Maintainerr

v3.14.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 2d Media Servers
✓ No known CVEs patched
This release patches 1 known CVE

Topics

docker jellyfin maintainerr maintenance movies plex plex-media-server radarr seerr sonarr tv-series tv-shows

Affected surfaces

rce_ssrf

ReleasePort's take

Moderate signal
editorial:auto 2d

The release adds health‑check endpoints and LOG_LEVEL support while fixing several bugs; it also patches a high‑severity webhook URL validation issue preventing SSRF.

Why it matters: Severity 80 security fix blocks SSRF via unvalidated webhook URLs; developers, SREs, and security engineers must upgrade to mitigate immediate risk.

Summary

AI summary

Updates Breaking Changes, Internal, and Highlights across a mixed release.

Changes in this release

Security High

Fixes webhook agent to validate URL schemes before posting, preventing potential SSRF vulnerabilities

Source: llm_adapter@2026-06-05

Confidence: high

Feature Low

Adds /api/health endpoints for liveness and readiness checks including database health status

Source: llm_adapter@2026-06-05

Confidence: high

Feature Low

Adds support for LOG_LEVEL environment variable to override persisted log settings on startup

Source: llm_adapter@2026-06-05

Confidence: high

Feature Low

Collection handler now skips media currently being streamed to avoid modifying active content

Source: granite4.1:30b@2026-06-05-audit

Confidence: low

Bugfix Medium

Fixes rule group saving to preserve collection links and visibility on partial updates

Source: llm_adapter@2026-06-05

Confidence: high

Bugfix Medium

Fixes finding manual collections across libraries on Jellyfin/Emby servers

Source: llm_adapter@2026-06-05

Confidence: high

Bugfix Medium

Fixes deleted media remaining stuck in Jellyfin/Emby collections causing repeated processing errors

Source: llm_adapter@2026-06-05

Confidence: high

Bugfix Medium

Fixes Seerr episode rule requests from incorrectly deleting entire season requests

Source: llm_adapter@2026-06-05

Confidence: high

Bugfix Medium

Fixes Radarr bulk exclusions not being used, preventing duplicate 400 errors

Source: llm_adapter@2026-06-05

Confidence: high

Bugfix Medium

Improves failure notifications for collection handling to include the name of the failing collection

Source: llm_adapter@2026-06-05

Confidence: high

Bugfix Medium

Fixes saving log settings from overriding an active LOG_LEVEL environment variable

Source: llm_adapter@2026-06-05

Confidence: low

Full changelog

3.14.0 (2026-06-05)

Highlights

  • Added /api/health endpoints for liveness and readiness checks, including database health status (GET /api/health, GET /api/health/live, GET /api/health/ready) (#3029).
  • Collection handler now skips media currently being streamed to avoid deleting or modifying active content (#3027).
  • Fixed issue where saving log settings would override an active LOG_LEVEL environment variable (#3053).

Breaking Changes

  • None.

Features

  • Added support for LOG_LEVEL environment variable to override persisted log settings on startup (#3030).

Fixes

  • Fixed issue where saving log settings would override an active LOG_LEVEL environment variable (#3053).
  • Fixed webhook agent to validate URL schemes before posting, preventing potential SSRF vulnerabilities (#3031).
  • Fixed rule group saving to preserve collection links and visibility on partial updates (#3045, #3046).
  • Fixed issue with finding manual collections across libraries on Jellyfin/Emby servers (#3042).
  • Fixed issue where deleted media remained stuck in Jellyfin/Emby collections and caused repeated processing errors (#3023, #3024, #3040).
  • Fixed issue where Seerr requests for episode rules incorrectly deleted entire season requests (#3015).
  • Fixed issue where Radarr bulk exclusions were not used, causing duplicate 400 errors (#3012).
  • Improved failure notifications for collection handling to include the name of the failing collection (#3013).

Performance

  • None.

Database migrations

  • None.

Internal

  • Updated README with refreshed features, health endpoint documentation, deployment examples, and credits (#3048).
  • Clarified that yarn command-not-found errors indicate a stale node_modules directory.

Dependencies

  • Updated 20 dependencies, including @typescript-eslint/parser, react-router-dom, axios, and vite.

New Contributors

  • @Arvuno made their first contribution in https://github.com/Maintainerr/Maintainerr/pull/3029

Security Fixes

  • Webhook agent now validates URL schemes before posting, preventing SSRF vulnerabilities (#3031)
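
The scheme check this fix describes, sketched as an added example (not Maintainerr's code; `webhookUrlRejection`, `isInternalIPv4` and the `blockInternal` option are hypothetical names). It goes one step beyond the release note: a scheme allowlist still accepts `http://` URLs aimed at loopback or private addresses, so the example can also reject those literal hosts.

```typescript
// Added example, not Maintainerr's code. All names here are hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// True for IPv4 literals in unspecified, loopback, private or link-local ranges.
function isInternalIPv4(host: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168)
  );
}

// Returns the reason a webhook URL must not be posted to, or null if acceptable.
// blockInternal is a policy switch: self-hosted setups often post to LAN hosts.
function webhookUrlRejection(raw: string, blockInternal = true): string | null {
  let url: URL;
  try {
    url = new URL(raw); // WHATWG parsing; also normalises odd IPv4 spellings
  } catch {
    return "not an absolute URL";
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return `scheme "${url.protocol}" not allowed`;
  }
  if (!blockInternal) return null;
  const host = url.hostname.toLowerCase();
  const internal =
    /(^|\.)localhost$/.test(host) || host === "[::1]" || isInternalIPv4(host);
  // Limits: other IPv6 ranges and names that resolve to internal addresses
  // are not caught here; that needs a check on the resolved address.
  return internal ? `internal host "${host}"` : null;
}

// Constructed sample inputs.
const samples = [
  "https://hooks.example.com/notify",
  "file:///etc/hostname",
  "hooks.example.com/notify",
  "http://2130706433/", // integer spelling of 127.0.0.1
  "http://169.254.169.254/",
];
for (const s of samples) console.log(s, "=>", webhookUrlRejection(s) ?? "ok");
```

The check belongs immediately before the outbound request, on the same parsed URL that is then used for the request, so the value validated and the value requested cannot differ.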


About Maintainerr

Looks and smells like Seerr, does the opposite. A library maintenance tool for Plex and Jellyfin.

Related context

Earlier breaking changes

  • v3.13.0 Section without an operator is now treated as OR instead of AND; migration not reversible.
  • v3.13.0 Per-group exclusions now apply only to their own group, not globally.
  • v3.13.0 Exclusions are now either global or per-group; removing a global exclusion requires re-adding per-group ones.
  • v3.12.1 Renames `WATCH_HISTORY_CONCURRENCY` to `RULE_EVALUATION_CONCURRENCY` for clarity.
  • v3.11.0 Overlay reset operations are now gated against concurrent processing runs.
