Anthias

v2026.05.1 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 6d Media Servers

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 2 known CVEs

Topics

digital-signage iot python raspberry-pi

Affected surfaces

auth rce_ssrf

ReleasePort's take

Moderate signal

editorial:auto 6d

The release fixes CodeQL alerts for path‑injection, URL‑redirection, and stack‑trace exposure while adding a CSRF_TRUSTED_ORIGINS environment variable. It also removes the legacy `srly-ose-redis` container on upgrade.

Why it matters: Addresses high‑severity security vulnerabilities (severity 80 for injection/redirect/exposure fixes) and mandates migration planning due to removal of the legacy Redis container; action required before upgrading.

Summary

AI summary

Broad release touches Other Changes 🔧, deps-dev, Highlights ✨, and ci.

Changes in this release

Type	Severity	Summary	CVE
Security	High	Fixes CodeQL alerts for path‑injection, URL‑redirection, and stack‑trace exposure. Fixes CodeQL alerts for path‑injection, URL‑redirection, and stack‑trace exposure. Source: llm_adapter@2026-05-28 Confidence: high	—
Security	High	Adds CSRF_TRUSTED_ORIGINS env var for host‑rewriting proxies. Adds CSRF_TRUSTED_ORIGINS env var for host‑rewriting proxies. Source: llm_adapter@2026-05-28 Confidence: high	—
Breaking	High	Removes legacy `srly-ose-redis` container on upgrade. Removes legacy `srly-ose-redis` container on upgrade. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature
Feature	Medium	Adds UI‑driven screen rotation for portrait/landscape. Adds UI‑driven screen rotation for portrait/landscape. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Medium	Adds experimental HDMI‑CEC display on/off control. Adds experimental HDMI‑CEC display on/off control. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Medium	Adds per‑board hardware decode dispatch and codec gating on upload. Adds per‑board hardware decode dispatch and codec gating on upload. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Medium	Adds automatic download of remote video URLs into the asset pipeline. Adds automatic download of remote video URLs into the asset pipeline. Source: llm_adapter@2026-05-28 Confidence: high	—
Feature	Medium	Adds Migrate‑to‑Screenly wizard for pushing playlists via v4.1 API. Adds Migrate‑to‑Screenly wizard for pushing playlists via v4.1 API. Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Medium	Fixes UI asset delete to also remove the on‑disk file. Fixes UI asset delete to also remove the on‑disk file. Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Medium	Fixes installer to keep dtoverlay and max_framebuffers on separate lines in config.txt. Fixes installer to keep dtoverlay and max_framebuffers on separate lines in config.txt. Source: llm_adapter@2026-05-28 Confidence: high	—

Full changelog

Highlights ✨

Pi 4 / per-board HW decode overhaul — embedded QtMultimedia inside AnthiasWebview, eliminating the two-process DRM contention that caused Pi 4 frame drops; added per-board HW decode dispatch and upload-time codec gating (#2905, #2885)
1 GB SBC enablement — low-RAM degradation gates so 1 GB boards (e.g. 1 GB Rock Pi 4) don't wedge under heavy assets (#2915)
Remote video URLs in the asset pipeline — server auto-downloads remote URLs and pushes them through the normalisation pipeline (#2912)
HDMI-CEC display on/off (experimental) — turn the connected TV on/off via CEC from settings (#2886)
Migrate-to-Screenly wizard — opt-in UI flow that pushes an existing Anthias playlist into Screenly via the v4.1 API (#2876)
Generic arm64 (Armbian) best-effort installer support (#2879)
UI-driven screen rotation — portrait / landscape toggle without editing config.txt (#2882)
x86 video playback under cage — dmabuf-wayland output with VAAPI HW decode (#2861)
Anthias outbound traffic now identifies via a User-Agent (#2897)
Release-flow split: master is testing, tagged releases are stable (#2854)

Security 🔒

CodeQL alert sweep — path-injection, URL-redirection, stack-trace-exposure (#2884)
CSRF: CSRF_TRUSTED_ORIGINS env var for host-rewriting proxies (#2901) + accept same-host Origin regardless of scheme (#2868)

Upgrade Notes 🧭

Existing Pi 5 / mainline-KMS hosts: the upgrader now bind-mounts /dev/cec0 so HDMI-CEC works after upgrade (#2938).
Legacy srly-ose-redis container is removed on upgrade (#2936).

