
firefly-iii

v6.6.3 Security

This release includes 1 security fix; relevant to security teams reviewing exposed deployments.

Published: 13d · Category: Productivity & Wikis

✓ No known CVEs patched

This release patches 1 known CVE

Topics: accounting, budget, budgeting, budgets, cash-flow, cashflow, credit-card, docker, expenses, finance, finances, financial, linux, money, paycheck, personal-finance, php, php7

Affected surfaces

auth

ReleasePort's take

Moderate signal (editorial: auto, 13d)

Firefly III v6.6.3 fixes a stored XSS vulnerability in the audit log view via piggy bank names. Release includes 11 bugfixes for OAuth, exchange rates, reporting, and server errors.

Why it matters: Stored XSS in audit logs, severity 50. Deploy immediately if audit logging is enabled. Piggy bank creation 500 errors resolved; prioritize for user-facing deployments.

Summary

AI summary

Addresses discussions https://github.com/orgs/firefly-iii/discussions/11408, https://github.com/orgs/firefly-iii/discussions/11455 and https://github.com/orgs/firefly-iii/discussions/12097 in a mixed release of fixes and features.

Changes in this release

  • Security (Medium): Fix stored XSS in audit log view via piggy bank name (ale.twig). Source: granite4.1:8b-q6_K@2026-05-21. Confidence: low.
  • Feature (Medium): PiggyBanks and suggested amount per month discussion addressed. Source: granite4.1:8b-q6_K@2026-05-21. Confidence: low.
  • Bugfix (Medium): Resolves "Sum" Line In Account Charts issue. Source: granite4.1:8b-q6_K@2026-05-21. Confidence: high.
  • Bugfix (Medium): Fixes Error updating Exchange Rates. Source: granite4.1:8b-q6_K@2026-05-21. Confidence: high.
  • Bugfix (Medium): Budget figures in default financial report now include transactions in liability accounts. Source: granite4.1:8b-q6_K@2026-05-21. Confidence: high.
  • Bugfix (Medium): Resolved getLatestBalance() argument type issue ($currencyId). Source: granite4.1:8b-q6_K@2026-05-21. Confidence: high.
  • Bugfix (Medium): Password validation code explanation improved. Source: granite4.1:8b-q6_K@2026-05-21. Confidence: low.
  • Bugfix (Medium): Audit log entries no longer show changes when none occurred (currency values fields). Source: granite4.1:8b-q6_K@2026-05-21. Confidence: low.
  • Bugfix (Medium): Rule triggers now visible on rules page for rules with multiple triggers. Source: granite4.1:8b-q6_K@2026-05-21. Confidence: low.
  • Bugfix (Medium): Abacus App functional with new OAuth. Source: granite4.1:8b-q6_K@2026-05-21. Confidence: low.
  • Bugfix (Medium): Personal Access Tokens listed on web UI. Source: granite4.1:8b-q6_K@2026-05-21. Confidence: low.
  • Bugfix (Medium): Fixed 500 Internal Server Error when creating piggy bank. Source: granite4.1:8b-q6_K@2026-05-21. Confidence: low.

Full changelog

Welcome to release v6.6.3 of Firefly III. It contains the latest fixes, translations and features. Docker users can find this release under the latest tag.

Changelog

Changed

  • Better explanation text for the password validation code.
  • Discussion 11408 (How do I see the content of link notes?) started by @Coderdude112

Fixed

  • Discussion 11455 ("Sum" Line In Account Charts) started by @PVTejas
  • Discussion 12097 (Error updating Exchange Rates) started by @gpampuro
  • Issue 12204 (A change is shown in "Audit log entries" when there was actually no movement (currency values fields)) reported by @jgmm81
  • Issue 12207 (Rule triggers hidden on rules page for rules with multiple triggers) reported by @frankakn7
  • Discussion 12210 (PiggyBanks and suggested amount per month) started by @Thieume
  • Issue 12223 (Budget figures on the default financial report does not include transactions in liability accounts) reported by @likinon1981
  • Issue 12243 (Abacus App is not working with the new OAuth) reported by @darkmatter18
  • Issue 12254 (Personal Access Tokens not listed on web UI) reported by @imjuzcy
  • Issue 12257 (getLatestBalance(): Argument #2 ($currencyId) must be of type int, string given) reported by @LaCarotteSauvage
  • Issue 12258 (500 Internal Server Error when creating piggy bank) reported by @davbrito

Security

  • PR 12271 (Fix stored XSS in audit log view via piggy bank name (ale.twig)) reported by @alanturing881

Installation and upgrade instructions

The releases are signed, and you can verify them using the Firefly III releases PGP key.

Develop with Firefly III

Are you interested in (future) API changes to Firefly III, or other interesting dev-related updates? Sign up to the Firefly III developer newsletter to receive low-frequency updates about the development of Firefly III.

Support Firefly III

Did you know you can support the development of Firefly III? You can donate in many ways, like GitHub Sponsors or Patreon. Please follow this link for more information. Thank you for your consideration.

Security Fixes

  • PR 12271 – Fix stored XSS in audit log view via piggy bank name (ale.twig)


About firefly-iii

Firefly III: a personal finances manager
