posterizarr

Media Servers

Automated poster maker for Plex/Jellyfin/Emby.

PowerShell · Latest 2.2.47 · 5d ago

Features

  • User‑Friendly Web UI for managing settings and triggering runs
  • Supports multiple media servers: Plex, Jellyfin, Emby
  • Kometa integration for organized asset folder structure
  • Smart triggers from Tautulli, Sonarr, and Radarr

Recent releases

View all 33 releases →
2.2.47 Mixed · Auth · Review required

Bug fixes + security sanitization

No immediate action
2.2.46 New feature

Scheduler retries + UI status

No immediate action
2.2.45 New feature

Emby support + Season name overrides

2.2.43 Bug fix

Fixed testing mode ImageMagick errors.

Full changelog

What's Changed

  • fix: testing mode imagemagick errors by @fscorrupt in https://github.com/fscorrupt/posterizarr/pull/562

Full Changelog: https://github.com/fscorrupt/posterizarr/compare/2.2.42...2.2.43

2.2.42 Breaking risk
Security fixes
  • dep: postcss v8.5.10 — fixes XSS vulnerability caused by improper escaping of `</style>` sequences (Dependabot #561)
Notable features
  • SSRF protection for all connected services (Plex, Jellyfin, Emby, TMDB, TVDB, Webhooks)
  • Directory traversal prevention in asset upload/delete/browsing
  • Command sanitization for CLI arguments of background tasks
Full changelog

This release brings substantial under-the-hood security improvements to both the backend API and the frontend UI, along with safer logging practices.

🛡️ Security Enhancements

  • Frontend XSS Patch (Dependabot #561): Updated postcss to v8.5.10 to resolve a vulnerability where </style> sequences were improperly escaped, preventing potential Cross-Site Scripting (XSS) attacks.
  • SSRF Protection: Strengthened internal and external API request handling to block Server-Side Request Forgery attempts across all connected services (Plex, Jellyfin, Emby, TMDB, TVDB, Webhooks).
  • Directory Traversal Prevention: Hardened asset uploading, deletion, and folder browsing to strictly restrict access to designated asset directories.
  • Command Sanitization: Improved validation of CLI arguments for background tasks (like ImageMagick processing) to prevent argument injection.
  • Log Redaction: Sensitive information such as API keys, tokens, and PINs is now strictly masked in application logs and the downloadable support ZIP (only the Debug log was affected).
  • Safe Error Responses: Genericized HTTP server error responses to prevent internal path and stack trace leaks.

🐛 Bug Fixes & Chores

  • Fixed and tightened regex rules used for parsing media titles and masking URLs.
  • Improved emoji-stripping rules for filename sanitation.
  • Removed deprecated internal routing logic and optimized module imports.

What's Changed

  • Sync Main to dev by @fscorrupt in https://github.com/fscorrupt/posterizarr/pull/559
  • chore(security): comprehensive security hardening and logging improvements. by @fscorrupt in https://github.com/fscorrupt/posterizarr/pull/560
  • fix: update postcss to resolve XSS vulnerability by @fscorrupt in https://github.com/fscorrupt/posterizarr/pull/561

Full Changelog: https://github.com/fscorrupt/posterizarr/compare/2.2.41...2.2.42

About

Stars
878
Forks
34
Languages
PowerShell Python JavaScript

Install & Platforms

Platforms
linux macos windows arm64

Community & Support

Beta — feedback welcome: [email protected]