news

v28.5.0 Security

This release includes 1 security fix, relevant to security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 1 known CVE

Topics

atom-feed feed feed-reader news nextcloud nextcloud-news rss rss-reader

Affected surfaces

rce_ssrf

Summary

AI summary

A mixed release with dependency updates (deps and deps-dev).

Changes in this release

Security High

Fixes a gap in SSRF protection when a remote host redirects to a local address.

Source: llm_adapter@2026-06-03

Confidence: low

Dependency Low

Bump guzzlehttp/psr7 from 2.9.0 to 2.10.2.

Source: llm_adapter@2026-06-03

Confidence: high

Bugfix Medium

Fix npm audit issues.

Source: llm_adapter@2026-06-03

Confidence: low

Bugfix Low

Corrects missing on_redirect handling in FetcherConfig.

Source: granite4.1:30b@2026-06-03-audit

Confidence: high

Full changelog

Security

  • Update recommended: This version fixes a gap in the SSRF protection that occurs when the remote host redirects to a local address.

What's Changed

🐛 Fixed

  • Fix on_redirect handling missing in the FetcherConfig by @Grotax in https://github.com/nextcloud/news/pull/3773

📦 Dependency Updates

  • [master] Fix npm audit by @nextcloud-command in https://github.com/nextcloud/news/pull/3754
  • build(deps): Bump zizmorcore/zizmor-action from 0.5.5 to 0.5.6 by @dependabot[bot] in https://github.com/nextcloud/news/pull/3755
  • build(deps): Bump codecov/codecov-action from 6.0.0 to 6.0.1 by @dependabot[bot] in https://github.com/nextcloud/news/pull/3759
  • build(deps): Bump crate-ci/typos from 1.46.1 to 1.46.2 by @dependabot[bot] in https://github.com/nextcloud/news/pull/3758
  • build(deps): Bump errata-ai/vale-action from 2.1.1 to 2.1.2 by @dependabot[bot] in https://github.com/nextcloud/news/pull/3756
  • build(deps-dev): Bump @types/node from 25.8.0 to 25.9.0 in the types group by @dependabot[bot] in https://github.com/nextcloud/news/pull/3757
  • build(deps): Bump R0Wi/nextcloud-appstore-push-action from 1.0.4 to 1.0.5 by @dependabot[bot] in https://github.com/nextcloud/news/pull/3761
  • build(deps-dev): Bump @types/node from 25.9.0 to 25.9.1 in the types group by @dependabot[bot] in https://github.com/nextcloud/news/pull/3762
  • build(deps): Bump guzzlehttp/psr7 from 2.9.0 to 2.10.1 by @dependabot[bot] in https://github.com/nextcloud/news/pull/3763
  • build(deps): Bump @nextcloud/dialogs from 7.3.0 to 7.4.0 by @dependabot[bot] in https://github.com/nextcloud/news/pull/3765
  • build(deps-dev): Bump the vite group with 2 updates by @dependabot[bot] in https://github.com/nextcloud/news/pull/3764
  • [master] Fix npm audit by @nextcloud-command in https://github.com/nextcloud/news/pull/3767
  • build(deps): Bump guzzlehttp/psr7 from 2.10.1 to 2.10.2 by @dependabot[bot] in https://github.com/nextcloud/news/pull/3770
  • build(deps): Bump crate-ci/typos from 1.46.2 to 1.46.3 by @dependabot[bot] in https://github.com/nextcloud/news/pull/3771
  • build(deps): Bump symfony/cache from 7.4.9 to 7.4.12 by @dependabot[bot] in https://github.com/nextcloud/news/pull/3766

Full Changelog: https://github.com/nextcloud/news/compare/28.4.1...28.5.0

Security Fixes

  • Fix on_redirect handling missing in the FetcherConfig — closes SSRF protection gap when remote host redirects to a local address.

About news

RSS/Atom feed reader

Related context

Earlier breaking changes

  • v28.4.0 NcCheckBoxRadioSwitch component requires value property as string
