Week of May 11–17, 2026
459 releases 89 breaking 55 security 9 tools featured
openproject v17.4.0, dolibarr 23.0.3, passbolt_api v5.12.0, rallly v4.10.1, and langchain‑core ==1.4.0 patch high‑severity IDOR and dependency vulnerabilities this week.
Editor's Picks
Passbolt Community Edition (CE) API.
Fixes critical lodash package vulnerability (PB-50340).
Read full release →The agent engineering platform
Upgrades pygments to >=2.20.0 for CVE-2026-4539
Read full release →OpenProject is the leading open source project management software.
IDOR in PATCH request to /api/v3/documents/{id} lets users modify foreign project documents by setting project_id before authorization checks.
Read full release →Open-source Jira, Linear, Monday, and ClickUp alternative.
Prevent ORM field injection via analytics segment parameter.
Read full release →Rallly is an open-source scheduling and collaboration tool designed to make organizing events...
Patches Next.js May 2026 security advisory and CVE-2026-23870 (React Server Components DoS).
Read full release →Category Pulse
Archive
Security & Auth tools · 12 releases +
-
voidauth v1.12.4 feature
Loading Spinner Logic updated to not always show
-
teleport v18.8.1 bugfix
Fix sudoers entry creation
-
Checkov 3.2.529 bugfix
Include 90-day boundary in Terraform rotation check CKV_AWS_304
-
Ghidra Ghidra_12.1_build maintenance
Routine maintenance and dependency updates.
-
passbolt_api v5.12.0 security
Fixes critical lodash package vulnerability (PB-50340).
Show low-signal releases (1)
-
cap [email protected] bugfix
Bug fixes and stability improvements.
AI & Machine Learning · 30 releases +
-
graphify v0.8.10 bugfix
save_manifest data loss fix
-
casibase v2.8.3 bugfix
i18n dark mode fix
-
Toad v0.6.18 bugfix
OpenCode fix
-
Upsonic v0.77.2 bugfix
Chat & messages bugfix
-
LocalAI v4.2.5 bugfix
Ollama nil filter fix
Infrastructure · 14 releases +
-
dockhand v1.0.29 bugfix
update buttons respect the 'confirm dangerous actions' setting
-
arcane v1.19.2 bugfix
Session persistence across upgrades
-
netbird v0.71.2 bugfix
Registry cleanup
-
daytona v0.177.0 bugfix
Daemon process reap fix
-
seaweedfs 4.25 bugfix
Admin UI fix
Show low-signal releases (1)
-
Salt v3008.0rc4 unknown
Observability · 11 releases +
-
Pulse v5.1.31 bugfix
Fixed stable installer release resolver for machines without jq.
-
Nezha v2.0.8 bugfix
Fix OnUserDelete
-
langfuse v3.174.1 maintenance
Routine maintenance and dependency updates.
-
loki v3.7.2 bugfix
Ruler panic fix
-
oneuptime 10.2.8 bugfix
Metric attributes loading fixed
Show low-signal releases (1)
-
opik 2.0.37 bugfix
Performance improvement
Developer Tools · 3 releases +
-
chhoto-url 7.0.4 bugfix
Cookie session expiration fix
-
cmux v0.64.6 bugfix
Swift interpolation fix
-
buildkit dockerfile/1.24.0 bugfix
LABEL leakage fix
CI/CD · 9 releases +
-
CI‑pending state handling
-
ArgoCD v3.2.12 bugfix
URL validation + log overflow fix
-
dokku v0.38.5 bugfix
Port mapping preservation
-
Concourse v8.2.1 bugfix
Handle all IPv4 loopback resolvers
-
werf v2.68.2 bugfix
Deploy retries on webhook unavailable error
Self-Hosted · 28 releases +
-
ganymede v4.17.0 feature
Automated scripts can use API keys managed at Admin > API Keys.
-
filebrowser v2.63.4 bugfix
show item shares from all users to admins
-
hoodik v1.15.3 bugfix
selection count in toolbar fixed
-
portabase 1.15.1 maintenance
Routine maintenance and dependency updates.
-
bichon 1.0.2 bugfix
Dashboard card fix + mailbox selection
Show low-signal releases (1)
-
wekan v9.21 bugfix
Bug fixes and stability improvements.
Data & Databases · 2 releases +
-
memgraph v3.10.1 bugfix
Docker startup fix
-
dolt v2.0.3 bugfix
Remote DB cache removal
Show low-signal releases (2)
-
vector vdev-v0.3.3 unknown
-
ClickHouse v26.1.12.23-stable unknown
MCP Servers · 1 release +
-
relaticle v3.2.7 feature
i18n readiness Phase 1 — Filament admin app added
Get the weekly brief in your inbox. No spam, just software releases that matter.
Subscribe