
Thingsboard

v4.3.1.2 Security

This release includes 27 security fixes and is relevant to security teams reviewing exposed deployments.

Published 6d Home Automation
This release patches 27 known CVEs

Topics

big-data cloud coap-server dashboards http iiot iot iot-analytics iot-framework iot-platform iot-solutions lwm2m-server microservices middleware mqtt snmp thingsboard visualization

Affected surfaces

rce_ssrf auth breaking_upgrade

ReleasePort's take

Moderate signal
editorial:auto 6d

Release v4.3.1.2 patches several high-severity CVEs and mitigates SSRF/file-access issues in TBEL sandboxes while adding automatic TLS certificate reload without service restart.

Why it matters: CVE severity is rated 90 (critical); all deployments using Jackson components, AI model integrations, or TBEL scripts should upgrade immediately to prevent remote code execution and data exfiltration.

Summary

AI summary

Multiple CVE fixes, SSRF mitigations, and enhancements across UI, Core & Rule Engine, and Transport.

Changes in this release

  • Security, Critical: Fixed CVE-2026-34487, CVE-2026-34486, CVE-2026-34483 (source: llm_adapter@2026-05-28; confidence: high)
  • Security, Critical: Fixed multiple CVEs: 2026-39364, 2026-39363, 2026-4800 (source: llm_adapter@2026-05-28; confidence: high)
  • Security, Critical: Fixed SSRF vulnerability in AI model provider URLs (source: llm_adapter@2026-05-28; confidence: high)
  • Security, Critical: Fixed SSRF and file access vulnerabilities in TBEL script sandbox (source: llm_adapter@2026-05-28; confidence: high)
  • Security, High: Fixed CWE-770 in Jackson Core (source: granite4.1:30b@2026-05-28-audit; confidence: low)
  • Security, High: Fixed CVE-2025-70340: system alarm comments access control (source: granite4.1:30b@2026-05-28-audit; confidence: low)
  • Security, Medium: Hardened remote JS executor script invocation (source: granite4.1:30b@2026-05-28-audit; confidence: low)
  • Feature, Medium: Added automatic SSL/TLS certificate reload for transports without service restart (source: llm_adapter@2026-05-28; confidence: low)
  • Feature, Low: Added audit logging for tenant profile operations (source: granite4.1:30b@2026-05-28-audit; confidence: low)
  • Feature, Low: Added entity keys V2 endpoint with sample values (source: granite4.1:30b@2026-05-28-audit; confidence: low)
  • Feature, Low: Exposed HTTP response compression configuration parameters (source: granite4.1:30b@2026-05-28-audit; confidence: low)
  • Feature, Low: Added config property to control null ordering in dashboards (source: granite4.1:30b@2026-05-28-audit; confidence: low)
  • Feature, Low: Improved default tenant home dashboard (source: granite4.1:30b@2026-05-28-audit; confidence: low)
  • Feature, Low: Changed default "Add" button style in entity tables (source: granite4.1:30b@2026-05-28-audit; confidence: low)
  • Feature, Low: Enhanced localization: "save-to-gallery" translations (source: granite4.1:30b@2026-05-28-audit; confidence: low)
  • Feature, Low: Exposed http-utils functions via WidgetContext.httpUtils (source: granite4.1:30b@2026-05-28-audit; confidence: low)
  • Dependency, Low: Bumped Node.js version from 22.18.0 to 22.22.2 (source: granite4.1:30b@2026-05-28-audit; confidence: low)
  • Performance, Medium: Improved performance and reliability for Efento message processing (source: granite4.1:30b@2026-05-28-audit; confidence: low)
  • Performance, Medium: Added LZ4 compression support for Kafka (source: granite4.1:30b@2026-05-28-audit; confidence: low)
  • Bugfix, Medium: Fixed WS sessions limit handling for public users (source: granite4.1:30b@2026-05-28-audit; confidence: low)
  • Bugfix, Medium: Fixed REST API Call node blocking actor thread and semaphore permit leak (source: granite4.1:30b@2026-05-28-audit; confidence: low)
  • Bugfix, Medium: Fixed MAX aggregation for mixed double and long telemetry values (source: granite4.1:30b@2026-05-28-audit; confidence: low)
  • Bugfix, Low: Fixed entity filtering by boolean data key for EDQS (source: granite4.1:30b@2026-05-28-audit; confidence: low)
  • Bugfix, Low: Fixed alarm rule crash on duration source change (source: granite4.1:30b@2026-05-28-audit; confidence: low)
  • Refactor, Low: Refactored APIs to meet OpenAPI standard (source: granite4.1:30b@2026-05-28-audit; confidence: low)

Full changelog

What's Changed

Security

  • Fixed CWE-770 in Jackson Core by @zzzeebra in https://github.com/thingsboard/thingsboard/pull/15368
  • Fixed CVE-2026-34487, CVE-2026-34486, CVE-2026-34483 by @zzzeebra in https://github.com/thingsboard/thingsboard/pull/15417
  • Fixed CVE-2025-70340: system alarm comments access control by @dashevchenko in https://github.com/thingsboard/thingsboard/pull/15377
  • Fixed multiple CVEs: 2026-39364, 2026-39363, 2026-4800 by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15466
  • Fixed CVE-2026-40895 by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15538
  • Fixed CVE-2026-5588, CVE-2026-5598, CVE-2025-14813, CVE-2026-35554, CVE-2026-27314 by @zzzeebra in https://github.com/thingsboard/thingsboard/pull/15458
  • Fixed CVE-2026-40975, CVE-2026-40973, CVE-2026-22740, CVE-2026-42198 by @zzzeebra in https://github.com/thingsboard/thingsboard/pull/15557
  • Fixed SSRF vulnerability in AI model provider URLs by @zzzeebra in https://github.com/thingsboard/thingsboard/pull/15412
  • Fixed SSRF and file access vulnerabilities in TBEL script sandbox by @zzzeebra in https://github.com/thingsboard/thingsboard/pull/15585
  • Fixed CVE-2026-40682, CVE-2026-42027 by @zzzeebra in https://github.com/thingsboard/thingsboard/pull/15588
  • Fixed CVE-2026-42579, CVE-2026-42583, CVE-2026-42584, CVE-2026-42587 by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15598
  • Hardened remote JS executor script invocation by @smatvienko-tb in https://github.com/thingsboard/thingsboard/pull/15600
  • Fixed CVE-2026-41284, CVE-2026-43512 by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15649

