
Oikos

v0.55.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 5d Productivity & Wikis
✓ No known CVEs patched
This release patches 1 known CVE

Topics

docker family family-planner home-automation planner-app privacy-first progressive-web-app pwa self-hosted selfhosted-apps

Affected surfaces

auth

ReleasePort's take

Moderate signal
editorial:auto 5d

The release centrally HTML‑escapes modal titles, option labels, and prompt defaults to mitigate an XSS vulnerability.

Why it matters: Severity 90 security fix eliminates XSS risk in all modal UI components; operators must deploy v0.55.0 immediately.

Summary

AI summary

Modal titles, select options, and prompt defaults are now HTML‑escaped to close an XSS vector.

Changes in this release

Security Critical

Centrally HTML-escapes modal titles, option labels, and prompt defaults to prevent XSS


Source: llm_adapter@2026-05-29

Confidence: high

Feature Low

Adds screen-reader summary for budget category chart


Source: llm_adapter@2026-05-29

Confidence: high

Bugfix Medium

Enter now submits single-line modal forms instead of advancing focus


Source: llm_adapter@2026-05-29

Confidence: high

Refactor Medium

Reworked shared modal into explicit state machine with suspend/restore helpers


Source: granite4.1:30b@2026-05-29-audit

Confidence: high

Full changelog

Added

  • Screen-reader summary for the budget category chart: The category bar chart now exposes a concise .sr-only summary (number of categories plus the largest category and its share) so assistive technologies can convey the data without parsing the purely visual bars.

Changed

  • Enter submits modal forms: Pressing Enter in a single-line field inside a modal now submits the form (the standard web convention) instead of advancing focus to the next field.
  • More robust modal lifecycle: Reworked the shared modal into an explicit state machine (idle/open/confirming/closing) with encapsulated suspend/restore helpers, hardening the unsaved-changes confirmation against double-close and back-navigation races. Behavior is otherwise unchanged.

Security

  • Escaped modal titles and option labels: Modal titles, selectModal option labels, and promptModal default values are now centrally HTML-escaped, closing an XSS vector where raw user-supplied text (e.g. a task title reused as a modal heading) was injected unescaped.

Security Fixes

  • Escaped modal titles, selectModal option labels, and promptModal default values — closes XSS vector where raw user input was injected unescaped
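
The centralised escaping described in the Security entry, sketched as an added example (not Oikos source code). The function names and the string-template rendering are assumptions, and the sample inputs are constructed; the point is that the shared modal builders escape, rather than each caller.

```javascript
// Added example; not Oikos source. All function names here are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML parsing in text
// or quoted-attribute context. null/undefined become an empty string.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before" shape: every caller is trusted to have escaped its own title.
function modalShellUnsafe(title, bodyHtml) {
  return `<div class="modal"><h2>${title}</h2>${bodyHtml}</div>`;
}

// "After" shape: the shared shell escapes the title, so no caller can forget.
function modalShell(title, bodyHtml) {
  return `<div class="modal"><h2>${escapeHtml(title)}</h2>${bodyHtml}</div>`;
}

// Option labels and values are escaped where the <option> markup is built.
function selectModalHtml(title, options) {
  const items = options
    .map((o) => `<option value="${escapeHtml(o.value)}">${escapeHtml(o.label)}</option>`)
    .join('');
  return modalShell(title, `<select>${items}</select>`);
}

// A prompt default lands inside a quoted attribute, so quotes are escaped too.
function promptModalHtml(title, defaultValue) {
  return modalShell(title, `<input type="text" value="${escapeHtml(defaultValue)}">`);
}

// Constructed sample inputs: a task title reused as a heading, and a default
// value containing a double quote that would otherwise end the attribute.
const taskTitle = 'Dinner <b>plan</b> & shopping';
const promptDefault = '6" pizza';

console.log(modalShellUnsafe(taskTitle, '')); // markup from the title is parsed
console.log(modalShell(taskTitle, ''));       // markup from the title is shown as text
console.log(promptModalHtml('Rename item', promptDefault));
console.log(selectModalHtml(taskTitle, [{ value: 'a', label: 'Fruit & <veg>' }]));
```
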


About Oikos

Family planner for small households
