Pluton

vpluton-v0.5.0 scope: pluton Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 3mo Backup & Recovery
✓ No known CVEs patched
This release patches 2 known CVEs

Topics

3-2-1-backup backup restic self-hosted

Affected surfaces

auth rce_ssrf

Summary

AI summary

A mixed release: 0.5.0 includes bug fixes and code refactoring.

Full changelog

0.5.0 (2026-02-21)

Features

  • adds password hashing to harden security (fed43a2)
  • adds password reset mechanism (780ced1)

Bug Fixes

  • broken ALLOW_FILE_BROWSER config (ca01522)
  • missing content security policy (bbb1f2d)
  • Missing device update input validation (bb9b40a)
  • missing security headers (6e5b153)
  • resolves broken global restic and rclone settings. (42d84c0)
  • resolves malicious command execution vulnerability (2e0fb5f)
  • resolves rate limiting issue in the frontend (efd1af0)
  • various security issues. (9d96362)

Code Refactoring

  • request signing method of agent/server communication (e7ed295)

Security Fixes

  • Resolves malicious command execution vulnerability
  • Fixes missing content security policy, device update input validation, and missing security headers

About Pluton

Secure backups across local and cloud storage
