This release includes 2 security fixes that are relevant to security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal
Release v3.3.8 patches a Path Traversal vulnerability in Board Export and prevents Pre‑Account Takeover via SSO Email Linkage.
Why it matters: no CVE identifier is given, but the 95 % critical rating implies high severity; all deployments using Board Export or SSO email linkage should upgrade immediately to block arbitrary file access and account compromise.
Summary
AI summary: Updates dependencies, waiting, and polling across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical | Fixes Path Traversal leading to Arbitrary File Read and Deletion in Board Export. | — |
| Security | Critical | Fixes Pre‑Account Takeover via SSO Email Linkage in 4gaBoards. | — |
| Feature | Medium | Adds system notifications capability. | — |
| Feature | Medium | Adds SYSTEM_NOTIFICATIONS_DISABLED configuration flag. | — |
| Feature | Medium | Re-displays the system notification on poll failure. | — |
| Feature | Medium | Changes systemNotificationId to UUID v7 and internal ID to BigInt. | — |
| Feature | Medium | Adds tag support to system notifications. | — |
| Feature | Medium | Displays system notification tag to users. | — |
| Feature | Medium | Adds system notification trigger after update in CI. | — |
| Bugfix | Medium | Fixes email notifications createdAt date format. | — |

Source for all rows: llm_adapter@2026-05-28, confidence: high.
Full changelog
Changes since last release:
- ⛑ test: implement E2E tests with Cucumber, Playwright, and GitHub Actions CI b979307 @mrDank-grg
- ⛑ test: Test changes+tooling, removed cucumber c6799f2
- ⛑ test: Fix error strict mode violation cce980a
- ⛑ test: Attempt to fix test in ci mode 3eef280
- ⛑ test: Attempt to fix test in ci mode accaaf5
- ⛑ test: Attempt to fix test in ci mode 05e6c17
- ⛑ test: Attempt to fix test in ci mode b99f60c
- ⛑ test: Run on current files instead of not up to date docker-compose 7343ff9
- ⛑ test: Added healthcheck to dev db (--wait) a8eb3fa
- ⛑ test: Copied env 41df1d7
- ⛑ test: Run 4gaBoards in background a7627bc
- ⛑ test: Correctly include deps 931fe4a
- ⛑ test: Run 4gaBoards in background a1c97ea
- ⛑ test: Run 4gaBoards in background 635eb0b
- ⛑ test: Fixed usage of npm instead of pnpm 82e14fd
- ⛑ test: Different attempt of running this as a background job 1641872
- ⛑ test: Different attempt of running this as a background job c2ab324
- ⛑ test: run via concurrently 923b924
- ⛑ test: Used start-server-and-test in ci aac0009
- 💄 chore(deps): Bump hyperdx 569db49
- 📖 docs: Updated readme - added discord link c6d9e1c
- 📖 docs: Fixed readme f9077e3
- 🌟 feat: Changed notif related data location 3070489
- 💄 chore(deps): Bumped multiple packages 199b6d8
- 🐞 feat/fix: Refactored format, dateFns for langs, fixed date showing as object in emailNotifs cbaf9d0
- 💄 chore(deps): Bumped deps (security) 823bb7e
- 💄 chore(deps): Bumped date-fns 1557312
- 🐞 fix: Email Notifications createdAt date format dce54e6
- 🌟 feat: Removed obsolete date-fns from DueDate and DateText a5f30cd
- 🌟 feat: Email Notifications - added user name in email subject (scope: user) 0bdf7fe
- 📖 docs: Updated readme 8f80fb2
- 💢 ci: Removed pnpm version enforcement 25037e4
- 💢 ci: Removed e2e not used wait-on dep 53e2936
- 🌟 feat: Added system notifications 513d75b
- 🐞 fix: Changed poll response to never include real userId 5e2988c
- 💄 chore: Bumped deps cb81600
- 🐞 fix: Omit important core vars ec7fafb
- 🌟 feat: Added SYSTEM_NOTIFICATIONS_DISABLED 8771f42
- 🌟 feat: Reappear system notification on FAILURE (poll) f51b1ea
- 🌟 feat: Changed systemNotificationId to uuid v7, changed internal systemNotificationId to bigInt 50fa99f
- 🐞 fix: Fixed first start system notifications registration bug 554eaed
- 🌟 feat: Added tag to system notifications 18f8209
- 🌟 feat: Display system notification tag to user 74f63d9
- 💢 ci: Added system notification trigger after update d90149b
- 💄 chore: Bumped packages - sec 1d45e03
- 🐞 fix: Fixed system notifications url on dev 26f222c
- 🐞 fix: Path Traversal leading to Arbitrary File Read and Deletion in Board Export - thanks @lucquach 654151d
- 🐝 refactor: Filenamify usage 6b49e29
- 🐞 fix: Pre-Account Takeover via SSO Email Linkage in 4gaBoards - thanks @lucquach 484c92d
- 📄 [PATCH] Release c8247c4
Install this release using: `docker pull ghcr.io/rargames/4gaboards:3.3.8`
View the changelog summary on the 4ga Boards Blog.
Security Fixes
- CVE not explicitly provided – Path Traversal leading to Arbitrary File Read and Deletion in Board Export (fixed)
- CVE not explicitly provided – Pre‑Account Takeover via SSO Email Linkage (fixed)
About 4gaBoards
Straightforward realtime kanban boards management for intuitive task tracking. 4ga Boards features an elegant dark mode, collapsible todo lists, and multitasking tools to supercharge your team's productivity.