Oikos

v0.52.10 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 15d Productivity & Wikis

✓ No known CVEs patched

This release patches 1 known CVE

Topics

docker family family-planner home-automation planner-app privacy-first

+4 more

progressive-web-app pwa self-hosted selfhosted-apps

Affected surfaces

auth

Summary

AI summary

Fixed CalDAV calendar name display and replaced innerHTML usage for XSS safety.

Type	Severity	Summary	CVE
Security	Medium	Replaced remaining innerHTML assignments in settings.js with replaceChildren / insertAdjacentHTML to comply with XSS-safety constraint. Replaced remaining innerHTML assignments in settings.js with replaceChildren / insertAdjacentHTML to comply with XSS-safety constraint. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—
Bugfix	Medium	CalDAV calendar names displayed correctly in Settings > Synchronization. CalDAV calendar names displayed correctly in Settings > Synchronization. Source: granite4.1:8b-q6_K@2026-05-20 Confidence: high	—

Full changelog

CalDAV calendar names are now displayed correctly in Settings > Synchronization. The frontend was reading cal.url, cal.display_name, and cal.color instead of the API response fields calendarUrl, calendarName, and calendarColor. This caused blank calendar entries and a "Missing calendarUrl or enabled field" error when toggling a calendar's enabled state.
Replaced remaining innerHTML assignments in settings.js with replaceChildren / insertAdjacentHTML to comply with the project's XSS-safety constraint.

Replaced `innerHTML` assignments with `replaceChildren`/`insertAdjacentHTML` to mitigate XSS vulnerabilities.

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Track Oikos

Get notified when new releases ship.

About Oikos

Family planner for small households