The Extended Stable channel has been updated to 146.0.7680.216 for Windows and Mac which will roll out over the coming days/weeks.

The Stable channel has been updated to 147.0.7727.137/138 for Windows/Mac  and 147.0.7727.137 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 30 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[$7000][494352590] Critical CVE-2026-7363: Use after free in Canvas. Reported by heapracer on 2026-03-19

[N/A][493221953] Critical CVE-2026-7361: Use after free in iOS. Reported by Google on 2026-03-16

[N/A][503419515] Critical CVE-2026-7344: Use after free in Accessibility. Reported by Google on 2026-04-16

[N/A][503645680] Critical CVE-2026-7343: Use after free in Views. Reported by Google on 2026-04-17

[$16000][493955227] High CVE-2026-7333: Use after free in GPU. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-19

[N/A][495852034] High CVE-2026-7360: Insufficient validation of untrusted input in Compositing. Reported by Google on 2026-03-24

[N/A][496284494] High CVE-2026-7359: Use after free in ANGLE. Reported by Google on 2026-03-25

[N/A][496285281] High CVE-2026-7358: Use after free in Animation. Reported by Google on 2026-03-25

[TBD][496456528] High CVE-2026-7334: Use after free in Views. Reported by Batuhan Eşref KOÇ on 2026-03-26

[N/A][497047552] High CVE-2026-7357: Use after free in GPU. Reported by Google on 2026-03-27

[N/A][497769116] High CVE-2026-7356: Use after free in Navigation. Reported by Google on 2026-03-30

[N/A][498746519] High CVE-2026-7354: Out of bounds read and write in Angle. Reported by Google on 2026-04-01

[N/A][498809718] High CVE-2026-7353: Heap buffer overflow in Skia. Reported by Google on 2026-04-01

[N/A][499023054] High CVE-2026-7352: Use after free in Media. Reported by Google on 2026-04-02

[N/A][499119490] High CVE-2026-7351: Race in MHTML. Reported by Google on 2026-04-02

[N/A][500018484] High CVE-2026-7350: Use after free in WebMIDI. Reported by Google on 2026-04-06

[N/A][500034684] High CVE-2026-7349: Use after free in Cast. Reported by Google on 2026-04-06

[N/A][500104917] High CVE-2026-7348: Use after free in Codecs. Reported by Google on 2026-04-06

[TBD][500387779] High CVE-2026-7335: Use after free in media. Reported by Jungwoo Lee (@physicube) and Wongi Lee (@_qwerty_po) on 2026-04-07

[TBD][500767595] High CVE-2026-7336: Use after free in WebRTC. Reported by Mozilla on 2026-04-09

[TBD][500880819] High CVE-2026-7337: Type Confusion in V8. Reported by q@calif.io on 2026-04-09

[N/A][501722605] High CVE-2026-7347: Use after free in Chromoting. Reported by Google on 2026-04-11

[N/A][502206907] High CVE-2026-7346: Inappropriate implementation in Tint. Reported by Google on 2026-04-13

[N/A][502248774] High CVE-2026-7345: Insufficient validation of untrusted input in Feedback. Reported by Google on 2026-04-13

[TBD][502449857] High CVE-2026-7338: Use after free in Cast. Reported by Krace on 2026-04-14

[N/A][503889643] High CVE-2026-7342: Use after free in WebView. Reported by Google on 2026-04-17

[N/A][504586599] High CVE-2026-7341: Use after free in WebRTC. Reported by Google on 2026-04-20

[$4000][493957495] Medium CVE-2026-7339: Heap buffer overflow in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-19

[$3000][497896137] Medium CVE-2026-7340: Integer overflow in ANGLE. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-30

[N/A][498285711] Medium CVE-2026-7355: Use after free in Media. Reported by Google on 2026-03-31

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.

Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

Srinivas Sista

Docker Images

Docker images have been built and pushed:

Docker Hub:

• alexta69/metube:latest
• alexta69/metube:2026.04.28

GitHub Container Registry:

• ghcr.io/alexta69/metube:latest
• ghcr.io/alexta69/metube:2026.04.28

Changes

• allow filtering out members-only videos in subscriptions (closes #971) (5d96a58)

1.5.3 (2026-04-28)

New: Help shape Bulwark Webmail. Each instance now sends a lightweight daily heartbeat (version, platform, bucketed account counts, feature toggles - never message data or PII) so we can see which platforms and features actually get used and prioritize fixes where they matter most. You're in control: opt out any time from Admin → Telemetry or by setting BULWARK_TELEMETRY=off. Full schema in the privacy notice.

