
Oikos

v0.68.1 Security

This release includes 1 security hardening change; relevant to teams running internet-exposed deployments.

Published 3d ago · Productivity & Wikis
✓ No known CVEs patched (the changelog describes a defense-in-depth hardening, not a CVE fix)

Topics

docker, family, family-planner, home-automation, planner-app, privacy-first, progressive-web-app, pwa, self-hosted, selfhosted-apps

Affected surfaces

documents preview API (stored XSS, defense-in-depth)

ReleasePort's take

Moderate signal (editorial: auto-generated, 3d ago)

The `/api/v1/documents/:id/preview` endpoint now includes defense‑in‑depth mitigations against stored XSS.

Why it matters: the documents preview API previously served whatever `mime_type` was stored for a document and relied on the upload allowlist (which already rejects HTML and SVG) to keep active content out. The endpoint now carries its own server-side allowlist plus `X-Content-Type-Options: nosniff` and a `default-src 'none'` Content-Security-Policy, so a misclassified or otherwise smuggled file cannot execute script in the application origin even if the upload filter is bypassed. The changelog states the issue was not exploitable in 0.68.0; treat this as defense-in-depth rather than an urgent patch.

Summary

AI summary

Hardened documents preview endpoint with defense‑in‑depth against stored XSS.

Changes in this release

Security Critical

  • Hardened `/api/v1/documents/:id/preview` endpoint against stored XSS. (Source: llm_adapter@2026-06-09; confidence: low)

Security High

  • Enforced server-side MIME type allowlist for `/api/v1/documents/:id/preview` endpoint. (Source: granite4.1:30b@2026-06-09-audit; confidence: low)
  • Returns `415` for unsupported MIME types on preview endpoint. (Source: granite4.1:30b@2026-06-09-audit; confidence: low)
  • Added `X-Content-Type-Options: nosniff` header to preview responses. (Source: granite4.1:30b@2026-06-09-audit; confidence: low)
  • Applied restrictive Content-Security-Policy (`default-src 'none'`) to preview responses. (Source: granite4.1:30b@2026-06-09-audit; confidence: low)

Full changelog

Security

  • Documents preview: hardened the new GET /api/v1/documents/:id/preview endpoint with defense-in-depth against stored XSS. It now enforces its own server-side allowlist of previewable MIME types (PDF, PNG, JPEG, WebP, plain text, CSV) and returns 415 for anything else, instead of serving any stored mime_type inline. Responses additionally carry X-Content-Type-Options: nosniff and a restrictive Content-Security-Policy (default-src 'none') so no inline content can execute scripts even if a file were ever misclassified. (Not exploitable in 0.68.0 — uploads already reject HTML/SVG — but this removes the implicit dependency on the upload allowlist.)
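The following is an added example, not Oikos's own code, modelling the before/after behaviour the changelog describes for `GET /api/v1/documents/:id/preview`, plus a small checker a reviewer can run over the headers of a deployed instance. The document record shape (`{ mime_type, bytes }`), every function name and the sample records are assumptions; the allowlist, the 415 status and the two response headers are taken from the changelog. One hardening beyond the changelog, pinning `charset=utf-8` on text types, is marked as an assumption in the code.

```javascript
// Added example (not Oikos code): framework-agnostic model of the hardened
// preview endpoint. Record shape and function names are assumptions.

// Media types the endpoint will render inline (from the changelog).
const PREVIEWABLE_MIME_TYPES = new Set([
  'application/pdf',
  'image/png',
  'image/jpeg',
  'image/webp',
  'text/plain',
  'text/csv',
]);

// Headers the changelog says every preview response now carries.
const HARDENING_HEADERS = Object.freeze({
  'X-Content-Type-Options': 'nosniff',
  'Content-Security-Policy': "default-src 'none'",
});

// Reduce a stored Content-Type to its bare media type so that a value like
// "Text/HTML; charset=utf-8" cannot slip past a case-sensitive or
// parameter-naive comparison against the allowlist.
function normalizeMimeType(value) {
  if (typeof value !== 'string') return '';
  return value.split(';')[0].trim().toLowerCase();
}

// Pre-0.68.1 behaviour as the changelog describes it: whatever mime_type was
// stored is served inline, so safety depends entirely on the upload allowlist.
function previewResponseBefore(doc) {
  return {
    status: 200,
    headers: { 'Content-Type': doc.mime_type, 'Content-Disposition': 'inline' },
    body: doc.bytes,
  };
}

// 0.68.1 behaviour: the endpoint's own allowlist, 415 on a miss, and the two
// hardening headers on every response (including the 415 itself).
function previewResponseHardened(doc) {
  const mime = normalizeMimeType(doc.mime_type);
  if (!PREVIEWABLE_MIME_TYPES.has(mime)) {
    return {
      status: 415,
      headers: { ...HARDENING_HEADERS, 'Content-Type': 'text/plain; charset=utf-8' },
      body: 'Unsupported Media Type',
    };
  }
  // Assumption beyond the changelog: pin a charset on text types so the
  // browser cannot sniff an encoding (nosniff does not cover charset).
  const contentType = mime.startsWith('text/') ? `${mime}; charset=utf-8` : mime;
  return {
    status: 200,
    headers: { ...HARDENING_HEADERS, 'Content-Type': contentType, 'Content-Disposition': 'inline' },
    body: doc.bytes,
  };
}

// Reviewer check for a live deployment: pass the response headers from
// `curl -sI https://<host>/api/v1/documents/<id>/preview` as an object
// (header names in any case); returns the list of missing hardening.
function missingPreviewHardening(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v).trim();
  const missing = [];
  if (lower['x-content-type-options'] !== 'nosniff') {
    missing.push('X-Content-Type-Options: nosniff');
  }
  if (!/^default-src\s+'none'\s*(;|$)/.test(lower['content-security-policy'] || '')) {
    missing.push("Content-Security-Policy: default-src 'none'");
  }
  return missing;
}

// Constructed sample records, not real Oikos data. Records 2 and 3 are the
// kind of misclassified upload the hardening is meant to neutralise.
const SAMPLE_DOCS = [
  { id: 1, mime_type: 'application/pdf', bytes: '%PDF-1.7 ...' },
  { id: 2, mime_type: 'Text/HTML; charset=utf-8', bytes: '<script>alert(document.domain)</script>' },
  { id: 3, mime_type: 'image/svg+xml', bytes: '<svg onload="alert(1)"/>' },
];

// Status code each sample gets before and after the hardening.
function demo() {
  return SAMPLE_DOCS.map((doc) => ({
    id: doc.id,
    before: previewResponseBefore(doc).status,
    after: previewResponseHardened(doc).status,
  }));
}

console.log(demo());
```

The allowlist is compared against the normalised bare media type, so a stored value with odd casing or parameters is judged on its type alone, and the hardening headers are set on the 415 branch as well, so an error page is never an unprotected response.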

Security Fixes

  • Documents preview endpoint now enforces a server‑side allowlist (PDF, PNG, JPEG, WebP, plain text, CSV) and returns 415 for disallowed MIME types; adds `X-Content-Type-Options: nosniff` and restrictive CSP (`default-src 'none'`) to prevent stored XSS.


About Oikos

Family planner for small households


Related context

Breaking changes in other releases

  • v0.71.3 Changes WebDAV backup default path from "/oikos/backups/" to "/yuvomi/backups/".
  • v0.66.0 Repository URL changed to `https://github.com/ulsklyc/yuvomi`.
  • v0.66.0 Docker image moved to `ghcr.io/ulsklyc/yuvomi`.
  • v0.66.0 Project renamed from Oikos to Yuvomi.
  • v0.62.0 Changes event dialog to unified sync target picker across Google and CalDAV calendars.
