This release includes 5 security fixes for security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal: Version 1.8.225 patches `symfony/routing`, upgrades `symfony/polyfill-intl-idn`, and fixes a path-traversal flaw in the Log Viewer.
Why it matters: High‑severity CVEs (CVE‑2026‑45065, CVE‑2026‑46644) and a critical GHSA vulnerability require immediate patching to prevent remote code execution and traversal attacks; severity scores exceed 85.
Summary
AI summary: Fixed path traversal in Log Viewer and patched multiple security vulnerabilities.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical | Patched `symfony/routing` (CVE-2026-45065) | — |
| Security | Critical | Upgraded `symfony/polyfill-intl-idn` to 1.38.1 (CVE-2026-46644) | — |
| Security | Critical | Fixed path traversal in Log Viewer (GHSA-9ph7-f3hc-95gg) | — |
| Security | Critical | Improved `Helper::stripDangerousTags()` to strip nested tags (GHSA-jpq8-j69f-mj98) | — |
| Security | High | Added throttling and authentication in `tools.php` (GHSA-w2p9-3666-vw9j) | — |
| Feature | Low | Moved option to UI: "_User can see only assigned conversations_" (#701) | — |
| Bugfix | Medium | Fixed color of texts in logs table (#5442) | — |
| Bugfix | Medium | Fixed saving mailbox signature by non-admin users (#5443) | — |

Source for all rows: llm_adapter@2026-06-13. Confidence: high.
Full changelog
Fixed
- Added throttling and authentication in `tools.php` (Security: GHSA-w2p9-3666-vw9j)
- Fixed color of texts in logs table (#5442)
- Patched `symfony/routing` (Security: CVE-2026-45065)
- Upgraded `symfony/polyfill-intl-idn` to 1.38.1 (Security: CVE-2026-46644)
- Fixed path traversal in Log Viewer (Security: GHSA-9ph7-f3hc-95gg)
- Moved option to UI: "User can see only assigned conversations" (#701)
- Improved `Helper::stripDangerousTags()` to strip nested tags (Security: GHSA-jpq8-j69f-mj98)
- Fixed saving mailbox signature by non-admin users (#5443)
Security Fixes
- GHSA-w2p9-3666-vw9j — added throttling and authentication in `tools.php`
- CVE-2026-45065 — patched `symfony/routing` dependency
- CVE-2026-46644 — upgraded `symfony/polyfill-intl-idn` to 1.38.1
- GHSA-9ph7-f3hc-95gg — fixed path traversal in Log Viewer
- GHSA-jpq8-j69f-mj98 — improved `Helper::stripDangerousTags()` to strip nested tags
About freescout
FreeScout — Free self-hosted help desk & shared mailbox (Zendesk / Help Scout alternative)