This release includes 3 security fixes; security teams reviewing exposed deployments should check it.
ReleasePort's take
Picoshare 1.5.2 hardens file uploads, guest access, and ID generation with three security patches. Operators hosting shared files or guest uploads should test and deploy this update.
Why it matters: three security fixes, namely sandboxing file responses against malicious JavaScript, rejecting inactive guest uploads, and using cryptographic randomness for IDs. Test in dev before production deployment.
Summary
AI summary: Sandbox uploaded file responses to prevent malicious JavaScript execution.
Changes in this release
| Type | Severity | Summary | CVE | Confidence |
|---|---|---|---|---|
| Security | Medium | Sandbox uploaded file responses to prevent malicious JavaScript execution. | — | high |
| Security | Medium | Return early after rejecting inactive guest uploads to prevent unauthorized access. | — | high |
| Security | Medium | Use crypto/rand instead of math/rand to reduce random ID predictability. | — | high |
| Feature | Medium | Replace Bulma with Bootstrap 5 for UI framework upgrade. | — | low |
| Feature | Medium | Replace modd with air for local development tooling. | — | low |
| Feature | Medium | Add PS_SHARED_SECRET_FILE support for Docker Secrets integration. | — | low |
| Bugfix | Medium | Mark first contributions for @gene1wood and @roxy5201314. | — | low |
Summaries generated by llm_adapter@2026-05-21.
Full changelog
Security fixes
- Sandbox uploaded file responses by @roxy5201314 in https://github.com/mtlynch/picoshare/pull/760
  - Prevents a scenario where a malicious user with access to a guest upload link uploads malicious JavaScript and tricks the instance owner into viewing it.
- Return early after rejecting inactive guest uploads by @roxy5201314 in https://github.com/mtlynch/picoshare/pull/761
  - Prevents users from uploading to inactive guest links.
- Use crypto/rand instead of math/rand by @mtlynch in https://github.com/mtlynch/picoshare/pull/733
  - Reduces the likelihood of predicting random IDs.
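The three fixes above describe three defensive patterns in a Go file-sharing service: serve stored uploads so the browser cannot run them as a page of the instance's origin, stop processing as soon as a guest link is rejected, and draw IDs from `crypto/rand`. The following is an added example written for this page in Go (Picoshare's language); it is not Picoshare's code and does not reproduce what PRs 760, 761 or 733 actually changed. The `GuestLink` type, the `link` query parameter, the `/guest-upload` path, and the choice of a `Content-Security-Policy: sandbox` header as the sandboxing mechanism are all this example's assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// GuestLink is a constructed stand-in for a guest upload link (not Picoshare's model).
type GuestLink struct {
	Active  bool
	Expires time.Time
}

// NewID draws idLen bytes from crypto/rand and encodes them URL-safely.
// math/rand output is reproducible from its seed, so an observer who sees a
// few IDs can predict the rest; crypto/rand output is not.
func NewID(idLen int) (string, error) {
	b := make([]byte, idLen)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// ServeUpload writes stored file bytes back with headers that keep the file
// from running as a page of this origin: the CSP "sandbox" directive blocks
// scripts and origin access, nosniff stops the browser from guessing a more
// dangerous type, and "attachment" asks for a download rather than rendering.
// (Using CSP sandbox here is this example's choice, not necessarily PR 760's.)
func ServeUpload(w http.ResponseWriter, contentType string, data []byte) {
	h := w.Header()
	h.Set("Content-Security-Policy", "sandbox")
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Disposition", "attachment")
	h.Set("Content-Type", contentType)
	w.WriteHeader(http.StatusOK)
	w.Write(data)
}

// GuestUploadHandler stores an upload only for an active, unexpired link.
// The `return` after http.Error is the whole point: without it the handler
// writes the rejection and then falls through and stores the file anyway.
func GuestUploadHandler(links map[string]GuestLink, now func() time.Time) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		link, ok := links[r.URL.Query().Get("link")] // hypothetical "link" parameter
		if !ok || !link.Active || now().After(link.Expires) {
			http.Error(w, "guest link is not active", http.StatusUnauthorized)
			return
		}
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20)) // 1 MiB demo cap
		if err != nil {
			http.Error(w, "upload too large or unreadable", http.StatusBadRequest)
			return
		}
		id, err := NewID(16)
		if err != nil {
			http.Error(w, "could not generate ID", http.StatusInternalServerError)
			return
		}
		w.WriteHeader(http.StatusCreated)
		fmt.Fprintf(w, "stored %d bytes as %s", len(body), id)
	}
}

// TryGuestUpload drives the handler in-process and returns status and body.
func TryGuestUpload(h http.Handler, linkID, payload string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/guest-upload?link="+linkID, strings.NewReader(payload))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

// RecordServeUpload returns the recorded response for a served file.
func RecordServeUpload(contentType string, data []byte) *httptest.ResponseRecorder {
	rec := httptest.NewRecorder()
	ServeUpload(rec, contentType, data)
	return rec
}

func main() {
	links := map[string]GuestLink{ // constructed sample links
		"open":   {Active: true, Expires: time.Now().Add(time.Hour)},
		"closed": {Active: false, Expires: time.Now().Add(time.Hour)},
	}
	h := GuestUploadHandler(links, time.Now)
	for _, id := range []string{"open", "closed", "unknown"} {
		code, body := TryGuestUpload(h, id, "constructed file contents")
		fmt.Printf("%-8s -> %d %s\n", id, code, strings.TrimSpace(body))
	}
	rec := RecordServeUpload("text/html", []byte("<p>constructed upload</p>"))
	fmt.Println("CSP:", rec.Header().Get("Content-Security-Policy"))
}
```

The `now` parameter is injected so that expiry can be tested with a fixed clock; in a real service it would be `time.Now`. When reviewing a handler for the fall-through bug, look for any branch that writes an error response without a `return` directly after it.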
Improvements
- Replace bulma with bootstrap5 by @mtlynch in https://github.com/mtlynch/picoshare/pull/718
- Replace modd with air for local development by @mtlynch in https://github.com/mtlynch/picoshare/pull/736
- Add PS_SHARED_SECRET_FILE support for Docker Secrets by @gene1wood in https://github.com/mtlynch/picoshare/pull/750
New Contributors
- @gene1wood made their first contribution in https://github.com/mtlynch/picoshare/pull/750
- @roxy5201314 made their first contribution in https://github.com/mtlynch/picoshare/pull/761
Full Changelog: https://github.com/mtlynch/picoshare/compare/1.5.1...1.5.2
Security Fixes
- Sandbox uploaded file responses to prevent malicious JavaScript execution via guest upload links
- Return early after rejecting inactive guest uploads to block unauthorized uploads
- Use crypto/rand instead of math/rand to reduce predictability of random IDs
About picoshare
A minimalist, easy-to-host service for sharing images and other files