• v2.5.6-hotfix e013266cba

    v2.5.6-hotfix Pre-release

    FTMahringer released this 2026-05-13 00:01:38 +02:00 | 75 commits to main since this release

    Fixed

    • CodeQL SSRF alert #10: broke the taint flow in PluginLoaderService by changing loadPlugin(Path, Plugin) → loadPlugin(Plugin), so callers can no longer pass in a JAR path
    • The JAR path is now resolved internally from the trusted storage directories (system/ and staging/), using only the plugin ID from the database
    • This removes the taint flow entirely, because the URL passed to URLClassLoader is no longer derived from external/user input
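
The shape of the change described above, as an added Java example that is not the project's own PluginLoaderService code: the old signature that lets a caller-supplied Path reach URLClassLoader, beside the new signature that accepts only the Plugin and computes the JAR location itself from system/ and staging/. The Plugin record, the storage root, the `<id>.jar` file naming and the startsWith containment check are assumptions for the illustration; the release note only states that the path is resolved from those two directories by plugin ID.

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import java.util.Optional;

/** Stand-in for the persisted plugin entity (assumed shape, not the project's class). */
record Plugin(String id, String name) {}

public class PluginLoaderExample {

    private final Path storageRoot;   // assumed: parent of the system/ and staging/ directories

    PluginLoaderExample(Path storageRoot) { this.storageRoot = storageRoot; }

    // BEFORE (the shape CodeQL flagged): the caller supplies the Path, so a value
    // derived from a request parameter can flow straight into URLClassLoader.
    @Deprecated
    ClassLoader loadPluginBefore(Path jarPath, Plugin plugin) throws IOException {
        URL[] urls = { jarPath.toUri().toURL() };   // tainted if jarPath came from user input
        return new URLClassLoader(urls, getClass().getClassLoader());
    }

    // AFTER: only the Plugin is accepted; the JAR location is computed here from the
    // trusted storage directories and the plugin ID the database gave us, so no
    // external value ever reaches the URLClassLoader sink.
    ClassLoader loadPlugin(Plugin plugin) throws IOException {
        Path jar = resolveJar(plugin.id())
                .orElseThrow(() -> new IOException("no JAR found for plugin " + plugin.id()));
        URL[] urls = { jar.toUri().toURL() };
        return new URLClassLoader(urls, getClass().getClassLoader());
    }

    /** Look for <id>.jar in system/ first, then staging/ (assumed naming and order). */
    Optional<Path> resolveJar(String pluginId) {
        for (String dir : List.of("system", "staging")) {
            Path base = storageRoot.resolve(dir).toAbsolutePath().normalize();
            Path candidate = base.resolve(pluginId + ".jar").normalize();
            // Defensive containment check: even a DB-sourced ID should not be able to
            // escape the storage tree (e.g. an ID containing "../"); normalize +
            // startsWith rejects that before the path is ever handed to a class loader.
            if (!candidate.startsWith(base)) {
                throw new IllegalArgumentException("plugin id escapes storage dir: " + pluginId);
            }
            if (Files.isRegularFile(candidate)) {
                return Optional.of(candidate);
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: a temp storage root with an empty placeholder
        // file standing in for a real plugin JAR under staging/.
        Path root = Files.createTempDirectory("plugins");
        Files.createDirectories(root.resolve("system"));
        Files.createDirectories(root.resolve("staging"));
        Files.createFile(root.resolve("staging").resolve("demo-plugin.jar"));

        PluginLoaderExample loader = new PluginLoaderExample(root);
        System.out.println("resolved: " + loader.resolveJar("demo-plugin"));
        System.out.println("unknown id: " + loader.resolveJar("missing"));
        try {
            loader.resolveJar("../../etc/passwd");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        ClassLoader cl = loader.loadPlugin(new Plugin("demo-plugin", "Demo"));
        System.out.println("loaded plugin through " + cl.getClass().getSimpleName());
    }
}
```

The point of the signature change is that the only argument is the Plugin entity, which comes from the database, not from the request. The containment check is belt-and-braces: it costs nothing and means a malformed or tampered plugin ID in the database also cannot point the loader outside system/ or staging/. Note that this closes the SSRF/path-taint finding only; code inside a legitimately resolved JAR still runs with the application's privileges, which is a separate concern from where the JAR URL comes from.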