This release includes 1 security fix for security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal: The v1.3.0 release prevents full-read SSRF attacks via the "from url" feature.
Why it matters: Mitigates high‑severity (95) server‑side request forgery risk on URL‑based downloads; immediate mitigation is required for affected deployments.
Summary
AI summary: Updates feat, Version Information, and Updated Tags across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical | Prevents full-read SSRF attacks via "from url" feature. | — |
| Feature | Medium | Adds PDF to DOCX conversion support. | — |
| Feature | Medium | Adds support for custom OIDC username claims. | — |
| Feature | Medium | Adds Chinese (zh-CN) language support with translations. | — |
| Feature | Medium | Adds SHA256 verification for downloaded artifacts in Dockerfile. | — |
| Feature | Medium | Adds customizable datetime display format. | — |
| Feature | Medium | Displays datetime in the browser's locale. | — |
| Dependency | Low | Updates Calibre and Draw.io versions in Dockerfile. | — |
| Bugfix | Low | Updates Dockerfile Calibre download URL to official site. | — |
| Bugfix | Low | Updates fr.json translation file. | — |

Source for all entries: llm_adapter@2026-06-02. Confidence: high.
Full changelog
Security Patch: In previous versions full-read SSRF attacks are possible using the "from url" feature, please update promptly. Thanks for responsibly reporting @tonghuaroot!
Changes
- security: add SSRF prevention to url based downloads Co-authored-by: tonghuaroot [email protected] (be1698c)
- feat: add PDF to DOCX conversion support (#170) (dbbc69e)
- feat: add support for custom OIDC username claims (#164) (dd12da9)
- feat: add Chinese (zh-CN) language support with translations (AI assisted) (f3e8f9d)
- feat: add SHA256 verification for downloaded artifacts in Dockerfile (bdd9b50)
- feat: add customizable datetime display format (#167) (609224b)
- feat: display datetime in the browser's locale (#167) (89056fa)
- chore: update Calibre and Draw.io versions in Dockerfile (fixes #165 and fixes #166) (3c81aee)
- fix: update Dockerfile Calibre download URL to official site (dd10d2a)
- fix: Update fr.json (9e52a53 & 68c6505)
Version Information
- Full version: v1.3.0
- Minor version tag: v1.3
- Major version tag: v1
Updated Tags
- v1.3 → v1.3.0 (created)
- v1 → v1.3.0 (updated)
Security Fixes
- SSRF prevention added to URL‑based downloads; fixes full-read SSRF vulnerability reported by @tonghuaroot