NodeBB

v4.11.3 Security

This release includes 1 security fix, relevant to security teams reviewing exposed deployments.

Published 21d Productivity & Wikis
✓ No known CVEs patched
This release patches 1 known CVE

Topics

community forum javascript mongodb nodejs nodebb postgresql redis socket-io websockets

Affected surfaces

auth

ReleasePort's take

Moderate signal
editorial:auto 13d

Version v4.11.3 adds proper escaping for id, type, activityType, and body fields on the ActivityPub errors page.

Why it matters: Upgrade to v4.11.3 immediately if you expose the AP errors page; the release mitigates potential injection risks from unescaped input.

Summary

AI summary

Fixed escaping issues on the AP errors page and related bugs.

Changes in this release

Security Medium

Escapes id, type, activityType in ActivityPub errors ACP page

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

Escapes id, type, activityType, body on ActivityPub errors page

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Fixes off-by-some error on getUsersFields function

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Uses configured forum URL for shared links

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Hides current category from move topic selector

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Privileged users bypass self-edit reputation checks

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Skips actor resolution when federation disabled

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Handles before cursor for upward infinite scroll

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Removes msapplication-badge metadata tag

Source: llm_adapter@2026-05-21

Confidence: low

Full changelog

Release build (patch) of NodeBB @ 2026-05-13T21:21:49.054Z

v4.11.3 (2026-05-13)

Bug Fixes
  • add escaping to id/type/activityType in AP/errors ACP page to guard against improper user data (e95f5bcb)
  • escape id, type, activityType, body on AP errors page (16bda6b9)
  • #14250 (40b94149)
  • #14208, off-by-some error on getUsersFields (54df63c4)
  • use configured forum URL for shared links (#14226) (bd4b34a5)
  • hide current category from move topic selector (#14228) (bbdf05d6)
  • remove msapplication-badge (00d3c873)
  • bypass self-edit reputation checks for privileged users (#14214) (164a3d49)
  • activitypub:
    • skip actor resolution when federation is disabled (a729d0a4)
    • handle before cursor for upward infinite scroll navigation (0c6988c7)

Other Changes
  • //github.com/NodeBB/NodeBB/issues/14250 (270e5e8f)

Security Fixes

  • Added escaping for id, type, activityType, and body on the AP errors page to prevent improper user data injection.

About NodeBB

Node.js based forum software built for the modern web
