
ktistec

Communication & Email

An ActivityPub server designed for small trusted groups with minimal dependencies (SQLite) and rich posting features

Language: Crystal · Latest release: v3.4.0 (6d ago)

Features

  • ActivityPub server optimized for tiny, admin‑only communities
  • Uses SQLite instead of heavy services like PostgreSQL+Redis
  • Rich text and Markdown editors with image support and focal‑point handling
  • Draft posts that autosave until published
  • Threaded replies with analysis (key participants, timeline histogram, notable branches)
  • Built‑in poll creation and voting

Recent releases

14 releases in total; the most recent are summarized below, oldest-to-newest labels as the page assigns them (risk, recommended action, area tags).

  • v3.4.0 (Breaking risk; no immediate action): Removed paginated queries
  • v3.3.9 (Security relevant; review required; tag: Auth): DNS rebinding + HTTP body limits
  • v3.3.8 (New feature; review required; tags: Auth, RBAC): String safety + Slang engine

v3.3.7 New feature
Security fixes
  • Prevent pinning of private objects and auto-unpin them
  • Remove `href` attributes with unsafe schemes from sanitized HTML
  • Escape interpolated values in view helpers and actor icon refresh
Notable features
  • Sliding token expiration for OAuth2 access tokens
  • Mastodon-compatible API endpoint `/api/v1/accounts/update_credentials`
Full changelog

Added

  • Sliding token expiration for OAuth2 access tokens.
  • Mastodon-compatible API: /api/v1/accounts/update_credentials endpoint.
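
Sliding expiration means each accepted use of an access token pushes its expiry forward; the check a practitioner wants alongside it is an absolute lifetime cap, otherwise a token that is used regularly never expires at all. The block below is an added Python example, not ktistec's own implementation, and the window and cap values (7 days idle, 90 days absolute) are assumptions chosen for illustration; ktistec's actual defaults are not stated on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy values for this example (not ktistec's defaults).
IDLE_WINDOW = timedelta(days=7)     # a token unused for this long expires
MAX_LIFETIME = timedelta(days=90)   # no amount of use extends past this


@dataclass
class AccessToken:
    issued_at: datetime
    expires_at: datetime
    revoked: bool = False


def issue(now: datetime) -> AccessToken:
    """Mint a token whose first expiry is one idle window from now."""
    return AccessToken(issued_at=now, expires_at=now + IDLE_WINDOW)


def touch(token: AccessToken, now: datetime) -> bool:
    """Validate a token on use and slide its expiry. Returns True if accepted.

    Order matters: reject first, then extend, so an already-expired or revoked
    token can never be resurrected by the request that presents it.
    """
    if token.revoked or now >= token.expires_at:
        return False
    hard_stop = token.issued_at + MAX_LIFETIME
    if now >= hard_stop:
        return False
    # Slide forward, but clamp to the absolute lifetime.
    token.expires_at = min(now + IDLE_WINDOW, hard_stop)
    return True


# Fixed reference instant so the demo (and any test) is deterministic.
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)


def at(day_offset: int) -> datetime:
    return T0 + timedelta(days=day_offset)


def days_until_dead_under_daily_use() -> int:
    """Simulate a client that uses its token once a day; return the day it stops working."""
    token = issue(T0)
    day = 0
    while True:
        day += 1
        if not touch(token, at(day)):
            return day


if __name__ == "__main__":
    tok = issue(T0)
    print("accepted on day 6:", touch(tok, at(6)), "-> expires", tok.expires_at)
    print("accepted on day 21 (idle 15 days):", touch(tok, at(21)))
    print("daily-use token dies on day", days_until_dead_under_daily_use())
```

The clamp in `touch` is the whole point: without `hard_stop`, a compromised token that is replayed at least once per idle window stays valid indefinitely.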

Fixed

  • Prevent pinning of (and auto-unpin) private objects.
  • Don't save a quote if the quoted actor cannot be dereferenced.
  • Fix rendering of federated actor profile attachment values.
  • Remove href attributes with unsafe schemes from sanitized HTML.
  • Escape interpolated values in view helpers and the actor icon streaming refresh.
  • Restrict upload extensions and serve uploads with X-Content-Type-Options: nosniff.
  • Escape publicKey and scrub Tag.href.
  • Sanitizer no longer permits single-quote attribute injection.
  • Ensure bearer-token sessions cannot reach the web UI.
  • Require client authentication on the OAuth token endpoint.
v3.3.6 Security
Security fixes
  • Prevented SSRF when dereferencing externally supplied IRIs
Notable features
  • Deferred downloading of script files
  • Deferred loading of image, video, and audio attachments
Full changelog

Fixed

  • Prevent SSRF when dereferencing externally supplied IRIs.
  • Timeline entry no longer becomes stale when an announce is undone.
  • Correctly represent boosted posts on the home timeline in API clients.

Changed

  • Defer downloading of script files.
  • Defer loading of image, video, and audio attachments.
  • Move poll vote notification for voters into the outbox processor.
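
An ActivityPub server dereferences IRIs that remote, untrusted actors supply, which is exactly the SSRF surface the v3.3.6 fix addresses, and the v3.3.9 entry (DNS rebinding + HTTP body limits) names the two follow-on problems: a hostname that passes the check can resolve to 127.0.0.1 on the second lookup, and a hostile peer can answer with an unbounded body. The block below is an added Python example of the combined check; it is not ktistec's code, and the resolver hook, the `FAKE_DNS` table and the IP addresses in it are constructed so the validation runs offline. The rule it implements: validate the scheme, reject userinfo and any non-public address in the entire DNS answer, then connect to the vetted IP while keeping the original host name for SNI and `Host`, follow no redirects automatically, and cap the bytes read.

```python
import ipaddress
import socket
import ssl
from typing import Callable, List, NamedTuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_BODY_BYTES = 1_000_000  # assumed limit for this example


def is_public_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # judge ::ffff:10.0.0.5 as 10.0.0.5
    return addr.is_global and not addr.is_multicast


def system_resolve(host: str) -> List[str]:
    """Every address in the answer, deduplicated; the caller vets all of them."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


class Target(NamedTuple):
    scheme: str
    host: str
    port: int
    ip: str    # the one vetted address we will actually connect to
    path: str


def resolve_public_target(iri: str, resolve: Callable[[str], List[str]] = system_resolve) -> Target:
    """Validate an externally supplied IRI and pin it to a vetted public IP."""
    parts = urlsplit(iri)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("unsupported scheme %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal address, no DNS
    except ValueError:
        ips = resolve(host)
    if not ips:
        raise ValueError("%s does not resolve" % host)
    for ip in ips:  # an attacker controls the whole answer, so check all of it
        if not is_public_ip(ip):
            raise ValueError("%s resolves to non-public address %s" % (host, ip))
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    return Target(parts.scheme, host, port, ips[0], path)


def read_capped(recv: Callable[[int], bytes], max_bytes: int) -> bytes:
    """Drain recv() until EOF, refusing anything larger than max_bytes."""
    chunks, total = [], 0
    while True:
        chunk = recv(65536)
        if not chunk:
            return b"".join(chunks)
        total += len(chunk)
        if total > max_bytes:
            raise ValueError("response exceeds %d bytes" % max_bytes)
        chunks.append(chunk)


def pinned_fetch(t: Target, timeout: float = 10.0) -> bytes:
    """Connect to t.ip (never re-resolve t.host: a rebinding resolver may answer
    127.0.0.1 the second time) while presenting t.host in SNI and Host.
    Redirects are not followed; a caller must run resolve_public_target on
    each Location value before fetching it."""
    sock = socket.create_connection((t.ip, t.port), timeout=timeout)
    if t.scheme == "https":
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=t.host)
    req = ("GET %s HTTP/1.1\r\nHost: %s\r\nAccept: application/activity+json\r\n"
           "Connection: close\r\n\r\n" % (t.path, t.host)).encode("ascii")
    with sock:
        sock.sendall(req)
        return read_capped(sock.recv, MAX_BODY_BYTES)


# Constructed answers for an offline demonstration (not real DNS data).
FAKE_DNS = {
    "remote.example": ["8.8.8.8"],
    "rebind.example": ["8.8.8.8", "127.0.0.1"],   # split answer
    "mapped.example": ["::ffff:10.0.0.5"],         # IPv4-mapped private
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def chunked_recv(chunks: List[bytes]) -> Callable[[int], bytes]:
    """Offline stand-in for socket.recv, replaying constructed chunks."""
    it = iter(chunks)
    return lambda n: next(it, b"")


if __name__ == "__main__":
    print(resolve_public_target("https://remote.example/actor", resolve=fake_resolve))
    for bad in ["https://rebind.example/x", "http://169.254.169.254/latest/",
                "http://[::1]/", "https://user@remote.example/"]:
        try:
            resolve_public_target(bad, resolve=fake_resolve)
        except ValueError as e:
            print("rejected:", bad, "->", e)
```

`pinned_fetch` is the part that defeats rebinding: the address passed to `create_connection` is the one that was checked, and the host name is used only for SNI and the `Host` header. Using a high-level HTTP client that takes the URL string would resolve the name a second time and lose that guarantee.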


About

Stars: 430 · Forks: 23 · Languages: Crystal, Slang, JavaScript