Features

• Telemetry: Anonymous instance telemetry, on by default. Reports schema version, platform, bucketed account counts, and feature toggles only - disable from the admin UI, with BULWARK_TELEMETRY=off, or by clearing the endpoint
• Telemetry: Track unique logins (HMAC'd per instance, 90-day retention) so the heartbeat can report bucketed account totals without storing usernames
• Plugins: Theme API v2 with token compiler and skin slot
• Plugins: Extension preview page and detailed extension info API
• Calendar: Right-click context menu on empty calendar space
• Docker: Persistent named volume for telemetry data so the instance id and admin's consent choice survive container upgrades

Fixes

• Security: Block telemetry endpoint from pointing at internal/loopback hosts (validation + DNS-rebind re-check at fetch time)
• Security: Harden plugin config, TOTP token exchange, and branding file serving
• Mail: Batch shortcuts now act on the multi-selection when one is present (#228)

Lately, there’s been quite a bit of chatter echoing across the highways of American Truck Simulator. From truck stops to weigh stations, drivers have been exchanging stories about a certain unfamiliar rig cruising the open road. Naturally, this caught our attention!

This mysterious machine hasn’t made things easy for those trying to get a closer look. With its smooth ride and surprisingly quiet presence, it seems to come and go before anyone can properly study it. The image we’ve seen so far leaves plenty of questions unanswered, but also sparks a lot of excitement.

What we’re seeing here is a truck that keeps its secrets well. Its modern design and refined presence hint at something built with both performance and driver comfort in mind. However, details remain limited, and no one has managed to get a closer, clearer look… yet.

Reports suggest that this mysterious newcomer could be a strong contender for both long-haul journeys and regional routes alike, offering versatility for all kinds of jobs across the vast American landscape. Beyond that, though, we’ll leave the speculation up to you.

Do you think you know what it might be?

We’ll be sharing more information when the time is right. Be sure to stay connected with us on our social media channels on X/Twitter, Facebook, BlueSky, YouTube, and Instagram, and by subscribing to our newsletter so you don’t miss any future updates! Until next time, happy haulin'!

[0.16.2] - 2026-04-28

If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.

Added

• OIDC: Fallback to userinfo endpoint when JWT token does not contain an email claim.
• S3: verifyAfterWrite option to verify that objects have persisted after writing.

Changed

• Allow HTTP to be used for configuring the server.

Fixed

• LDAP: Generate valid credentialId when there are password changes.
• TLS: Disable cipher suited option disables wrong ciphers.
• DNS Updater:
  • BunnyDNS: Use subdomain as name of record instead of FQDN.
  • RFC2136: Chunk TXT records.
• Skip invalid entries in log files.

Check binary attestation here

Bug fixes

• validation failed when creating git sync(d7a8bc1 by @kmendell)

Full Changelog: v1.18.0...v1.18.1

1.18.1

1.18.1

1.18.1

New features

• full control over prune options (#2372 by @kmendell)
• add UI to create and edit custom templates (#2351 by @mohamedhagag)
• add raw inspect tab to container detail view (#2368 by @GiulioSavini)
• universal environment dashboard (#2241 by @kmendell)
• add dedicated healthcheck tab for containers (#2384 by @kmendell)
• resource updates overview page (#2204 by @kmendell)
• add ability to deploy Docker Swarm stacks from Git repo with GitOps updates (#2412 by @SplinterHead)

Bug fixes

• handle deferred file close errors in docker build copy helper(3cdc1dd by @kmendell)
• datetime displays now respect the app's selected locale (#2366 by @GiulioSavini)
• guard volume file browser against non-mountable driver types (#2364 by @GiulioSavini)
• actually redeploy swarm stack when saving edits (#2365 by @GiulioSavini)
• set all api endpoints to use auth by default and explicitly remove auth for public endpoints (#2377 by @kmendell)
• add version label to environment cards (#2379 by @kmendell)
• always show save button on template pages (#2402 by @GiulioSavini)
• fall back to user cache dir when /tmp is not writable (#2408 by @GiulioSavini)
• skip image update checks for services with build config (#2403 by @GiulioSavini)
• tolerate undefined env vars in GitSync compose validation (#2380 by @GiulioSavini)
• pin trivy digest to 0.70.0(686248c by @kmendell)
• null user_id for env bootstrap keys + H2 support for registry fetches (#2370 by @GiulioSavini)
• incorrect conversion of linux runtime identity types (#2410 by @kmendell)
• pre-create volumes with driver_opts before stack deploy (#2407 by @GiulioSavini)
• show host CPU/RAM in System Overview instead of Arcane container limits (#2343 by @GiulioSavini)
• compose update indicator not refreshing when a new image is pulled(e367e1f by @kmendell)

