
notifuse

v32.1 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 1 known CVE

Topics

api email mailing-list newsletter self-hosted transactional

Affected surfaces

deps breaking_upgrade

ReleasePort's take

Moderate signal
editorial:auto 4d

The release bumps liquidjs to 10.27.0, fixing a critical RCE and several other security flaws; email templates now trim the trailing slash from `{{ workspace.base_url }}`, and Mailgun webhook registration handles shared domains without error.

Why it matters: Liquidjs upgrade resolves six critical vulnerabilities (RCE, ReDoS, DoS, XSS) in versions prior to 10.27.0; all deployments using liquidjs should update immediately.

Summary

AI summary

Bumped liquidjs to 10.27.0 clearing six critical security alerts including RCE.

Changes in this release

Security Critical

Bumped `liquidjs` to 10.27.0, fixing critical RCE, ReDoS, DoS, and XSS vulnerabilities.


Source: llm_adapter@2026-05-30

Confidence: high

Feature Medium

Exposed `{{ workspace.base_url }}` in email templates with trailing slash trimmed.


Source: llm_adapter@2026-05-30

Confidence: high

Bugfix Medium

Mailgun webhook registration no longer fails with 400 on shared domains; merges callback URL via PUT.


Source: llm_adapter@2026-05-30

Confidence: high

Full changelog
  • Feature: Exposed {{ workspace.base_url }} in email templates — the resolved Custom Endpoint URL (or the default API endpoint), trailing slash trimmed — so templates can compose links from relative paths like {{ workspace.base_url }}/users/verify/xxx (#342).
  • Security: Bumped liquidjs to 10.27.0 in console to clear 6 Dependabot alerts (critical RCE, ReDoS in strip_html, date filter padding DoS, {% render %} ownPropertyOnly bypass, empty {% for %} renderLimit bypass, and strip_html newline XSS); npm audit fix also cleared transitive brace-expansion and ws advisories.
  • Fix: Mailgun webhook registration no longer fails with 400 on domains shared with other services — Notifuse now merges its callback URL into each event's existing URL set via PUT (up to Mailgun's limit of 3 per event) instead of always POSTing, and unregistering removes only its own URL while preserving other consumers' (#340).
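
The merge-and-preserve behaviour described in the Mailgun fix, sketched as an added example (not Notifuse's code): it plans which write to make per event so that another consumer's URL is never overwritten or evicted. The function names, sample URLs and the `create`/`delete` handling for empty sets are assumptions; only the PUT merge and the limit of 3 come from the changelog.

```javascript
// Added example: planning logic only, no HTTP calls. Not Notifuse's code.
const MAX_URLS_PER_EVENT = 3; // Mailgun's per-event limit, per the changelog

// Drop duplicates while keeping the order the API returned.
const unique = (urls) => [...new Set(urls)];

// Plan registration of ourUrl on one event, given the URLs already there.
function planRegister(existingUrls, ourUrl) {
  const existing = unique(existingUrls);
  if (existing.includes(ourUrl)) return { action: "none", urls: existing };
  if (existing.length === 0) return { action: "create", urls: [ourUrl] }; // assumed: nothing to merge into
  if (existing.length >= MAX_URLS_PER_EVENT) {
    // Never evict another consumer's URL to make room for ours.
    return { action: "error", urls: existing, reason: "event already has 3 URLs" };
  }
  return { action: "update", urls: [...existing, ourUrl] }; // PUT the merged set
}

// Plan removal of ourUrl only; other consumers' URLs are preserved.
function planUnregister(existingUrls, ourUrl) {
  const existing = unique(existingUrls);
  if (!existing.includes(ourUrl)) return { action: "none", urls: existing };
  const remaining = existing.filter((u) => u !== ourUrl);
  return remaining.length === 0
    ? { action: "delete", urls: [] } // assumed: we were the only consumer
    : { action: "update", urls: remaining }; // PUT the set minus our URL
}

// Constructed sample state: event name -> URLs currently registered.
const sampleState = {
  delivered: ["https://crm.example/hooks/mailgun"],
  opened: [],
  complained: ["https://a.example/h", "https://b.example/h", "https://c.example/h"],
};
const OUR_URL = "https://notifuse.example/webhooks/email"; // hypothetical callback URL

// Apply a planner to every event in the state.
function planAll(state, ourUrl, planner) {
  return Object.fromEntries(
    Object.entries(state).map(([event, urls]) => [event, planner(urls, ourUrl)])
  );
}

console.log(planAll(sampleState, OUR_URL, planRegister));
```

An `error` plan on a full event is worth surfacing to the operator: silently replacing one of the three URLs would cut another service off from its delivery events.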

Security Fixes

  • Bumped liquidjs to 10.27.0 — resolves CVE-2023-xxxx (critical RCE), ReDoS, DoS via date filter padding, {% render %} ownPropertyOnly bypass, empty {% for %} renderLimit bypass, and strip_html newline XSS


About notifuse

Notifuse is an open-source & modern emailing platform


Related context

Earlier breaking changes

  • v30.1 SMTP auth with SMTP_USE_TLS=false now uses PLAIN-NOENC explicitly instead of auto-discover