What's Changed

Other Changes 🔧

docs(compat): clean up supported hardware references by @nicomiguelino in https://github.com/Screenly/Anthias/pull/2858
refactor(webview): inline build into viewer image as multi-stage by @vpetersson in https://github.com/Screenly/Anthias/pull/2855
refactor(ci): release flow per #2769 (master = testing, releases = stable) by @vpetersson in https://github.com/Screenly/Anthias/pull/2854
docs(website): link Screenly in footer and add tagline by @vpetersson in https://github.com/Screenly/Anthias/pull/2864
fix(ci): symlink bunx alongside bun in install script by @vpetersson in https://github.com/Screenly/Anthias/pull/2865
chore(deps-dev): bump urllib3 from 2.6.3 to 2.7.0 by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2866
fix(csrf): accept same-host Origin regardless of scheme (#2867) by @vpetersson in https://github.com/Screenly/Anthias/pull/2868
chore(deps): bump github/codeql-action from 4.35.2 to 4.35.4 in the github-actions group across 1 directory by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2860
fix(viewer): x86 video playback under cage (dmabuf-wayland + VAAPI) by @vpetersson in https://github.com/Screenly/Anthias/pull/2861
chore: drop MY_IP env-var IP injection (#2869) by @vpetersson in https://github.com/Screenly/Anthias/pull/2872
fix(splash): cover 4K displays — ship 4K master and upscale-fit by @vpetersson in https://github.com/Screenly/Anthias/pull/2874
fix(api): v1/v1.1 normalize dispatch + stuck-row reconciler (#2870) by @vpetersson in https://github.com/Screenly/Anthias/pull/2873
fix(viewer): skip deleted/deactivated asset immediately by @vpetersson in https://github.com/Screenly/Anthias/pull/2875
refactor(ansible): boot.yml as authoritative templates (incl. silent boot) by @vpetersson in https://github.com/Screenly/Anthias/pull/2810
Fix HDMI audio detection on Pi4 with dual HDMI ports by @vpetersson in https://github.com/Screenly/Anthias/pull/2811
chore(deps): bump Django to 5.2.14 and Pillow to 12.2.0 by @vpetersson in https://github.com/Screenly/Anthias/pull/2877
feat(ui): migrate-to-Screenly wizard with v4.1 API by @vpetersson in https://github.com/Screenly/Anthias/pull/2876
fix(viewer): send Accept-Language from system locale by @vpetersson in https://github.com/Screenly/Anthias/pull/2878
chore(install): replace gum with whiptail by @vpetersson in https://github.com/Screenly/Anthias/pull/2880
fix: e2e-test findings (host-agent venv, celery beat, asset GET 404) by @vpetersson in https://github.com/Screenly/Anthias/pull/2881
fix(security): address open CodeQL alerts (path-injection, url-redirection, stack-trace-exposure) by @vpetersson in https://github.com/Screenly/Anthias/pull/2884
feat(viewer): UI-driven screen rotation for portrait/landscape by @vpetersson in https://github.com/Screenly/Anthias/pull/2882
feat(install): generic-arm64 best-effort support (Armbian SBCs) by @vpetersson in https://github.com/Screenly/Anthias/pull/2879
feat(settings): experimental HDMI-CEC display on/off by @vpetersson in https://github.com/Screenly/Anthias/pull/2886
chore(deps): bump the bun group with 3 updates by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2893
chore(deps-dev): bump ansible-core from 2.19.9 to 2.20.5 by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2892
chore(deps-dev): bump pillow-heif from 1.2.1 to 1.3.0 by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2891
chore(deps-dev): bump pytz from 2025.2 to 2026.2 by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2890
chore(deps-dev): bump types-pytz from 2026.1.1.20260408 to 2026.2.0.20260506 by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2889
chore(deps-dev): bump djangorestframework from 3.16.1 to 3.17.1 by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2888
refactor: move webview/ into src/anthias_webview by @vpetersson in https://github.com/Screenly/Anthias/pull/2896
chore(cec): tidy up follow-ups from #2886 by @vpetersson in https://github.com/Screenly/Anthias/pull/2887
feat(tests): marketing screenshot testbed via integration suite by @vpetersson in https://github.com/Screenly/Anthias/pull/2895
chore(ci): replace nick-fields/retry with inline bash loop by @vpetersson in https://github.com/Screenly/Anthias/pull/2898
feat(http): identify Anthias outbound traffic with a User-Agent by @vpetersson in https://github.com/Screenly/Anthias/pull/2897
fix(csrf): CSRF_TRUSTED_ORIGINS env var for host-rewriting proxies by @vpetersson in https://github.com/Screenly/Anthias/pull/2901
feat(website): home-page screenshot slider fed from CI captures by @vpetersson in https://github.com/Screenly/Anthias/pull/2899