Dependencies

• bump github.com/jackc/pgx/v5 from 5.7.6 to 5.9.0 in /backend in the go_modules group across 1 directory (#2383 by @dependabot[bot])
• bump github.com/go-git/go-git/v5 from 5.17.2 to 5.18.0 in /backend in the go_modules group across 1 directory (#2388 by @dependabot[bot])
• bump github.com/docker/compose/v5 from 5.1.2 to 5.1.3 in /backend (#2398 by @dependabot[bot])
• bump charm.land/bubbletea/v2 from 2.0.2 to 2.0.6 in /cli (#2391 by @dependabot[bot])
• bump charm.land/lipgloss/v2 from 2.0.2 to 2.0.3 in /cli (#2390 by @dependabot[bot])
• bump github.com/getarcaneapp/arcane/types from 1.17.3 to 1.17.4 in /cli (#2392 by @dependabot[bot])
• bump github.com/aws/aws-sdk-go-v2/credentials from 1.19.14 to 1.19.15 in /backend (#2396 by @dependabot[bot])
• bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.57.0 to 1.57.1 in /backend (#2400 by @dependabot[bot])
• bump github.com/aws/aws-sdk-go-v2/config from 1.32.14 to 1.32.16 in /backend (#2401 by @dependabot[bot])
• bump to go 1.26.2(f01ce6c by @kmendell)
• bump github.com/jackc/pgx/v5 from 5.9.1 to 5.9.2 in /backend in the go_modules group across 1 directory (#2417 by @dependabot[bot])

Other

• remove useless assignment of bytes variables(7b610e3 by @kmendell)
• use specific cosign id token(a5fd68a by @kmendell)
• use specific cosign id token(369c7b8 by @kmendell)
• use non-interactive mode for cosign(53f286b by @kmendell)
• use manual cosign key(0995de3 by @kmendell)
• use cosign v3 syntax(1b5dd7b by @kmendell)
• simplify version info dialog(dbad484 by @kmendell)
• redesigned login screen (#2389 by @kmendell)
• use arcane/tools image for volume browser and trivy scans (#2409 by @kmendell)

Full Changelog: v1.17.4...v1.18.0

1.18.0

1.18.0

1.18.0

Bug fixes

• truncate long image refs in container table (#2318 by @GiulioSavini)
• project icons not loading when used with yaml/env aliases (#2324 by @kmendell)
• surface actual compose load error instead of generic 'no compose file found' (#2326 by @mkaltner)
• project max depth not working for filesystem discovery (#2325 by @kmendell)
• Locale selector background was inconsistent (#2348 by @RJMurg)
• light mode contrast for container stats CPU/memory monitor (#2344 by @GiulioSavini)
• keep project build context as container path so local builder can stat it (#2346 by @GiulioSavini)
• preserve webhook URL query params in generic notification provider (#2345 by @GiulioSavini)
• surface registry fetch errors in GET /templates/registries (#2355 by @GiulioSavini)
• detect provider-level failures in generic webhook notifications (#2356 by @GiulioSavini)
• skip gitops-managed projects in filesystem cleanup (#2354 by @GiulioSavini)
• Update Projects button only updates project containers (#2289 by @GiulioSavini)
• svelte reactivity issues in project editors (#2329 by @kmendell)
• send notification on single container update (#2357 by @GiulioSavini)

