
photoprism

v260601-a7d098548 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 2d Media Servers
✓ No known CVEs patched
This release patches 2 known CVEs

Topics

ai go google-photos machine-learning photography private-cloud self-hosted tensorflow

Affected surfaces

auth deps

ReleasePort's take

Moderate signal
editorial:auto 2d

The release removes the vulnerable Pebble binary from Ubuntu base images (CVE‑2026‑39821) and upgrades libheif to v1.22.2, fixing 17 CVEs.

Why it matters: The release addresses critical security flaws: it removes a high‑severity CVE from the base images (severity 90) and resolves 17 CVEs via the libheif upgrade (severity 85).

Summary

AI summary

Updates What's new?, Videos, and Index across a mixed release.

Changes in this release

Security Critical

Removed Pebble binary from Ubuntu base images (CVE-2026-39821)


Source: llm_adapter@2026-06-01

Confidence: high

Security High

Upgraded libheif from v1.21.2 to v1.22.2, fixing 17 CVEs


Source: llm_adapter@2026-06-01

Confidence: high

Security High

Reinforced user profile endpoint authorization checks


Source: llm_adapter@2026-06-01

Confidence: high

Feature Medium

Added option to exclude formats from FFmpeg processing


Source: llm_adapter@2026-06-01

Confidence: high

Feature Low

PNG thumbnails exported without ICC profile if libpng rejects it


Source: llm_adapter@2026-06-01

Confidence: high

Feature Low

Optional free disk space threshold prevents storage from filling up during indexing, importing, and uploading


Source: llm_adapter@2026-06-01

Confidence: high

Feature Low

Improved hardware transcoding setup and documentation for videos


Source: llm_adapter@2026-06-01

Confidence: high

Bugfix Medium

Fixed recovery of hidden stacks whose primary image was replaced


Source: llm_adapter@2026-06-01

Confidence: high

Bugfix Medium

Fixed VAAPI transcoding compatibility with FFmpeg 8


Source: llm_adapter@2026-06-01

Confidence: high

Bugfix Medium

Fixed recurring deletion and re-creation of folder albums


Source: llm_adapter@2026-06-01

Confidence: high

Full changelog

This service release includes important security and reliability updates. As an additional safety measure, indexing, importing, and uploading can be disabled when free disk space falls below a configurable threshold to prevent storage volumes from filling up. A special thank you to everyone who reported bugs and helped us test the changes! 🔒🔧

What's new?

Translations

Missing user interface translations have been generated with the help of DeepL and Google Translate. Native speakers are welcome to help us improve them where needed. Learn more ›

Installation Packages

The packages attached to this release are intended for experienced users and maintainers of third-party integrations only, as they require manual configuration and do not include tested system dependencies. Since we are unable to provide support for custom installations, we recommend using one of our Docker images to run PhotoPrism on a private server or NAS device. Learn more ›

Security Fixes

  • Removed Pebble binary from Ubuntu base images (CVE-2026-39821)
  • Upgraded libheif from v1.21.2 to v1.22.2, fixing 17 CVEs


About photoprism

AI-Powered Photos App for the Decentralized Web


Related context


Earlier breaking changes

  • v260523-0544f71c1 Dropped legacy Pigo detector in favor of ONNX-based face recognition.
