
fireshare

v1.6.16 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 9d Media Servers
✓ No known CVEs patched
This release patches 1 known CVE

Topics

clips gaming jellyfin link-sharing media plex self-hosted transcode-video video-streaming

Affected surfaces

auth rce_ssrf

ReleasePort's take

Moderate signal
editorial:auto 9d

The release mandates authentication for the `/api/test-discord-webhook` and `/api/test-webhook` API endpoints.

Why it matters: Requires login to prevent unauthenticated SSRF attacks on those webhook endpoints; severity scored 90. Operators must enforce auth before any request hits these surfaces.

Summary

AI summary

Fixed unauthenticated SSRF by requiring login for Discord webhook endpoints.

Changes in this release

Security Critical

Requires authentication for `/api/test-discord-webhook` and `/api/test-webhook` endpoints

Source: llm_adapter@2026-06-09

Confidence: high

Feature Medium

Adds "Rescan Image / Video Dates" action in Settings to re-extract and overwrite dates using filename/EXIF metadata

Source: llm_adapter@2026-06-09

Confidence: high

Bugfix Medium

Generates metadata and posters before sending notifications during bulk import

Source: llm_adapter@2026-06-09

Confidence: high

Bugfix Medium

Uses EXIF/filename date extraction instead of file modification time for image scanning

Source: llm_adapter@2026-06-09

Confidence: high

Bugfix Medium

Fixes Discord/webhook notifications sending before video thumbnail is ready; uses fast keyframe seeking and ensures poster written before firing

Source: llm_adapter@2026-06-09

Confidence: low

Bugfix Medium

Ensures Discord/webhook notifications only fire after video thumbnail generation succeeds

Source: granite4.1:30b@2026-06-09-audit

Confidence: low

Full changelog

What's Changed

Security

  • Fixed unauthenticated SSRF: `/api/test-discord-webhook` and `/api/test-webhook` now require `@login_required`

New Features

  • Added Rescan Image / Video Dates action in Settings - re-extracts and overwrites dates for all videos and images using filename/EXIF metadata, runs in the background

Bug Fixes

  • Fixed Discord/webhook notifications sometimes sending before the video thumbnail was ready for large or high-bitrate uploads
    • Poster generation now uses fast keyframe seeking (`-ss` before `-i`) instead of full decode, preventing timeouts on large files
    • Webhooks are only fired after confirming the poster was successfully written to disk; falls back to first frame if the configured seek position fails
    • Bulk import path now generates metadata and posters before sending notifications (previously fired immediately after DB insert)
  • Image scanning now uses EXIF/filename date extraction instead of file modification time for more accurate dates

Security Fixes

  • CVE‑2024‑XXXXX – Fixed unauthenticated SSRF: `/api/test-discord-webhook` and `/api/test-webhook` now require `@login_required`


About fireshare

Self host your media and share with unique links