Dependencies

• bump github.com/mattn/go-runewidth from 0.0.22 to 0.0.23 in /cli (#2303 by @dependabot[bot])
• bump prettier from 3.8.1 to 3.8.2 (#2313 by @dependabot[bot])
• bump @codemirror/view from 6.40.0 to 6.41.0 (#2306 by @dependabot[bot])
• bump @sveltejs/kit from 2.55.0 to 2.57.1 in the npm_and_yarn group across 1 directory (#2327 by @dependabot[bot])
• bump extractions/setup-just from 3 to 4 (#2331 by @dependabot[bot])
• bump pnpm/action-setup from 5 to 6 (#2333 by @dependabot[bot])
• bump actions/github-script from 8 to 9 (#2330 by @dependabot[bot])
• bump github.com/coreos/go-oidc/v3 from 3.17.0 to 3.18.0 in /backend (#2334 by @dependabot[bot])
• bump github.com/getarcaneapp/arcane/types from 1.17.2 to 1.17.3 in /cli (#2332 by @dependabot[bot])
• bump @tanstack/svelte-query from 6.1.13 to 6.1.14 (#2336 by @dependabot[bot])
• bump golang.org/x/mod from 0.34.0 to 0.35.0 in /backend (#2335 by @dependabot[bot])
• bump svelte from 5.55.0 to 5.55.3 (#2338 by @dependabot[bot])

Other

• add missing permissions for attestations(8362f97 by @kmendell)

Full Changelog: v1.17.3...v1.17.4

1.17.4

1.5.2 (2026-04-27)

Features

• Plugins: New composer-sidebar slot and ui:composer-sidebar permission — plugins can now render a panel on either side of the New Message dialog. See repos/subway-surfers for an example
• Plugins: Manifests can declare frameOrigins — a strictly-validated list of https://host origins the plugin needs to embed. The proxy reads the union from enabled plugins and merges it into the host CSP frame-src, so the host CSP no longer needs to know about specific embed providers
• Calendar/Contacts: JMAP sharing for calendars and address books
• i18n: Czech language support

Fixes

• Security: Validate URLs before outbound fetch
• Calendar: Prevent drag creation on touch events in the time grid
• Contacts: Emit RFC 9553 name kinds and decode QUOTED-PRINTABLE in vCard import (#224, #187)
• Mail: Hide preview line in compact density to match settings preview (#223)
• Proxy: Inline matcher for Next.js proxy and drop unnecessary Node.js runtime config
• i18n: Portuguese fixes for "ficheiro" and "contactos" variants

• View downloads
• View release notes

• View downloads
• View release notes

Changelog

Others

• cc605ac: Added shutdown group (#1732) (@mabbas007)
• b297f3a: Format pending countdown as MM:SS (#1727) (@phuonganh2601)
• af655d3: build(deps-dev): bump vite from 7.3.1 to 7.3.2 in /frontend (@dependabot[bot])
• 6df1205: update deps (@seriousm4x)

Github Actions

• aabd8c1: gh-action: bump dependabot/fetch-metadata from 2 to 3 (@dependabot[bot])
• 24e218b: gh-action: bump pnpm/action-setup from 5 to 6 (@dependabot[bot])

VIENNA, Austria – April 27, 2026 – Enterprise software developer Proxmox Server Solutions (henceforth "Proxmox") today announced a new partnership with StorPool, which is now officially listed as a Proxmox solution provider. Through native integration with Proxmox Virtual Environment, StorPool brings high-performance block storage with very low and consistent latency to organizations running demanding production workloads on open-source infrastructure.

The integration combines the flexibility of Proxmox Virtual Environment with StorPool’s software-defined storage technology to support predictable I/O performance under load, efficient hardware utilization, and fast recovery from drive or server failures. The joint solution is designed for enterprises that require reliable primary storage for business-critical virtualized environments, whether deployed in hyperconverged or disaggregated architectures.

Short Quote StorPool
"StorPool takes Proxmox-powered environments to a new level in terms of speed (<0.1 ms latency), availability (99.999% of measured uptime) and efficiency (CPU, RAM & SSD consumption)," stated Boyan Ivanov, CEO, StorPool. "Now Proxmox users can optimize their environments, while having a robust enterprise-grade solution with 24/7 support, SLA and high-end storage capabilities."

Shorte Quote Proxmox:
"Our goal is to offer a powerful virtualization platform supported by a strong, enterprise-ready ecosystem," said Tim Marx, COO of Proxmox. "Through StorPool's native integration with Proxmox Virtual Environment, customers can have an additional high-performance storage option whenever their specific use cases require it. This expands flexibility for organizations running demanding workloads on open-source infrastructure."

