spupuz/VibeNVR

v1.28.6 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 21d Media Servers

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

ffmpeg lightweight local-storage nvr opensource privacy

+1 more

video-surveillance

Affected surfaces

auth

ReleasePort's take

Light signal

editorial:auto 13d

v1.28.6 fixes Camera Export NameError causing 500 errors and hardens Telegram notifications against HTML injection. Includes RTSP stability improvements and credential log redaction.

Why it matters: Fix 500-error NameError crash in exports. Address Telegram HTML injection. Apply if using camera export or Telegram integration.

Summary

AI summary

Fixed Camera Export NameError causing 500 errors, hardened Telegram notifications against HTML injection.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	Updates internal security policies and synchronizes log redaction filters for better credential protection Updates internal security policies and synchronizes log redaction filters for better credential protection Source: granite4.1:30b@2026-05-22-audit Confidence: high	—
Security	Medium	Improves credential protection via log redaction synchronization Improves credential protection via log redaction synchronization Source: llm_adapter@2026-05-21 Confidence: low	—
Performance	Medium	Reduces RAM usage by disabling pre-buffering in Passthrough mode Reduces RAM usage by disabling pre-buffering in Passthrough mode Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix
Bugfix	Medium	Fixes NameError crash in camera configuration export Fixes NameError crash in camera configuration export Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Improves RTSP stream stability for Wyze, Eufy, Reolink devices Improves RTSP stream stability for Wyze, Eufy, Reolink devices Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Prevents Telegram bot crashes from special characters in event/zone names Prevents Telegram bot crashes from special characters in event/zone names Source: llm_adapter@2026-05-21 Confidence: low	—

Full changelog

Full Changelog: https://github.com/spupuz/VibeNVR/compare/v1.28.5...v1.28.6

v1.28.6 - Stability & Notification Hardening

This release focuses on resolving critical backend bugs and optimizing stability for battery-powered cameras and Wyze devices.

🛠 Backend Fixes & Improvements

Camera Export: Resolved a NameError (missing datetime import) that caused 500 errors when exporting camera configurations.
Telegram Notifications: Hardened the notification pipeline with robust HTML escaping to prevent bot crashes caused by special characters in event or zone names.
Security: Updated internal security policies and synchronized log redaction filters for enhanced credential protection.

🚀 Engine Optimizations

Memory Efficiency: Optimized RAM utilization by disabling unnecessary pre-buffering when Passthrough recording mode is active.
Wyze & Battery Cam Stability: Introduced optimized NAL-unit parsing and adaptive retry logic to improve RTSP stream resilience for Wyze V3, Eufy, and Reolink devices.

📖 Documentation & Wiki

Troubleshooting: Added a new dedicated section in the Wiki for Wyze and battery-powered camera stability.
Security Audit: Updated SECURITY.md to reflect new token handling and log sanitization procedures.

Full Changelog: v1.28.5...v1.28.6

Security Fixes

Updated internal security policies and synchronized log redaction filters for enhanced credential protection

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track spupuz/VibeNVR

Get notified when new releases ship.

About spupuz/VibeNVR

All releases →

Related context

Related tools

Earlier breaking changes

v1.28.3 Must update docker-compose.yml with TZ variable for all services