The Extended Stable channel has been updated to 146.0.7680.216 for Windows and Mac which will roll out over the coming days/weeks.

The Stable channel has been updated to 147.0.7727.137/138 for Windows/Mac  and 147.0.7727.137 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 30 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[$7000][494352590] Critical CVE-2026-7363: Use after free in Canvas. Reported by heapracer on 2026-03-19

[N/A][493221953] Critical CVE-2026-7361: Use after free in iOS. Reported by Google on 2026-03-16

[N/A][503419515] Critical CVE-2026-7344: Use after free in Accessibility. Reported by Google on 2026-04-16

[N/A][503645680] Critical CVE-2026-7343: Use after free in Views. Reported by Google on 2026-04-17

[$16000][493955227] High CVE-2026-7333: Use after free in GPU. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-19

[N/A][495852034] High CVE-2026-7360: Insufficient validation of untrusted input in Compositing. Reported by Google on 2026-03-24

[N/A][496284494] High CVE-2026-7359: Use after free in ANGLE. Reported by Google on 2026-03-25

[N/A][496285281] High CVE-2026-7358: Use after free in Animation. Reported by Google on 2026-03-25

[TBD][496456528] High CVE-2026-7334: Use after free in Views. Reported by Batuhan Eşref KOÇ on 2026-03-26

[N/A][497047552] High CVE-2026-7357: Use after free in GPU. Reported by Google on 2026-03-27

[N/A][497769116] High CVE-2026-7356: Use after free in Navigation. Reported by Google on 2026-03-30

[N/A][498746519] High CVE-2026-7354: Out of bounds read and write in Angle. Reported by Google on 2026-04-01

[N/A][498809718] High CVE-2026-7353: Heap buffer overflow in Skia. Reported by Google on 2026-04-01

[N/A][499023054] High CVE-2026-7352: Use after free in Media. Reported by Google on 2026-04-02

[N/A][499119490] High CVE-2026-7351: Race in MHTML. Reported by Google on 2026-04-02

[N/A][500018484] High CVE-2026-7350: Use after free in WebMIDI. Reported by Google on 2026-04-06

[N/A][500034684] High CVE-2026-7349: Use after free in Cast. Reported by Google on 2026-04-06

[N/A][500104917] High CVE-2026-7348: Use after free in Codecs. Reported by Google on 2026-04-06

[TBD][500387779] High CVE-2026-7335: Use after free in media. Reported by Jungwoo Lee (@physicube) and Wongi Lee (@_qwerty_po) on 2026-04-07

[TBD][500767595] High CVE-2026-7336: Use after free in WebRTC. Reported by Mozilla on 2026-04-09

[TBD][500880819] High CVE-2026-7337: Type Confusion in V8. Reported by q@calif.io on 2026-04-09

[N/A][501722605] High CVE-2026-7347: Use after free in Chromoting. Reported by Google on 2026-04-11

[N/A][502206907] High CVE-2026-7346: Inappropriate implementation in Tint. Reported by Google on 2026-04-13

[N/A][502248774] High CVE-2026-7345: Insufficient validation of untrusted input in Feedback. Reported by Google on 2026-04-13

[TBD][502449857] High CVE-2026-7338: Use after free in Cast. Reported by Krace on 2026-04-14

[N/A][503889643] High CVE-2026-7342: Use after free in WebView. Reported by Google on 2026-04-17

[N/A][504586599] High CVE-2026-7341: Use after free in WebRTC. Reported by Google on 2026-04-20

[$4000][493957495] Medium CVE-2026-7339: Heap buffer overflow in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-19

[$3000][497896137] Medium CVE-2026-7340: Integer overflow in ANGLE. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-30

[N/A][498285711] Medium CVE-2026-7355: Use after free in Media. Reported by Google on 2026-03-31

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.

Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

Srinivas Sista

Docker Images

Docker images have been built and pushed:

Docker Hub:

• alexta69/metube:latest
• alexta69/metube:2026.04.28

GitHub Container Registry:

• ghcr.io/alexta69/metube:latest
• ghcr.io/alexta69/metube:2026.04.28

Changes

• allow filtering out members-only videos in subscriptions (closes #971) (5d96a58)

1.5.3 (2026-04-28)

New: Help shape Bulwark Webmail. Each instance now sends a lightweight daily heartbeat (version, platform, bucketed account counts, feature toggles - never message data or PII) so we can see which platforms and features actually get used and prioritize fixes where they matter most. You're in control: opt out any time from Admin → Telemetry or by setting BULWARK_TELEMETRY=off. Full schema in the privacy notice.