Availability

Storpool on Proxmox Virtual Environment is available immediately. For more information, please visit https://storpool.com/proxmox-virtual-environment

###

About StorPool
StorPool has deployed hundreds of infrastructure solutions that help companies streamline their data centers and optimize their entire businesses. Our core focus is on developing StorPool Storage, a primary data storage software platform for service providers and enterprises. We design and provide solutions for virtualized environments, databases, and IaaS/SaaS platforms, delivering consistent low-latency performance and high availability using only standard hardware. Founded in 2011, StorPool serves customers globally across a range of industries. Learn more: https://storpool.com

About Proxmox
Proxmox provides powerful and user-friendly open-source server software. Enterprises of all sizes and industries use the Proxmox solutions to deploy efficient and simplified IT infrastructures, minimize total cost of ownership, and avoid vendor lock-in. Proxmox also offers commercial support, training services, and an extensive partner ecosystem to ensure business continuity for its customers. Proxmox Server Solutions GmbH was established in 2005 and is headquartered in Vienna, Austria. To learn more visit https://www.proxmox.com. You can also follow us on LinkedIn and on YouTube.

Contact: Michael Hiess Proxmox Server Solutions GmbH, marketing@proxmox.com

Finally releasing v4.0.

It was long overdue because we have been in beta for a long time. Thousands of companies and people have been using Coolify in production for 1-2 years.

Of course, this does not mean it has no bugs, it has many, but we fix them every day.

v5 is coming together, but we are not rushing it.

The biggest feature will be full scalability in the core, so you will have cloud infrastructure, but with your own servers.

I already have a working solution for the core and it is soo cool. Can't wait to start showing them to you.

By the way, doing v5 does not mean we won't continue to support v4.
We just want to push what is possible with servers and automations.

Thank you to everyone who helped me reach this point 💜

Let's make cool stuff! 🫰

So the release notes:

What's Changed

Security & Fixes

• Fixed Rallly service environment variable defaults (#9041, fixes #9615)
• Fixed Logto upgrade failure caused by missing database migration step (#9376)
• Fixed Jitsi Meet not working — rebuilt template with stable image and proper UDP/secrets (#9594, fixes #4813)
• Fixed Twenty deployment failure from unhealthy worker dependency (#9603, fixes #9574)
• Fixed mobile info popup not opening on tap and bubbling clicks to parent (#9809, closes #4834)
• Fixed SPA navigation race conditions causing stale state, broken buttons, and unsaved changes (#9742, closes #9732)

New Services & Templates

• Added Cap captcha service template (#9729)
• Re-enabled Plane service with updated docker-compose (#9641, fixes #8338)
• Updated Beszel and Beszel Agent to 0.18.7 (#9775)
• Disabled Cal.com template — project went closed source (#9776)

Improvements

• Added healthcheck to Langfuse worker (#9772)

What's Changed (Github)

• fix(navigation): replace wire:navigate.hover with wire:navigate by @andrasbacsai in #9742
• fix(helper): stop info icon click from propagating to parent on mobile by @andrasbacsai in #9809
• feat(service): disable calcom by @ShadowArcanist in #9776
• chore(service): update beszel to 0.18.7 by @ShadowArcanist in #9775
• feat(service): add healthcheck to langfuse-worker by @GauthierPLM in #9772
• feat(services): add Cap to templates by @tiagozip in #9729
• feat(service): enable plane by @DarkMaper in #9641
• fix(service): twenty fails to deploy due to dependency unhealthy by @ShadowArcanist in #9603
• fix(service): Jitsi Meet doesn't work by @miqonee in #9594
• fix(service): add missing database alteration step for Logto latest image by @FabioHAraujo in #9376
• fix(service): rally invalid next public url by @zupolgec in #9041
• v4.0.0 by @andrasbacsai in #9818

New Contributors

• @tiagozip made their first contribution in #9729
• @DarkMaper made their first contribution in #9641
• @miqonee made their first contribution in #9594
• @zupolgec made their first contribution in #9041

Full Changelog: v4.0.0-beta.474...v4.0.0

Docker Images

Docker images have been built and pushed:

Docker Hub:

• alexta69/metube:latest
• alexta69/metube:2026.04.26

GitHub Container Registry:

• ghcr.io/alexta69/metube:latest
• ghcr.io/alexta69/metube:2026.04.26

Changes

• implement time-clipped downloads (closes #969, replaces #907) (4f83174)
• title filter for subscriptions (closes #968) (91ee831)
• Bump aquasecurity/trivy-action in the github-actions group (d89a5dd)