVE not specified).
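As an added illustration of the "only trust X-Forwarded-* headers from local/LAN proxies" fix (example code written for this page, not the emoncms patch from PR #1987): forwarded client address and host are honoured only when the TCP peer is a loopback, RFC 1918 or link-local address, and the resulting host is validated before it reaches links or queries. The function names, the trusted range list and the sample request are assumptions.

```php
<?php
// Added example, not emoncms code: honour X-Forwarded-* only when the direct peer
// (REMOTE_ADDR) is loopback / RFC 1918 / link-local, i.e. a proxy on this host or LAN.
/** True if IPv4 address $ip lies inside the CIDR block $cidr. */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipLong = ip2long($ip);
    $netLong = ip2long($subnet);
    if ($ipLong === false || $netLong === false) return false; // not IPv4
    $mask = (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}
/** Loopback, RFC 1918 private ranges and IPv4 link-local: the "local/LAN" set. */
function is_trusted_proxy(string $remoteAddr): bool
{
    foreach (['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '169.254.0.0/16'] as $cidr) {
        if (ip_in_cidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}
/** Client IP and host the app should use; $server is $_SERVER (passed in for testability). */
function resolve_request_origin(array $server): array
{
    $ip   = $server['REMOTE_ADDR'] ?? '';
    $host = $server['HTTP_HOST'] ?? '';
    if (is_trusted_proxy($ip)) {
        if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
            // The trusted proxy appends the address it saw: use the rightmost hop only.
            $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
            $ip = end($hops);
        }
        if (!empty($server['HTTP_X_FORWARDED_HOST'])) {
            $host = $server['HTTP_X_FORWARDED_HOST'];
        }
    }
    // A host used to build links or queries must be a plain hostname[:port].
    if (!preg_match('/^[A-Za-z0-9.-]+(:\d{1,5})?$/', $host)) {
        $host = $server['SERVER_NAME'] ?? 'localhost';
    }
    return ['ip' => $ip, 'host' => $host];
}
// Constructed sample: forged headers from a public client (203.0.113.7) are ignored.
var_dump(resolve_request_origin(['REMOTE_ADDR' => '203.0.113.7', 'HTTP_HOST' => 'emoncms.example',
    'HTTP_X_FORWARDED_FOR' => '1.2.3.4', 'HTTP_X_FORWARDED_HOST' => 'evil.example']));
```

With REMOTE_ADDR changed to 192.168.1.10 the same headers are honoured, which is the behaviour a deployment behind a LAN reverse proxy relies on.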
About emoncms
Web-app for processing, logging and visualising energy, temperature and other environmental data