qBittorrent

vrelease-5.2.1 scope: release Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 9d Media Servers

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

bittorrent bittorrent-client c++ crossplatform torrent torrent-client

Affected surfaces

rce_ssrf

ReleasePort's take

Moderate signal

editorial:auto 7d

The release fixes several build and lockfile issues while introducing WEBUI enhancements; it also patches a critical SSRF vulnerability in HTTP handling.

Why it matters: Prevent server‑side request forgery (high severity, severity 95) affecting all installations; address build failures with latest zlib and stale lockfile problems.

Summary

AI summary

Updates glassez, BUGFIX, and WEBUI across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Security	Critical	Prevent SSRF via HTTP redirection Prevent SSRF via HTTP redirection Source: llm_adapter@2026-05-27 Confidence: high	—
Feature
Feature	Low	Avoid search downloader for magnet links Avoid search downloader for magnet links Source: llm_adapter@2026-05-27 Confidence: high	—
Feature	Low	Work around browser extension interfering with Add Torrent Dialog Work around browser extension interfering with Add Torrent Dialog Source: llm_adapter@2026-05-27 Confidence: high	—
Feature	Low	Filter all children of content root in WEBUI Filter all children of content root in WEBUI Source: llm_adapter@2026-05-27 Confidence: high	—
Bugfix
Bugfix	Medium	Fix building with latest zlib Fix building with latest zlib Source: llm_adapter@2026-05-27 Confidence: high	—
Bugfix	Medium	Remove old-format lockfile on start Remove old-format lockfile on start Source: llm_adapter@2026-05-27 Confidence: high	—
Bugfix	Medium	Delete stale lockfile on machine‑id mismatch Delete stale lockfile on machine‑id mismatch Source: llm_adapter@2026-05-27 Confidence: high	—
Bugfix	Medium	Fix handling of 'Accept-Encoding' header Fix handling of 'Accept-Encoding' header Source: llm_adapter@2026-05-27 Confidence: high	—
Bugfix	Medium	Don't store API result between WEBAPI calls Don't store API result between WEBAPI calls Source: llm_adapter@2026-05-27 Confidence: high	—
Bugfix	Medium	Fix RSS refresh loop when no feeds exist Fix RSS refresh loop when no feeds exist Source: llm_adapter@2026-05-27 Confidence: high	—
Bugfix	Low	Avoid proxy interfering with multiprocessing pool in SEARCH Avoid proxy interfering with multiprocessing pool in SEARCH Source: granite4.1:30b@2026-05-27-audit Confidence: low	—

Full changelog

BUGFIX: Fix building with latest zlib (glassez) #24200
BUGFIX: Remove old-format lockfile when starting (glassez) #24218
BUGFIX: Prevent SSRF via HTTP redirection (AlexandrBlishun) #24270
BUGFIX: Delete stale lockfile when machine-id mismatch (glassez) #24285
BUGFIX: Fix handling of 'Accept-Encoding' header (glassez) #24286
WEBUI: Avoid search downloader for magnet links (TurboTheTurtle) #24211
WEBUI: Work around browser extension interfering with Add Torrent Dialog (vafada) #24240
WEBUI: Filter all children of content root (vafada) #24243
WEBAPI: Don't store API result between calls (beryxz) #24262
RSS: Fix refresh is indefinitely called when there are no feeds (glassez) #24199
SEARCH: Avoid proxy interfering with multiprocessing pool (Chocobo1) #24234

Security Fixes

Prevent SSRF via HTTP redirection

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track qBittorrent

Get notified when new releases ship.

About qBittorrent

qBittorrent BitTorrent client

All releases →

qBittorrent

ReleasePort's take

Summary

Changes in this release

Security Fixes

Related context

Related tools