Features

• Telemetry: Anonymous instance telemetry, on by default. Reports schema version, platform, bucketed account counts, and feature toggles only - disable from the admin UI, with BULWARK_TELEMETRY=off, or by clearing the endpoint
• Telemetry: Track unique logins (HMAC'd per instance, 90-day retention) so the heartbeat can report bucketed account totals without storing usernames
• Plugins: Theme API v2 with token compiler and skin slot
• Plugins: Extension preview page and detailed extension info API
• Calendar: Right-click context menu on empty calendar space
• Docker: Persistent named volume for telemetry data so the instance id and admin's consent choice survive container upgrades

Fixes

• Security: Block telemetry endpoint from pointing at internal/loopback hosts (validation + DNS-rebind re-check at fetch time)
• Security: Harden plugin config, TOTP token exchange, and branding file serving
• Mail: Batch shortcuts now act on the multi-selection when one is present (#228)

Lately, there’s been quite a bit of chatter echoing across the highways of American Truck Simulator. From truck stops to weigh stations, drivers have been exchanging stories about a certain unfamiliar rig cruising the open road. Naturally, this caught our attention!

This mysterious machine hasn’t made things easy for those trying to get a closer look. With its smooth ride and surprisingly quiet presence, it seems to come and go before anyone can properly study it. The image we’ve seen so far leaves plenty of questions unanswered, but also sparks a lot of excitement.

What we’re seeing here is a truck that keeps its secrets well. Its modern design and refined presence hint at something built with both performance and driver comfort in mind. However, details remain limited, and no one has managed to get a closer, clearer look… yet.

Reports suggest that this mysterious newcomer could be a strong contender for both long-haul journeys and regional routes alike, offering versatility for all kinds of jobs across the vast American landscape. Beyond that, though, we’ll leave the speculation up to you.

Do you think you know what it might be?

We’ll be sharing more information when the time is right. Be sure to stay connected with us on our social media channels on X/Twitter, Facebook, BlueSky, YouTube, and Instagram, and by subscribing to our newsletter so you don’t miss any future updates! Until next time, happy haulin'!

[0.16.2] - 2026-04-28

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• OIDC: Fallback to userinfo endpoint when JWT token does not contain an email claim.
• S3: verifyAfterWrite option to verify that objects have persisted after writing.

Changed

• Allow HTTP to be used for configuring the server.

Fixed

• LDAP: Generate valid credentialId when there are password changes.
• TLS: Disable cipher suited option disables wrong ciphers.
• DNS Updater:
  • BunnyDNS: Use subdomain as name of record instead of FQDN.
  • RFC2136: Chunk TXT records.
• Skip invalid entries in log files.

Check binary attestation here

Bug fixes

• validation failed when creating git sync(d7a8bc1 by @kmendell)

Full Changelog: v1.18.0...v1.18.1

1.18.1

1.18.1

1.18.1

New features

• full control over prune options (#2372 by @kmendell)
• add UI to create and edit custom templates (#2351 by @mohamedhagag)
• add raw inspect tab to container detail view (#2368 by @GiulioSavini)
• universal environment dashboard (#2241 by @kmendell)
• add dedicated healthcheck tab for containers (#2384 by @kmendell)
• resource updates overview page (#2204 by @kmendell)
• add ability to deploy Docker Swarm stacks from Git repo with GitOps updates (#2412 by @SplinterHead)

Bug fixes

• handle deferred file close errors in docker build copy helper(3cdc1dd by @kmendell)
• datetime displays now respect the app's selected locale (#2366 by @GiulioSavini)
• guard volume file browser against non-mountable driver types (#2364 by @GiulioSavini)
• actually redeploy swarm stack when saving edits (#2365 by @GiulioSavini)
• set all api endpoints to use auth by default and explicitly remove auth for public endpoints (#2377 by @kmendell)
• add version label to environment cards (#2379 by @kmendell)
• always show save button on template pages (#2402 by @GiulioSavini)
• fall back to user cache dir when /tmp is not writable (#2408 by @GiulioSavini)
• skip image update checks for services with build config (#2403 by @GiulioSavini)
• tolerate undefined env vars in GitSync compose validation (#2380 by @GiulioSavini)
• pin trivy digest to 0.70.0(686248c by @kmendell)
• null user_id for env bootstrap keys + H2 support for registry fetches (#2370 by @GiulioSavini)
• incorrect conversion of linux runtime identity types (#2410 by @kmendell)
• pre-create volumes with driver_opts before stack deploy (#2407 by @GiulioSavini)
• show host CPU/RAM in System Overview instead of Arcane container limits (#2343 by @GiulioSavini)
• compose update indicator not refreshing when a new image is pulled(e367e1f by @kmendell)

Dependencies

• bump github.com/jackc/pgx/v5 from 5.7.6 to 5.9.0 in /backend in the go_modules group across 1 directory (#2383 by @dependabot[bot])
• bump github.com/go-git/go-git/v5 from 5.17.2 to 5.18.0 in /backend in the go_modules group across 1 directory (#2388 by @dependabot[bot])
• bump github.com/docker/compose/v5 from 5.1.2 to 5.1.3 in /backend (#2398 by @dependabot[bot])
• bump charm.land/bubbletea/v2 from 2.0.2 to 2.0.6 in /cli (#2391 by @dependabot[bot])
• bump charm.land/lipgloss/v2 from 2.0.2 to 2.0.3 in /cli (#2390 by @dependabot[bot])
• bump github.com/getarcaneapp/arcane/types from 1.17.3 to 1.17.4 in /cli (#2392 by @dependabot[bot])
• bump github.com/aws/aws-sdk-go-v2/credentials from 1.19.14 to 1.19.15 in /backend (#2396 by @dependabot[bot])
• bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.57.0 to 1.57.1 in /backend (#2400 by @dependabot[bot])
• bump github.com/aws/aws-sdk-go-v2/config from 1.32.14 to 1.32.16 in /backend (#2401 by @dependabot[bot])
• bump to go 1.26.2(f01ce6c by @kmendell)
• bump github.com/jackc/pgx/v5 from 5.9.1 to 5.9.2 in /backend in the go_modules group across 1 directory (#2417 by @dependabot[bot])

