v2.5.6-hotfix Pre-release
released this 2026-05-13 00:01:38 +02:00 | 75 commits to main since this release

Fixed
- CodeQL SSRF alert #10: Broke taint flow in PluginLoaderService by changing loadPlugin(Path, Plugin) → loadPlugin(Plugin)
- JAR path is now resolved internally from trusted storage directories (system/ and staging/) using only the plugin ID from the database
- This completely breaks the taint flow because the URL passed to URLClassLoader is never derived from external/user input
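The pattern described above, as an added sketch that is not the project's PluginLoaderService code: the caller supplies only a plugin ID, and the JAR URL handed to URLClassLoader is built from fixed trusted directories. The class name TrustedPluginResolver, the `<id>.jar` naming scheme, the storage root parameter and the ID pattern are assumptions made for illustration.

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import java.util.regex.Pattern;

// Illustrative sketch (hypothetical class), not the project's PluginLoaderService.
public class TrustedPluginResolver {
    // Assumption: plugin IDs are short slugs with no path separators.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,63}");

    private final List<Path> trustedDirs;

    public TrustedPluginResolver(Path storageRoot) throws IOException {
        // Only system/ and staging/ under the configured root are ever searched.
        this.trustedDirs = List.of(
                storageRoot.resolve("system").toRealPath(),
                storageRoot.resolve("staging").toRealPath());
    }

    /** Maps a database plugin ID to a JAR inside a trusted directory, or throws. */
    public Path resolveJar(String pluginId) throws IOException {
        if (pluginId == null || !SAFE_ID.matcher(pluginId).matches()) {
            throw new IllegalArgumentException("invalid plugin id");
        }
        for (Path dir : trustedDirs) {
            Path candidate = dir.resolve(pluginId + ".jar"); // assumed naming scheme
            if (!Files.isRegularFile(candidate)) {
                continue;
            }
            // toRealPath follows symlinks, so a link pointing outside dir is rejected.
            Path real = candidate.toRealPath();
            if (real.startsWith(dir)) {
                return real;
            }
        }
        throw new IOException("no trusted JAR for plugin " + pluginId);
    }

    /** The loader URL comes only from resolveJar, never from a caller-supplied path. */
    public URLClassLoader openLoader(String pluginId) throws IOException {
        URL jarUrl = resolveJar(pluginId).toUri().toURL();
        return new URLClassLoader(new URL[] {jarUrl}, getClass().getClassLoader());
    }
}
```

The ID check and the real-path containment check are defence in depth: even if a malformed ID reached the database, it could not steer the class loader outside system/ or staging/.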