Skip to content

Networking & Proxy

DNS, VPN, reverse proxies, load balancers, and service mesh tooling.

Subscribe
All Breaking Security Features
Important Recent
← Releases
Review required
caddy v2.11.4 Security relevant
Auth RBAC

Security patches + deps upgrade

Open
Upgrade now
authentik version/2026.5.2 Security relevant
Auth Breaking upgrade

Security patches + bugfixes

Open
version/2026.2.4 (6d) Security fixes + core updates
Upgrade now
bunkerweb v1.6.11 Security relevant
RCE / SSRF Breaking upgrade

nginx security fix

Open
Upgrade now
NGINX release-1.30.2 Security relevant
RCE / SSRF

Buffer overflow fix

Open
vrelease-1.31.1 (12d) CVE‑2026‑9256 buffer overflow fix
Upgrade now
unbound release-1.25.1 Security relevant
RCE / SSRF Breaking upgrade

Security fixes

Open
Review required
AdGuardHome v0.107.75 Security relevant
Dependencies Breaking upgrade

DNS privacy vulnerability fix

Open
Upgrade now
nginx-ui v2.3.11 Security relevant
Dependencies

CVE‑2026‑42945 fix

Open
Upgrade now
NGINX release-1.30.1 Security relevant
RCE / SSRF Breaking upgrade

HTTP/2 request injection fix

Open
vrelease-1.31.0 (21d) CVE fixes + forward proxy
Config change
mcp-context-forge v1.0.1 Security relevant
Auth Breaking upgrade

Production secret enforcement

patches CVE-2023-4863
Open
Upgrade now
authentik version/2025.12.5 Security relevant
Auth Breaking upgrade

Security patches

Open
Upgrade now
caddy v2.11.3 Security relevant
Auth RCE / SSRF

Security patches

Open
traefik v3.7.1 Security relevant
Security fixes
  • CVE-2026-44774 — fixed (GHSA-96qj-4jj5-wcjc)
v3.6.17 (23d) CVE-2026-44774 fix
v2.11.46 (23d) CVE-2026-44774 fix
Poweradmin v4.2.3 Security relevant
Security fixes
  • Forwarded-IP headers (`X-Forwarded-For`, `X-Real-IP`, `Client-IP`) are now only honored when the peer (`REMOTE_ADDR`) is a private or loopback address, preventing audit‑log spoofing and per‑IP rate‑limit bypass.
Notable features
  • Group‑owned zones show correct edit/delete controls
  • PostgreSQL strict typing fixes prevent zone editing/search breakage
  • Bulk record add handles CSV escaping correctly
warpgate v0.23.3 Security relevant
Security fixes
  • GHSA-rj86-hm3r-c275: SSO state parameter validation prevents session hijacking through shared return links
nginx-ui v2.3.9 Security relevant
Security fixes
  • Restricted executable nginx directives in managed config to reduce unsafe directive risks
  • Required secure session before backup restore operations
Notable features
  • Hardened config write paths to reject unsafe file names and invalid content
pi-hole v6.4.2 Security relevant
Security fixes
  • GHSA-6w8x-p785-6pm4
Notable features
  • Permission fixes for gravity system
openvpn v2.7.2 Security relevant
Security fixes
  • CVE-2026-40215: TLS handshake race condition leading to packet data leakage
  • CVE-2026-35058: Server ASSERT on malformed packet with valid tls-crypt-v2 key
Notable features
  • Management interface base64-encoded multiline password support
v2.6.20 (1mo) TLS race condition fix
strongSwan 6.0.6 Security relevant
Security fixes
  • CVE-2026-35328 (libtls supported_versions infinite loop)
  • CVE-2026-35329 (PKCS#7 container crash)
  • CVE-2026-35330 (EAP-SIM/AKA RCE)
Goshs v2.0.2 Security relevant
Security fixes
  • GHSA-rhf7-wvw3-vjvm — Fixed CSRF/CORS issue by switching ?delete and ?mkdir handlers to HTTP DELETE and POST and enforcing referer/origin header checks.
Notable features
  • Improved testing framework with extensive test additions for higher code coverage
warpgate v0.23.1 Security relevant
Security fixes
  • GHSA-f5v4-2wr6-hqmg: DoS vulnerability allowing unauthenticated users to trigger out-of-memory condition
mantrae v0.8.9 Security relevant
Security fixes
  • Traefik v3.6.11 and v3.6.12 security updates
oauth2-proxy v7.15.2 Security relevant patches GHSA-5hvv-m4w4-gf6v
Security fixes
  • CVE-2026-34986, CVE-2026-32281, CVE-2026-32289, CVE-2026-32288, CVE-2026-32280, CVE-2026-32282, CVE-2026-32283
  • GHSA-5hvv-m4w4-gf6v: Health check user-agent authentication bypass (Critical)
  • GHSA-7x63-xv5r-3p2x: X-Forwarded-Uri header spoofing authentication bypass (Critical)
Notable features
  • New --trusted-proxy-ip flag for explicit trusted reverse proxy IP configuration
Goshs v2.0.0-beta.4 Security relevant
Security fixes
  • GHSA-2943-crp8-38xx – Fixed wrong port usage in sftpserver.
  • GHSA-wvhv-qcqf-f3cx – Made .goshs auth work recursively.
Notable features
  • `?redirect` handler for intentional redirects (Issue #138)

Beta — feedback welcome: [email protected]