Oikos

v0.70.2 Security

This release includes 2 security fixes; both concern WebDAV document storage and are relevant to teams reviewing internet-exposed deployments.

Published 2d Productivity & Wikis
✓ No known CVEs patched
2 security fixes; the changelog lists no CVE identifiers.

Topics

docker family family-planner home-automation planner-app privacy-first progressive-web-app pwa self-hosted selfhosted-apps

Affected surfaces

auth rce_ssrf

ReleasePort's take

Moderate signal
editorial:auto 2d

WebDAV storage now rejects private, loopback, link-local and internal-DNS destinations for UI-managed targets, re-checking at socket lookup so that a DNS-rebinding answer is caught, and replaces a trailing-slash regex prone to polynomial-time backtracking with linear path processing.

Why it matters: a user-supplied WebDAV target could otherwise be pointed at loopback or internal-network services (server-side request forgery from the document-storage feature), and a crafted path in configuration could keep the regex backtracking for polynomial time (a regex denial of service). Operators who need a private-network target keep it through DOCUMENT_STORAGE_WEBDAV_URL.

Summary

AI summary

WebDAV storage rejects internal-network destinations for UI-managed targets (SSRF mitigation, re-checked at socket lookup against DNS rebinding) and replaces a trailing-slash regex prone to polynomial-time backtracking with linear path processing.

Changes in this release

Security Critical

Rejects private, loopback, link-local, internal-DNS, and DNS-rebinding destinations for WebDAV storage.

Source: llm_adapter@2026-06-10

Confidence: high
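One way to implement the two-stage check described above, as an added example in Python; it is not the project's code, and the project's language and helper names are not given on this page. The internal-suffix list, the function names and the two constructed resolvers are assumptions. The resolver is injectable so the block runs offline, and the rebinding scenario at the end shows why the check is repeated at socket lookup rather than only before persistence.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not Oikos/Yuvomi code: a two-stage destination check for
# UI-managed WebDAV targets. Stage one runs before the target is persisted;
# stage two re-runs on the addresses the resolver returns at connect time
# and pins the socket to a vetted IP.

# Suffixes treated as internal DNS zones. Assumed for the example; the
# project's own list is not given in the release notes.
INTERNAL_SUFFIXES = (".local", ".localhost", ".internal", ".lan", ".home.arpa")

class ProhibitedDestination(ValueError):
    pass

def is_prohibited_ip(ip):
    """True for anything that is not a public unicast address."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
    return (not ip.is_global or ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_multicast or ip.is_unspecified)

def resolve_all(host, resolve):
    """Every address a getaddrinfo-style resolver returns for host."""
    return [ipaddress.ip_address(sockaddr[0].split("%")[0])
            for _, _, _, _, sockaddr in resolve(host, None)]

def check_host_name(host):
    """Reject IP literals in prohibited ranges and names that look internal."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if is_prohibited_ip(ip):
            raise ProhibitedDestination(f"{host}: non-public address")
        return
    if "." not in host or host.endswith(INTERNAL_SUFFIXES):
        raise ProhibitedDestination(f"{host}: internal DNS name")

def validate_webdav_target(url, resolve=socket.getaddrinfo):
    """Stage one, before persistence. Returns the hostname to store."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ProhibitedDestination("target must be an http(s) URL with a host")
    host = parts.hostname.rstrip(".")
    check_host_name(host)
    # Resolve now as well: forms such as "127.1" or a CNAME into the LAN only
    # show up through the resolver, not in the text of the hostname.
    for ip in resolve_all(host, resolve):
        if is_prohibited_ip(ip):
            raise ProhibitedDestination(f"{host} resolves to non-public {ip}")
    return host

def connect_pinned(host, port, resolve=socket.getaddrinfo, connect=None):
    """Stage two, at socket lookup. Re-checks every address returned now and
    connects to that vetted IP, not to the name, so the answer cannot change
    between check and use (DNS rebinding)."""
    addrs = resolve_all(host, resolve)
    for ip in addrs:
        if is_prohibited_ip(ip):
            raise ProhibitedDestination(f"{host} rebound to non-public {ip}")
    if connect is None:  # real code keeps `host` for TLS SNI and the Host header
        connect = lambda ip, p: socket.create_connection((str(ip), p))
    return connect(addrs[0], port)

def accept_target(url, source, resolve=socket.getaddrinfo):
    """UI-managed targets get the full check; the operator-set
    DOCUMENT_STORAGE_WEBDAV_URL is trusted and may point into a private network."""
    if source == "env":
        return urlsplit(url).hostname
    return validate_webdav_target(url, resolve)

def static_resolver(*ips):
    """Constructed resolver with fixed answers, so the example runs offline."""
    def resolve(host, port, *args):
        return [(socket.AF_INET6 if ":" in ip else socket.AF_INET,
                 socket.SOCK_STREAM, 6, "", (ip, port or 0)) for ip in ips]
    return resolve

class RebindingResolver:
    """Constructed attacker DNS: a public answer on the first lookup (save
    time), loopback on every later lookup (connect time)."""
    def __init__(self):
        self.calls = 0

    def __call__(self, host, port, *args):
        self.calls += 1
        ip = "8.8.8.8" if self.calls == 1 else "127.0.0.1"
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port or 0))]

def is_rejected(url, resolve):
    try:
        validate_webdav_target(url, resolve)
    except ProhibitedDestination:
        return True
    return False

def rebinding_demo():
    """(saved, connect_blocked): save-time check passes, connect-time check catches it."""
    dns = RebindingResolver()
    host = validate_webdav_target("https://dav.attacker.test/", resolve=dns)
    try:
        connect_pinned(host, 443, resolve=dns, connect=lambda ip, p: str(ip))
    except ProhibitedDestination:
        return True, True
    return True, False
```

A check that runs only before persistence is defeated by a name whose answer changes after it is saved; pinning the connection to the address vetted at lookup time, rather than letting the HTTP client resolve the name again, closes that window. Note that the IPv4-mapped and CGNAT (100.64.0.0/10) cases are covered by judging the embedded address and by `is_global`, not by `is_private` alone.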

Security High

Replaces ambiguous trailing-slash regex with linear path processing for WebDAV paths.

Source: llm_adapter@2026-06-10

Confidence: high
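The before/after of this change, as an added example in Python (not the project's code). `AMBIGUOUS` is an assumed stand-in for the regex the changelog calls ambiguous: a lazy group and a slash run that can both consume the same slashes, which in a backtracking engine such as Python's `re` costs quadratic time on input shaped like `a` + n slashes + `b`. The linear normalizer beside it also rejects `..` segments; that is an addition for the example, not a documented change.

```python
import re
import time

# Added example, not Oikos/Yuvomi code. The pattern is an assumed stand-in
# for the "ambiguous trailing-slash regex" named in the release notes: the
# lazy group and the trailing '/*' can both match the same slashes, so the
# engine retries the slash run once per lazy-group expansion.
AMBIGUOUS = re.compile(r"^/*(.*?)/*$")

def strip_slashes_regex(path):
    """Regex form: strips leading and trailing slashes. On 'a' + '/'*n + 'b'
    the match takes O(n^2) steps in a backtracking engine."""
    return AMBIGUOUS.match(path).group(1)

def normalize_webdav_path(path):
    """Linear replacement: one split, one pass, no backtracking. Collapses
    repeated slashes, drops '.' segments, rejects '..' (which would escape the
    configured collection) and returns exactly one leading and trailing '/'.
    The '..' rejection is an addition for the example, not a documented change."""
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            raise ValueError("parent traversal is not allowed in a WebDAV path")
        segments.append(seg)
    return ("/" + "/".join(segments) + "/") if segments else "/"

def join_collection(base, name):
    """Join a configured collection path and a resource name without regexes."""
    return normalize_webdav_path(base) + name.strip("/")

def rejects_traversal(path):
    try:
        normalize_webdav_path(path)
    except ValueError:
        return True
    return False

def pathological_input(n):
    """Constructed attacker configuration: n slashes between two real characters."""
    return "a" + "/" * n + "b"

def time_both(n):
    """Wall-clock seconds for the regex form and the linear form on the same input."""
    s = pathological_input(n)
    t0 = time.perf_counter()
    strip_slashes_regex(s)
    t1 = time.perf_counter()
    normalize_webdav_path(s)
    t2 = time.perf_counter()
    return t1 - t0, t2 - t1

if __name__ == "__main__":
    # Doubling n roughly quadruples the regex time; the linear form stays flat.
    for n in (2_000, 8_000, 16_000):
        rx, lin = time_both(n)
        print(f"n={n:6d}  regex {rx:8.3f}s  linear {lin:8.5f}s")
```

The two forms agree on well-formed paths such as `/a/b/`; they differ on repeated internal slashes, which the regex preserves and the normalizer collapses, and on cost, which is the point of the change. Any path that comes from attacker-reachable configuration should go through a bounded-cost routine like the normalizer, and a length cap before parsing is a cheap second line of defence.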

Full changelog

Security

  • WebDAV document storage: UI-managed targets now reject private, loopback, link-local, internal-DNS, and DNS-rebinding destinations both before persistence and during socket lookup. Trusted private-network targets remain available through DOCUMENT_STORAGE_WEBDAV_URL.
  • WebDAV path normalization: replaced ambiguous trailing-slash regular expressions with linear path processing to prevent polynomial-time matching on attacker-controlled configuration.


About Oikos

Family planner for small households


Related context

Breaking changes in nearby releases

  • v0.71.3 Changes WebDAV backup default path from "/oikos/backups/" to "/yuvomi/backups/".
  • v0.66.0 Repository URL changed to `https://github.com/ulsklyc/yuvomi`.
  • v0.66.0 Docker image moved to `ghcr.io/ulsklyc/yuvomi`.
  • v0.66.0 Project renamed from Oikos to Yuvomi.
  • v0.62.0 Changes event dialog to unified sync target picker across Google and CalDAV calendars.