Other

• remove useless assignment of bytes variables(7b610e3 by @kmendell)
• use specific cosign id token(a5fd68a by @kmendell)
• use specific cosign id token(369c7b8 by @kmendell)
• use non-interactive mode for cosign(53f286b by @kmendell)
• use manual cosign key(0995de3 by @kmendell)
• use cosign v3 syntax(1b5dd7b by @kmendell)
• simplify version info dialog(dbad484 by @kmendell)
• redesigned login screen (#2389 by @kmendell)
• use arcane/tools image for volume browser and trivy scans (#2409 by @kmendell)

Full Changelog: v1.17.4...v1.18.0

1.18.0

1.18.0

1.18.0

Bug fixes

• truncate long image refs in container table (#2318 by @GiulioSavini)
• project icons not loading when used with yaml/env aliases (#2324 by @kmendell)
• surface actual compose load error instead of generic 'no compose file found' (#2326 by @mkaltner)
• project max depth not working for filesystem discovery (#2325 by @kmendell)
• Locale selector background was inconsistent (#2348 by @RJMurg)
• light mode contrast for container stats CPU/memory monitor (#2344 by @GiulioSavini)
• keep project build context as container path so local builder can stat it (#2346 by @GiulioSavini)
• preserve webhook URL query params in generic notification provider (#2345 by @GiulioSavini)
• surface registry fetch errors in GET /templates/registries (#2355 by @GiulioSavini)
• detect provider-level failures in generic webhook notifications (#2356 by @GiulioSavini)
• skip gitops-managed projects in filesystem cleanup (#2354 by @GiulioSavini)
• Update Projects button only updates project containers (#2289 by @GiulioSavini)
• svelte reactivity issues in project editors (#2329 by @kmendell)
• send notification on single container update (#2357 by @GiulioSavini)

Dependencies

• bump github.com/mattn/go-runewidth from 0.0.22 to 0.0.23 in /cli (#2303 by @dependabot[bot])
• bump prettier from 3.8.1 to 3.8.2 (#2313 by @dependabot[bot])
• bump @codemirror/view from 6.40.0 to 6.41.0 (#2306 by @dependabot[bot])
• bump @sveltejs/kit from 2.55.0 to 2.57.1 in the npm_and_yarn group across 1 directory (#2327 by @dependabot[bot])
• bump extractions/setup-just from 3 to 4 (#2331 by @dependabot[bot])
• bump pnpm/action-setup from 5 to 6 (#2333 by @dependabot[bot])
• bump actions/github-script from 8 to 9 (#2330 by @dependabot[bot])
• bump github.com/coreos/go-oidc/v3 from 3.17.0 to 3.18.0 in /backend (#2334 by @dependabot[bot])
• bump github.com/getarcaneapp/arcane/types from 1.17.2 to 1.17.3 in /cli (#2332 by @dependabot[bot])
• bump @tanstack/svelte-query from 6.1.13 to 6.1.14 (#2336 by @dependabot[bot])
• bump golang.org/x/mod from 0.34.0 to 0.35.0 in /backend (#2335 by @dependabot[bot])
• bump svelte from 5.55.0 to 5.55.3 (#2338 by @dependabot[bot])

Other

• add missing permissions for attestations(8362f97 by @kmendell)

Full Changelog: v1.17.3...v1.17.4

1.17.4

1.5.2 (2026-04-27)

Features

• Plugins: New composer-sidebar slot and ui:composer-sidebar permission — plugins can now render a panel on either side of the New Message dialog. See repos/subway-surfers for an example
• Plugins: Manifests can declare frameOrigins — a strictly-validated list of https://host origins the plugin needs to embed. The proxy reads the union from enabled plugins and merges it into the host CSP frame-src, so the host CSP no longer needs to know about specific embed providers
• Calendar/Contacts: JMAP sharing for calendars and address books
• i18n: Czech language support

Fixes

• Security: Validate URLs before outbound fetch
• Calendar: Prevent drag creation on touch events in the time grid
• Contacts: Emit RFC 9553 name kinds and decode QUOTED-PRINTABLE in vCard import (#224, #187)
• Mail: Hide preview line in compact density to match settings preview (#223)
• Proxy: Inline matcher for Next.js proxy and drop unnecessary Node.js runtime config
• i18n: Portuguese fixes for "ficheiro" and "contactos" variants