Core & Rule Engine

  • Audit logging for tenant profile operations by @zzzeebra in https://github.com/thingsboard/thingsboard/pull/13076
  • Added entity keys V2 endpoint with sample values by @dskarzh in https://github.com/thingsboard/thingsboard/pull/15044
  • Performance and reliability improvements for Efento message processing by @dashevchenko in https://github.com/thingsboard/thingsboard/pull/15333
  • Refactored APIs to meet OpenAPI standard by @dashevchenko and @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15443
  • Exposed HTTP response compression configuration params by @dashevchenko in https://github.com/thingsboard/thingsboard/pull/15520
  • LZ4 compression support for Kafka by @volodymyr-babak in https://github.com/thingsboard/thingsboard/pull/15565
  • Fixed WS sessions limit handling for public users by @dashevchenko in https://github.com/thingsboard/thingsboard/pull/15313
  • Fixed REST API Call node blocking actor thread and semaphore permit leak by @smatvienko-tb in https://github.com/thingsboard/thingsboard/pull/15334
  • Fixed entity filtering by boolean data key for EDQS by @dashevchenko in https://github.com/thingsboard/thingsboard/pull/15457
  • Fixed alarm rule crash on duration source change by @zzzeebra in https://github.com/thingsboard/thingsboard/pull/15439
  • Fixed MAX aggregation for mixed double and long telemetry values by @dashevchenko in https://github.com/thingsboard/thingsboard/pull/15560
  • Added config property to control null ordering in dashboards by @dashevchenko in https://github.com/thingsboard/thingsboard/pull/15425

UI

  • Improved default tenant home dashboard by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15000
  • Changed default "Add" button style in entity tables by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/14984
  • Bumped Node.js version from 22.18.0 to 22.22.2 by @ViacheslavKlimov in https://github.com/thingsboard/thingsboard/pull/15330
  • Enhanced localization: "save-to-gallery" translations by @deaflynx in https://github.com/thingsboard/thingsboard/pull/15339
  • Exposed http-utils functions via WidgetContext.httpUtils by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15395
  • Added roundDown option to ShortNumberPipe by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15393
  • HTML container widget by @ikulikov in https://github.com/thingsboard/thingsboard/pull/15556
  • Hidden "Add Telemetry" button for Entity view by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15362
  • Added '@angular/core/rxjs-interop' to modules map by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15373
  • Fixed Datasource determination for autocomplete patterns if datasource is empty by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15340
  • Fixed hint alignment for propagate alarm rule field by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15360
  • Fixed missing 'type' property in alarm rule condition on save by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15392
  • Fixed select options being clipped in widget settings form by @vvlladd28 in https://github.com/thingsboard/thingsboard/pull/15399
  • Fixed translation for Asset and Device profile by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15421
  • Removed "Alarm rules" step from setting up device profile by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15422
  • Fixed display of long texts in Alarm assignee panel by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15408
  • Fixed Alarm Assignee icon placement by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15423
  • Adjusted size of entity type select to fit error message by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15427
  • Fixed show/hide of custom header actions when using function to control visibility by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15430
  • Fixed pageSize not being set for child nodes in Entities hierarchy widget by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15433
  • Fixed aggregation keys not being processed in Entities hierarchy widget by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15434
  • Fixed icon placement in Value stepper icon by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15489
  • Fixed display column panel hiding not selectable columns by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15490
  • Fixed map shape labels drifting from center after viewport resize by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15531
  • Map widget: fixed data aggregation for additional data keys and import/export widget JSON for polylines layer by @ChantsovaEkaterina in https://github.com/thingsboard/thingsboard/pull/15579
  • Fixed CSV import not unescaping double quotes in unquoted fields by @ChantsovaEkaterina in https://github.com/thingsboard/thingsboard/pull/15581
  • Removed unnecessary DomSanitizer bypass in photo camera input widget by @mtsymbarov-del in https://github.com/thingsboard/thingsboard/pull/15639

Transport

  • Added automatic SSL/TLS certificate reload for transports without service restart by @AndriiLandiak in https://github.com/thingsboard/thingsboard/pull/15301
  • Fixed app hanging on MQTT port conflict at startup by @zzzeebra in https://github.com/thingsboard/thingsboard/pull/15451
  • SNMP: defer querying tasks until transport session is registered by @volodymyr-babak in https://github.com/thingsboard/thingsboard/pull/15346

Edge

  • Added syncInProgress as edge attribute by @volodymyr-babak in https://github.com/thingsboard/thingsboard/pull/15111
  • API key edge sync support by @volodymyr-babak in https://github.com/thingsboard/thingsboard/pull/15167

Full Changelog: https://github.com/thingsboard/thingsboard/compare/v4.3.1.1...v4.3.1.2



About Thingsboard

Open-source IoT Platform - Device management, data collection, processing and visualization.