feat(website): deep-linkable anchors on FAQ entries by @vpetersson in https://github.com/Screenly/Anthias/pull/2903
feat(viewer,server): per-board HW decode dispatch + codec gate on upload by @vpetersson in https://github.com/Screenly/Anthias/pull/2885
feat(viewer,webview): embed QtMultimedia in AnthiasWebview, eliminate two-process DRM contention + Pi 4 drops by @vpetersson in https://github.com/Screenly/Anthias/pull/2905
fix(api,app): UI asset delete must remove the on-disk file by @vpetersson in https://github.com/Screenly/Anthias/pull/2909
fix(installer): keep dtoverlay and max_framebuffers on separate lines in config.txt by @vpetersson in https://github.com/Screenly/Anthias/pull/2911
feat(api,viewer): viewer REST shim + rename AnthiasWebview → AnthiasViewer by @vpetersson in https://github.com/Screenly/Anthias/pull/2907
feat(server,api): auto-download remote video URLs into the asset pipeline by @vpetersson in https://github.com/Screenly/Anthias/pull/2912
fix(remote_video): reject empty Content-Type on GET by @vpetersson in https://github.com/Screenly/Anthias/pull/2913
fix(rpi-imager): repair broken Anthias icon URL by @vpetersson in https://github.com/Screenly/Anthias/pull/2918
fix(ci): fetch install-bun.sh from workflow ref, not tag workspace by @vpetersson in https://github.com/Screenly/Anthias/pull/2921
fix(ci): trust @balena/compose-parser so balena deploy can parse compose by @vpetersson in https://github.com/Screenly/Anthias/pull/2922
fix(ci): use --version latest for balena os download (was: default) by @vpetersson in https://github.com/Screenly/Anthias/pull/2924
fix(ci): install balena-cli via npm so native postinstalls run by @vpetersson in https://github.com/Screenly/Anthias/pull/2925
fix(ci): x86 fleet uses generic-amd64, not genericx86-64-ext by @vpetersson in https://github.com/Screenly/Anthias/pull/2926
feat(viewer,server): 1 GB SBC enablement — low-RAM degradation gates by @vpetersson in https://github.com/Screenly/Anthias/pull/2915
chore(deps): bump idna from 3.13 to 3.15 by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2920
chore(deps-dev): bump certifi from 2026.4.22 to 2026.5.20 by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2931
chore(deps-dev): bump types-requests from 2.33.0.20260408 to 2.33.0.20260518 by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2929
chore(deps-dev): bump packaging from 26.1 to 26.2 by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2932
chore(deps-dev): bump time-machine from 2.15.0 to 3.2.0 by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2933
chore(deps-dev): bump mypy from 1.18.2 to 2.1.0 by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2930
chore(deps-dev): bump types-gunicorn from 25.3.0.20260408 to 26.0.0.20260518 by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2934
chore(deps): bump the github-actions group with 2 updates by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2935
fix(upgrade): remove legacy srly-ose-redis container by @vpetersson in https://github.com/Screenly/Anthias/pull/2936
fix(upgrade): bind-mount /dev/cec0 on Pi 5 / mainline-KMS hosts by @vpetersson in https://github.com/Screenly/Anthias/pull/2938
chore(deps-dev): bump pygit2 from 1.19.1 to 1.19.2 by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2939
chore(deps-dev): bump pytest-playwright from 0.7.2 to 0.8.0 by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2940
chore(deps-dev): bump channels from 4.3.1 to 4.3.2 by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2941
chore(deps-dev): bump psutil from 7.2.1 to 7.2.2 by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2943
chore(deps): bump the github-actions group with 4 updates by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2944
chore(deps-dev): bump pytest-xdist from 3.6.1 to 3.8.0 by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2942
chore(deps-dev): bump sass from 1.99.0 to 1.100.0 in the bun group by @dependabot[bot] in https://github.com/Screenly/Anthias/pull/2945
fix(webview): gate VideoView/QtMultimedia behind Qt6 so Qt5 boards build by @vpetersson in https://github.com/Screenly/Anthias/pull/2946

Full Changelog: https://github.com/Screenly/Anthias/compare/v2026.05.0...v2026.05.1

Breaking Changes

Legacy `srly-ose-redis` container is removed on upgrade.

Security Fixes

Addressed CodeQL alerts for path injection, URL redirection, and stack trace exposure.
CSRF mitigation: `CSRF_TRUSTED_ORIGINS` env var added; same‑host Origin accepted regardless of scheme.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Anthias

Get notified when new releases ship.

About Anthias

The world's most popular open source digital signage project.

All releases →