If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.
Added
Changed
OAuth: Rework access tokens to an AES-256-GCM-SIV AEAD format that carries the account name for proxy routing.
Added more internal TLDs to the domain validation.
Fixed
MTA:
Sub-addressing with external directories returns 550 Mailbox not found.
Disabled aliases continue receiving messages.
JMAP for File Storage: FileNode/get returns a stale state string.
Make SieveSystemInterpreter.defaultReturnPath and MtaQueueQuota.match optional expressions.
Rate limiter panics when periods under 1 second are used.
CalDAV/CardDAV: Calendar events, contacts, calendars and address books deleted via JMAP do not write a vanished tombstone.
Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160)
Health checks are cached by default and shared across multi-instance deployments
/server/health will return 404 for unauthenticated requests; use /server/ping for liveness checks
cache, rateLimiter and rateLimiterGlobal health checks have been replaced by a generic redis check using the redis: prefix
@directus/api
Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160 by @ComfortablyCoding)
✨ New Features & Improvements
@directus/api
Allow disabling the health check endpoint via HEALTHCHECK_ENABLED or selectively disabling checked services via HEALTHCHECK_SERVICES (#27160 by @ComfortablyCoding)
@directus/types
Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160 by @ComfortablyCoding)
@directus/env
Allow disabling the health check endpoint via HEALTHCHECK_ENABLED or selectively disabling checked services via HEALTHCHECK_SERVICES (#27160 by @ComfortablyCoding)
Added support for translatable flow names via the existing $t: prefix and translation strings, matching the field/collection label pattern. The flow name input in the flow editor now exposes the translation picker. (#27472 by @khanahmad4527)
Removed unsupported json filter function from the studio (#27669 by @sourav-18)
@directus/api
Fixed nested deep query parameters being dropped when filters use dynamic variables (#27676 by @mazen-salah)
Fixed health check results not being shared in multi-instance settings. Restricted /server/health to authenticated users (#27160 by @ComfortablyCoding)
Fixed SingletonCollections incorrectly including core schema collections (#27196 by @kheiner)
@directus/constants
Consolidated URLs and emails into shared constants (#27641 by @HZooly)
support reading and publishing with Media-over-QUIC (#5815) Media-over-QUIC is a streaming protocol built upon cutting edge protocols (QUIC, HTTP3) and browser APIs (WebTransport, WebCodecs). It's slightly faster than WebRTC, has an advanced data recovery mechanism, it supports additional codecs (FLAC) and is less complicated to route. Check the documentation for instructions and details.
forbid H264 packetization mode zero (bluenviron/gortsplib#1072) Packetization mode zero requires allowing inefficient and brittle fragmented UDP packets, which we are not.
muxer: fix race condition when generating playlist (bluenviron/gohlslib#359) (bluenviron/gohlslib#360) Max age of playlist depends on segments, so it needs to be covered by the segment mutex.
code.cloudfoundry.org/bytefmt updated from v0.72.0 to v0.74.0
github.com/abema/go-mp4 updated from v1.5.0 to v1.6.0
github.com/bluenviron/gohlslib/v2 updated from v2.3.2 to v2.4.0
github.com/bluenviron/gortmplib updated from v0.3.2 to v0.4.0
github.com/bluenviron/gortsplib/v5 updated from v5.5.3 to v5.5.4
github.com/bluenviron/mediacommon/v2 updated from v2.8.3 to v2.9.0
github.com/go-git/go-git/v5 updated from v5.19.0 to v5.19.1
github.com/matthewhartstonge/argon2 updated from v1.5.3 to v1.5.4
github.com/pion/ice/v4 updated from v4.2.5 to v4.2.7
github.com/pion/transport/v4 updated from v4.0.1 to v4.0.2
github.com/pion/webrtc/v4 updated from v4.2.12 to v4.2.14
golang.org/x/crypto updated from v0.51.0 to v0.52.0
golang.org/x/net updated from v0.54.0 to v0.55.0
golang.org/x/sys updated from v0.44.0 to v0.45.0
github.com/pion/dtls/v3 updated from v3.1.2 to v3.1.3
github.com/pion/sctp updated from v1.9.5 to v1.10.0
github.com/pion/srtp/v3 updated from v3.0.10 to v3.0.11
github.com/pion/stun/v3 updated from v3.1.2 to v3.1.4
github.com/pion/turn/v5 updated from v5.0.3 to v5.0.7
github.com/quic-go/webtransport-go v0.10.0 added
golang.org/x/sync v0.20.0 added
github.com/dunglas/httpsfv v1.1.0 added
github.com/bluenviron/mediamtx-rpicamera updated from v2.5.7 to v2.6.0
Security
Binaries are compiled from source code by the Release workflow, which is a fully-visible process that prevents any change or external interference in produced artifacts.
Checksums of binaries are also published in a public blockchain by using GitHub Attestations, and they can be verified by running:
ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx
You can verify checksums of binaries by downloading checksums.sha256 and running:
UpSnap is, and always will be, free and open source software.
If someone is asking you to pay money for access to UpSnap binaries, source code, or licenses, you are being scammed.
The official and only trusted source for UpSnap is this repository (and its linked releases).
Do not pay third parties for something that is provided here for free.
The OpenWrt community is proud to announce the newest stable release of the OpenWrt 24.10 stable series.
This release fixes several security issues, including security fixes in dnsmasq and the Linux kernel. We recommend everyone to upgrade.
The OpenWrt 24.10 series is in security maintenance (only security problems are fixed), with end of life (EoL) projected for September 2026. We recommend migrating to OpenWrt 25.12 before then.
Download firmware images using the OpenWrt Firmware Selector:
Main changes between OpenWrt 24.10.6 and OpenWrt 24.10.7
Only the main changes are listed below. See changelog-24.10.7 for the full changelog.
Security fixes
Linux kernel:
CVE-2026-43284 ("Dirty Frag"): local privilege escalation through the IPsec ESP code path. This only affects devices that use IPsec, i.e. that have kmod-ipsec / the esp4 or esp6 kernel modules loaded. Fixed by the Linux kernel update to 6.6.138.
CVE-2026-31431 ("Copy Fail"): in earlier releases this only affected users of the starfive target and users who had installed kmod-crypto-user. Fixed by the Linux kernel update to 6.6.137.
openssl: update to 3.0.20, fixing multiple security vulnerabilities
mbedtls: update to 3.6.6, fixing multiple security vulnerabilities
wolfssl: update to 5.9.1, fixing multiple security vulnerabilities
Device support
airoha: an7581: enable USB support
airoha: EN7581: fix PCIe initialization and add x2 lane (x2 link) support
airoha: add U-Boot support for EN7581/AN7583 boards
bcm53xx: align image names with the device-tree compatible (affects image selection in the Firmware Selector)
qualcommax: ipq807x: Linksys MX5300: fix MAC address labelling
ramips: mt7621: Xiaomi Mi Router AC2100: fix MAC address labelling
Various fixes and improvements
airoha: an7581: fix kernel panic in the I2S audio driver
airoha: fix Ethernet hardware offload on EN7581 (backported upstream airoha_eth patches, offload with GDM2 present)
lantiq: fix refcount and memory leak in the MTD partition parser
wifi-scripts: fix MAC address check in the mac80211 setup script
Core components update
Linux kernel: update from 6.6.127 to 6.6.141
ca-certificates: update from 20250419 to 20260223
mbedtls: update from 3.6.5 to 3.6.6
openssl: update from 3.0.19 to 3.0.20
wireless-regdb: update from 2026.02.04 to 2026.03.18
wolfssl: update from 5.7.6 to 5.9.1
Upgrading to 24.10
Sysupgrade can be used to upgrade a device from 23.05 to 24.10, and configuration will be preserved in most cases.
For upgrades inside the OpenWrt 24.10 stable series, for example from an OpenWrt 24.10 release candidate, Attended Sysupgrade is also supported, which allows preserving the installed packages too.
Sysupgrade from 22.03 to 24.10 is not officially supported.
There is no configuration migration path for users of the ipq806x target for Qualcomm Atheros IPQ806X SoCs because it switched to DSA. You have to upgrade without saving the configuration.
"Image version mismatch. image 1.1 device 1.0 Please wipe config during upgrade (force required) or reinstall. Config cannot be migrated from swconfig to DSA Image check failed"
Users of the Linksys E8450 aka. Belkin RT3200 running OpenWrt 23.05 or earlier will need to run installer version v1.1.3 or later in order to reorganize the UBI layout for the 24.10 release. A detailed description is in the OpenWrt wiki. Updating without using the installer will break the device. Sysupgrade will show a warning before doing an incompatible upgrade.
Users of the Xiaomi AX3200 aka. Redmi AX6S running OpenWrt 23.05 or earlier have to follow a special upgrade procedure described in the wiki. This will increase the flash memory available for OpenWrt. Updating without following the guide in the wiki will break the device. Sysupgrade will show a warning before doing an incompatible upgrade.
Users of Zyxel GS1900 series switches running OpenWrt 23.05 or earlier have to perform a new factory install with the initramfs image due to a changed partition layout. Sysupgrade is not possible and will show a warning before doing an incompatible upgrade. After upgrading, the config file /etc/config/system should not be restored from a backup, as this will overwrite the new compat_version value.
Known issues
LEDs for Airoha AN8855 are not yet supported. Devices like the Xiaomi AX3000T with an Airoha switch will have their switch LEDs powered off. This issue will be addressed in an upcoming OpenWrt SNAPSHOT and the OpenWrt 24.10 minor release.
5GHz WiFi is non-functional on certain devices with ath10k chipsets. Affected models include the Phicomm K2T, TP-Link Archer C60 v3 and possibly others. For details, see issue #14541.
Introduced VERSION_KEY_ constants and renamed main to published @alvarosabu (#27397)
Backward Compatibility: You can now use ?version=published to resolve versions of the main item(s) via the version query parameter. For backward compatibility, ?version=main will continue to work.
Replaced status field with archived boolean in collection settings @alvarosabu (#27397)
Backward Compatibility: Existing collections with string-based status fields continue to work unchanged; newly created collections now default to a boolean "Archived" field instead of the string "Status" field
Deprecation for extensions: The globally registered VResizeable component has been deprecated. Extension authors using <v-resizeable> should migrate to @directus/vue-split-panel or their own implementation.
Updated type system, borders, and theme variables @formfcw (#27437)
Potential breaking change for theme extensions: headerShadow and sidebarShadow removed from LayoutConfig interface
Potential breaking change for theme extensions: boxShadow removed from header theme rules schema
Potential breaking change for theme extensions: sidebarShadow no longer exposed in layout wrapper state
Updated module navigation bar spacing and styling @HZooly (#27437)
Potential breaking change in theme extensions: Removed navigation.project.borderColor / navigation.project.borderWidth / navigation.project.background from theming. No action is required; these props will simply no longer have any effect.
Locked published items in versioned collections from editing and added a header action button to edit in the draft version @alvarosabu (#27397)
Breaking change (new behavior for versioned collections): Published items in versioned collections are now locked. Edits must be made through the draft version.
Removed rounded buttons and adopted shared header action button across all views @formfcw (#27437)
Potential breaking change for extensions: The rounded prop has been removed from v-button. Extensions using rounded will still render correctly but buttons will appear as rounded rectangles instead of circles. No functional impact.
Breaking Change: Relicensed from BUSL-1.1 to MSCL-1.0-GPL (Monospace Sustainable Core License, Version 1.0).
Updated header and navigation bar base design and merged their theme properties into a new shell scope @formfcw (#27437)
Potential breaking change for theme extensions: The theme properties navigation.background, navigation.backgroundAccent, navigation.borderWidth, navigation.borderColor, header.background, header.borderWidth, and header.borderColor have been removed and replaced by shell.background, shell.backgroundAccent, shell.borderWidth, and shell.borderColor.
Potential breaking change for theme extensions: Custom themes overriding any of these removed properties must migrate to the new shell scope. The corresponding CSS variables change from --theme--navigation--background, --theme--navigation--background-accent, --theme--navigation--border-*, --theme--header--background, and --theme--header--border-* to --theme--shell--background, --theme--shell--background-accent, and --theme--shell--border-*.
Removed the extra confirmation step from the publish flow @alvarosabu (#27487)
Breaking change (new publish flow): Publishing a version no longer shows an additional confirmation dialog after confirming changes in the comparison modal. The item is published directly once the changes are confirmed.
Potential breaking change for theme extensions: Removed section.toggle.borderWidth / section.toggle.borderColor in favor of section-level border tokens. No action is required; these props will simply no longer have any effect.
Potential breaking change for theme extensions: Removed sidebarShadow and headerShadow from defineLayout(). No action is required; these props will simply no longer have any effect.
Refactored focus ring from border/box-shadow to outline @formfcw (#27437)
Potential breaking change for theme extensions: borderColorFocus, boxShadowHover, and boxShadowFocus are removed from the theme schema β custom themes referencing these will lose their focus overrides silently
Potential breaking change for interface extensions: extensions that relied on the --theme--form--field--input--border-color-focus or --theme--form--field--input--box-shadow-focus CSS variables will need to migrate to --theme--form--field--input--focus-ring-color
Updated header bar elements and deprecated the headline slot @formfcw (#27437)
Deprecation for extensions: The headline slot on the private view header bar has been deprecated. Existing content keeps rendering, but consumers using <template #headline> will now see a deprecation hint from Volar.
Changed the default of IP_TRUST_PROXY from true to false to harden the default deployment against IP spoofing. (#27607)
The IP_TRUST_PROXY default was changed from true to false. If you run Directus behind a reverse proxy and rely on X-Forwarded-For (or similar) headers for client IP resolution, you must now explicitly set IP_TRUST_PROXY to true or a more specific trust configuration.
@directus/app
Locked published items in versioned collections from editing and added a header action button to edit in the draft version @alvarosabu (#27397 by @formfcw)
Removed rounded buttons and adopted shared header action button across all views @formfcw (#27437 by @formfcw)
Refactored drawer header layout and simplified v-drawer API @formfcw (#27437 by @formfcw)
Deprecation for extensions: The globally registered v-breadcrumb component has been deprecated. Extensions using <v-breadcrumb> keep rendering but will see a deprecation hint from Volar.
Deprecation for extensions: On v-drawer, the subtitle prop (use the title prop instead), the subtitle slot, the header:append slot, and the actions:append slot have been deprecated. Existing usage keeps rendering; actions:append content lands in the secondary-actions zone, and for primary CTAs in the drawer header use the new actions:primary slot. Consumers will see deprecation hints from Volar.
Potential Breaking change for theme extensions: The theme properties header.headline.foreground and header.headline.fontFamily have been removed. Custom themes overriding these properties should remove them. The corresponding CSS variables --theme--header--headline--foreground and --theme--header--headline--font-family no longer exist.
Added split-menu slot to v-button and migrated primary header actions @formfcw (#27437 by @formfcw)
Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
Added version support to getItemRoute and updated all callers to preserve version context when navigating to items from layouts and interfaces @alvarosabu (#27397 by @formfcw)
Added behavior to auto-switch to the draft version on the first edit of a published item @alvarosabu (#27507 by @alvarosabu)
Updated VChip component to appear as a pill in form field label, group accordion, group tabs, kanban, deployment status, extension item, marketplace extension list item, marketplace extension banner, and user popover @formfcw (#27462 by @formfcw)
Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
Deprecation for extensions: The actions:append slot in the header bar has been deprecated in favor of the new actions:primary slot for primary CTAs. Existing actions:append usage keeps rendering in the secondary-actions zone, but consumers will now see a deprecation hint from Volar.
Renamed "Promote" to "Publish" in version menu and disabled create version and published selection for item-less versions @alvarosabu (#27397 by @formfcw)
Updated header bar elements and deprecated the headline slot @formfcw (#27437 by @formfcw)
Ensured to switch to the draft version when visually editing an item of a versioned collection @formfcw (#27595 by @formfcw)
Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
@directus/utils
Added MCP OAuth 2.1 authorization server. MCP clients (like Claude, Codex) can now authenticate via standard OAuth flow with PKCE instead of requiring a manually provisioned static token. Enable with MCP_OAUTH_ENABLED=true. Dynamic and client ID metadata registration were kept separately opt-in with MCP_OAUTH_DCR_ENABLED=true and MCP_OAUTH_CIMD_ENABLED=true. (#27069 by @hanneskuettner)
@directus/sdk
Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
Changed back button behavior, always navigates one level up @HZooly (#27437 by @formfcw)
Fixed repeater interface ignoring per-field translations and $t: keys on sub-field labels, and added a "Field Name Translations" section to the sub-field configuration UI (#27374 by @khanahmad4527)
Fixed items not being selectable in the collection drawer when the Kanban layout is used while the parent item is opened in a version context @alvarosabu (#27427 by @alvarosabu)
Updated the built-in OpenAI and Anthropic AI model lists to use the latest available API models. (#27602 by @hanneskuettner)
@directus/constants
Added DIRECTUS_DOMAIN constant and replaced hardcoded directus.io with directus.com using the new constant (#27417 by @ComfortablyCoding)
@directus/system-data
Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
Updated the built-in OpenAI and Anthropic AI model lists to use the latest available API models. (#27602 by @hanneskuettner)
@directus/types
Added AI-powered translations to the translations interface, including glossary, style guide, and configurable default model settings derived from the enabled providers and allowed models. (#26940 by @bryantgillespie)
Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
@directus/utils
Added JSON filtering, alias and sorting support (#26981 by @br41nslug)
@directus/ai
Updated the built-in OpenAI and Anthropic AI model lists to use the latest available API models. (#27602 by @hanneskuettner)
@directus/release-notes-generator
Ignored private workspace packages when generating release notes (#27637 by @licitdev)
The initial setup process has been changed. Instead of a built-in multi-step wizard, UpSnap now directs you to create your first superuser account via the server console logs, which contain a one-time setup link generated by PocketBase.
Once you've created the superuser using that link, return to the UpSnap welcome page and click Done to continue.
Why this was necessary
In versions prior to 5.4.0, the setup wizard allowed anyone with network access to register the first superuser account if they reached the setup page before the legitimate administrator. This meant that on a publicly reachable instance, an attacker could take ownership of the application before the real admin had a chance to complete the setup.
By moving account creation out-of-band to the server console, only someone with access to the server logs (i.e. the administrator) can complete the initial setup.
Note
If you have successfully completed the initial setup in the past, you are not affected.
UpSnap allows setting custom shell commands for waking and shutting down devices. These commands support {{ DEVICE_IP }} and {{ DEVICE_MAC }} placeholders, which are replaced with the device's actual IP and MAC values before being executed on the server.
In versions prior to 5.4.0, these values were only changed by removing spaces before being substituted into the shell command. An attacker with permission to edit a device could set a malicious IP or MAC field, for example:
When the device was woken or shut down, the injected commands would execute on the server with the same privileges as UpSnap itself.
What was fixed
Backend: Before substituting {{ DEVICE_IP }} and {{ DEVICE_MAC }} into any shell command, UpSnap additionally validates both values using Go's standard net.ParseIP and net.ParseMAC. If a value somehow reaches this point in an invalid state, the command is rejected and an error is returned instead of executing.
Database: A new migration adds regex constraints to the ip and mac fields in the PocketBase schema (^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$ for IP, ^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$ for MAC). Any write that bypasses the UI is rejected at the database level.
HTML input: The IP and MAC fields in the device form now have pattern attributes that enforce valid formats directly in the browser, preventing malformed values from being submitted in the first place.
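The backend check described above, as an added example that is not UpSnap's own code: the first function reproduces the space-stripping behaviour the notes attribute to versions before 5.4.0, the second validates with net.ParseIP and net.ParseMAC before substituting. The function names, the error value, the command template and the sample values are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// ErrInvalidDeviceField (hypothetical name) is returned when an IP or MAC
// value fails validation and the command must not be built.
var ErrInvalidDeviceField = errors.New("invalid device field")

// substitute fills the two placeholders the release notes name.
func substitute(tmpl, ip, mac string) string {
	return strings.NewReplacer(
		"{{ DEVICE_IP }}", ip,
		"{{ DEVICE_MAC }}", mac,
	).Replace(tmpl)
}

// LegacyRender mirrors the behaviour described for versions before 5.4.0:
// the only change made to the values is removing spaces, so any shell
// metacharacter stored in the field ends up in the command string.
func LegacyRender(tmpl, ip, mac string) string {
	ip = strings.ReplaceAll(ip, " ", "")
	mac = strings.ReplaceAll(mac, " ", "")
	return substitute(tmpl, ip, mac)
}

// RenderCommand validates both values with the standard library parsers and
// substitutes only if both parse. On failure it returns an error and an
// empty string, so the caller has nothing to execute.
func RenderCommand(tmpl, ip, mac string) (string, error) {
	if net.ParseIP(ip) == nil {
		return "", fmt.Errorf("%w: ip %q", ErrInvalidDeviceField, ip)
	}
	if _, err := net.ParseMAC(mac); err != nil {
		return "", fmt.Errorf("%w: mac %q", ErrInvalidDeviceField, mac)
	}
	return substitute(tmpl, ip, mac), nil
}

func main() {
	// Constructed command template and device values, not taken from UpSnap.
	const tmpl = "ping -c 1 {{ DEVICE_IP }} # {{ DEVICE_MAC }}"
	devices := []struct{ ip, mac string }{
		{"192.168.1.10", "aa:bb:cc:dd:ee:ff"},
		{"192.168.1.10; echo", "aa:bb:cc:dd:ee:ff"},
		{"192.168.1.10", "aa:bb:cc:dd:ee:ff|echo"},
	}
	for _, d := range devices {
		fmt.Printf("legacy:    %s\n", LegacyRender(tmpl, d.ip, d.mac))
		cmd, err := RenderCommand(tmpl, d.ip, d.mac)
		if err != nil {
			fmt.Printf("validated: rejected (%v)\n", err)
			continue
		}
		fmt.Printf("validated: %s\n", cmd)
	}
}
```

net.ParseIP also accepts IPv6 literals and net.ParseMAC accepts EUI-64 and dot-separated forms, so the backend check is wider than the IPv4 and six-octet patterns enforced at the database layer; every accepted form consists only of hex digits, colons, dots and hyphens.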
Who is affected
Any instance where untrusted users had permission to create or edit devices. Users who are the sole administrator of their own instance and have not shared device-edit access are at lower risk.
If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.
Added
Added 58 new DNS provider integrations (see dns-update crate for details).
DNS updater: Log DNS record types and values.
Sieve: Allow User Sieve scripts to access orcpt.
MTA: Log when messages are rejected or discarded by the spam classifier.
Feature: [#24879] [Plugin] Add methods for showing and hiding gridlines.
Feature: [#26327] Add "guests entertained" statistic to entertainers.
Improved: [#26374] Add higher resolution app icons for Android.
Improved: [#26386] Initial window scale and toolbar options on fresh Android installations.
Change: [#26476] Limit creation of new station styles to prepare for more flexibility with ride stations and entrances.
Fix: [#25581] Chart drawing issue on some platforms due to compiler optimisation.
Fix: [#26019] Inverted and Inverted Flying Roller Coaster large half loops glitch with the train and don't draw in tunnels at some angles (original bug).
Fix: [#26183] The ride stat graph placeholder text is not drawn in the expected position.
Fix: [#26287] Game crashes upon connect/disconnect of physical keyboard.
Fix: [#26299] Single Rail S-Bend sprites don't fully connect to the next track piece at certain angles.
Fix: [#26352] Large scenery items are incorrectly labelled as "banners" in the tile inspector.
Fix: [#26352] The label for path additions is using the wrong text colour in the tile inspector.
Fix: [#26360] Inverted Lay-down Roller Coaster helices are invisible when loading old saves.
Fix: [#26396] [Plugin] Socket interfaces were not closing properly and firing up correctly in parallel.
Fix: [#26410] Tiles with water can draw incorrectly when there is something underwater and nothing above water.
Fix: [#26418] Game crashes when a stack overflow occurs in plugin code.
Fix: [#26419] Drop count & negative g's stat requirements for Flying Roller Coaster don't get nullified by having an inversion.
Fix: [#26421] Wrong scenery tab highlighted when more than 64 scenery groups are selected.
Fix: [#26425] Benches don't reduce watching spots from 4 to 2 while other path additions do (should be reversed).
Fix: [#26432] Guests choose to head for rides they have already ridden if they don't have a map.
Fix: [#26492] Drag tool shows per-tile error instead of total cost when running out of money midway through placement.
Fix: [#26510] Displayed air time overflows after 655.35 seconds instead of the internal maximum of 1966.05 seconds.
fix crash when stream is closing (bluenviron/gortsplib#1062) when ServerStream.Close() is called, stream readers might have their setuppedTransport set to nil, causing the server to crash. Prevent this.
fix race condition when tearing down connection (bluenviron/gortsplib#1063) ServerConn.session was not properly protected.
fix error 500 caused by in-stream params (bluenviron/gohlslib#355) (#5728) (#5745) PR bluenviron/gohlslib#344 caused a regression. Many codecs (AV1, H264, H265, VP9) use in-stream parameters, that were not taken into consideration anymore when generating init.mp4 and playlists. This has been solved.
support changing text overlay dynamically (#5270) (#5748)
Dependencies
code.cloudfoundry.org/bytefmt updated from v0.70.0 to v0.72.0
github.com/Masterminds/semver/v3 updated from v3.4.0 to v3.5.0
github.com/bluenviron/gohlslib/v2 updated from v2.3.1 to v2.3.2
github.com/bluenviron/gortmplib updated from v0.3.1 to v0.3.2
github.com/bluenviron/gortsplib/v5 updated from v5.5.2 to v5.5.3
github.com/datarhei/gosrt updated from v0.10.0 to v0.11.0
github.com/fsnotify/fsnotify updated from v1.10.0 to v1.10.1
github.com/go-git/go-billy/v5 updated from v5.8.0 to v5.9.0
github.com/go-git/go-git/v5 updated from v5.18.0 to v5.19.0
github.com/gookit/color updated from v1.6.0 to v1.6.1
github.com/matthewhartstonge/argon2 updated from v1.5.2 to v1.5.3
github.com/pion/rtp updated from v1.10.1 to v1.10.2
golang.org/x/crypto updated from v0.50.0 to v0.51.0
golang.org/x/net updated from v0.53.0 to v0.54.0
golang.org/x/sys updated from v0.43.0 to v0.44.0
golang.org/x/term updated from v0.42.0 to v0.43.0
github.com/cyphar/filepath-securejoin updated from v0.4.1 to v0.6.1
github.com/pjbgf/sha1cd updated from v0.3.2 to v0.6.0
golang.org/x/text updated from v0.36.0 to v0.37.0
github.com/bluenviron/mediamtx-rpicamera updated from v2.5.6 to v2.5.7
Security
Binaries are compiled from source code by the Release workflow, which is a fully-visible process that prevents any change or external interference in produced artifacts.
Checksums of binaries are also published in a public blockchain by using GitHub Attestations, and they can be verified by running:
ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx
You can verify checksums of binaries by downloading checksums.sha256 and running:
UpSnap is, and always will be, free and open source software.
If someone is asking you to pay money for access to UpSnap binaries, source code, or licenses, you are being scammed.
The official and only trusted source for UpSnap is this repository (and its linked releases).
Do not pay third parties for something that is provided here for free.
Changelog
Bug fixes
7b8bcfa: fix: switch cron-parser to named import (CronExpressionParser) (#1737) (@codeanish)
CVE-2026-5172: buffer overflow in extract_addresses() on crafted resource records.
Linux kernel: CVE-2026-43284 ("Dirty Frag") - local privilege escalation via the IPsec ESP path. Only relevant on devices with kmod-ipsec / esp4/esp6 loaded. Fixed via the 6.12.87 kernel update.
ath79: Sitecom WLR-7100 (X7 AC1200): fix MAC address assignment, wire up 5 GHz WLAN LED, and move to the tiny target to free ~800 KiB of flash
ipq40xx: Pakedge WR-1: restore lost band label on the WLAN LEDs
mediatek: filogic: Cudy WR3000E/H/P/S v1 and WBR3000UAX v1 (ubootmod NAND builds): disable NMBM, which was mistakenly enabled and prevented the NAND from being used correctly
microchipsw: fix LAN8814 QSGMII soft reset
WiFi fixes and improvements
wifi-scripts: fix basic_rate mapping in the wpa_supplicant ucode generator
mac80211: update backports package to 6.18.26 (general stability improvements)
Core component updates
Linux kernel: update from 6.12.85 to 6.12.87
mac80211: update from 6.18.7 to 6.18.26
Upgrading to 25.12.4
Upgrading from 24.10 to 25.12 should be transparent on most devices, as most configuration data has either remained the same or will be translated correctly on first boot by the package init scripts.
For upgrades within the OpenWrt 25.12 stable series, Attended Sysupgrade is also supported, which allows preserving the installed packages.
Sysupgrade from 23.05 or earlier to 25.12 is not officially supported.
Cron log level was fixed in busybox. system.@system[0].cronloglevel should be set to 7 for normal logging. 7 is the default now. If this option is not set, the default is used and no manual action is needed. fc0c518
Bananapi BPI-R4: Interface eth1 was renamed to sfp-lan or lan4, and interface eth2 was renamed to sfp-wan to match the labels. You have to upgrade without saving the configuration. cd8dcfe
TP-Link RE355 v1, RE450 v1 and RE450 v2: The partition layout and block size changed in this release to fix configuration loss on sysupgrade. Users upgrading from OpenWrt 25.12.0 or earlier must use sysupgrade -F to force the upgrade. The image must not exceed 5.875 MB (6016 KiB).
Meraki MX60: Direct sysupgrade to 25.12.4 is not possible without manual preparation - meraki_loadaddr must be changed before upgrading, as the default value is insufficient to boot OpenWrt 25.12+. See the device wiki page for instructions.
Known issues
Zyxel EX5601-T0: the WAN interface was renamed from eth1 to wan - check and update your network configuration after upgrading.
Pixel 10 phones have problems connecting to WPA3-protected WiFi 6 APs. #21486
802.11r Fast Transition (FT) causes connection problems with some WiFi clients when WPA3 is used. #22200
SQM CAKE MQ (cake_mq): throughput may be unexpectedly low on some configurations after the scheduler fixes in this release. #22344
If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.
Added
is_ip_in_cidr expression function for CIDR matching.
Changed
Bump mail-auth to 0.9 (which bumps hickory-resolver to 0.26).
Deprecated RFC2136 SIG(0) support as it is no longer supported by hickory.
Fixed
JMAP:
Patching ids containing digits in JSON Pointers fails.
Patching nested objects with null values fails.
External directories:
SQL: Return Failed instead of Error when the query returns no results.
LDAP: Impersonation fails when the user has not logged in before.
Network: Attempt binding to IPv4 when binding to IPv6 fails with EAFNOSUPPORT error.
Bootstrap: Timeout after 30 seconds when probing the data store.
HTTP: Use permissive CORS headers for .well-known endpoints.
ACME:
Include apex domains when requesting certificates for subdomains.
Use the public suffix list to determine the zone name when no origin is provided.
MTA:
Allow rescheduling recipients with permanent failures.
Process reports using original RCPT before rewriting.
Autodiscover v2 endpoint unreachable.
DNS update (via dns-update crate):
OVH + Google Cloud DNS: Fix FQDN handling for MX and SRV records.
Route53: Fix changeset error resolution.
deSEC: Use empty subname for apex records instead of @, which the API rejects.
Cloudflare: Wrap TXT record content in double quotes (RFC 1035) to suppress dashboard warnings.
iCalendar/JSCalendar (via calcard crate):
Support STATUS:CANCELLED mapping from VTODO to JSCalendar.
Major version: new installs default to auto adaptive colours (matching web based draw.io); upgrades preserve simple. Change via Extras → Configuration.
If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.
Added
Changed
Fixed
Live tracing in community and OSS versions.
Timezone changes from the AccountSettings object return invalidProperties.
mail-parser panic with certain messages containing corrupted attachments.
Pagination by anchor for queued messages, tasks and metrics.
Spam filter: Use original instead of rewritten RCPT on checks.
JMAP:
References in nested objects not resolved.
AddressBook/query fetches wrong resources.
Import tool fails to restore registry entries.
FDB: Allow multiple FoundationDB instances in the same process.
Autoconfig: Return %EMAILADDRESS% when no email address is provided.
Quota: Include Sieve scripts in quota recalculations.
Main changes between OpenWrt 25.12.2 and OpenWrt 25.12.3
Only the main changes are listed below. See the full changelog for details.
Security fixes
Linux kernel: fixes CVE-2026-31431 ("Copy Fail"). In earlier releases this only affected users on the starfive target and users who had installed kmod-crypto-user.
mbedtls: update to 3.6.6 (multiple CVE fixes)
OpenSSL: update to 3.5.6 (multiple CVE fixes)
wolfSSL: update to 5.9.1 (multiple CVE fixes)
Device support
New devices supported in 25.12.3:
mediatek: filogic: ASUS RT-AX52 PRO
mediatek: filogic: D-Link AQUILA PRO AI E30
mediatek: filogic: Huasifei WH3000 Pro (NAND variant)
qualcommax: ipq50xx: Xiaomi AX6000: enable PCIe1 for QCA9887
qualcommax: ipq807x: Linksys MX5300: add label MAC assignment
ramips: Yuncore CPE200: fix EEPROM size
ramips: mt7621: fix reset hang
ramips: Wavlink WL-WN575A3: fix EEPROM size for 5 GHz WiFi
ramips: Xiaomi Mi Router 4C: fix WAN LED GPIO (#18578)
WiFi fixes and improvements
wifi-scripts: fix incorrect erp_domain and fils_cache_id values generated by the ucode-based config script (#21768)
wifi-scripts: add missing bridge_isolate and network_vlan fields to the ucode schema (#22620)
wifi-scripts: add missing iface and other fields to the ucode station/vlan schema (#22165)
wifi-scripts: add EHT (WiFi 7) rates to set_fixed_freq
Networking and system fixes
mbedtls: backport upstream patches to fix TLS 1.2 client issues - fixes a regression that broke DDNS updates and other TLS 1.2 client connections; the regression was introduced in mbedtls package updates shipped after the 25.12.2 release (#22874)
base-files: sysupgrade: fix -u option (skip default configuration) which was broken with apk
base-files: sysupgrade: fix -f (custom backup) when the path contains spaces
base-files: sysupgrade: update backup exclusion list
base-files: use DISKSEQ instead of MAJOR/MINOR for stable disk identification (MAJOR/MINOR are not sequential)
lantiq: fix mtdparsers refcount and memory leak
uqmi / umbim: introduce devpath option for selecting cellular modems by USB device path
kernel: add kmod-vsock and kmod-vsock-virtio for VM guests (vsock communication)
Core component updates
Linux kernel: update from 6.12.74 to 6.12.85
ca-certificates: update from 20250419 to 20260223
linux-firmware: update from 20251125 to 20260221
mbedtls: update from 3.6.5 to 3.6.6 (security fixes)
OpenSSL: update from 3.5.5 to 3.5.6 (security fixes)
wireless-regdb: update from 2026.02.04 to 2026.03.18
wolfSSL: update from 5.8.4 to 5.9.1 (security fixes)
xdp-tools: update from 1.4.3 to 1.6.3
Upgrading to 25.12.3
Upgrading from 24.10 to 25.12 should be transparent on most devices, as most configuration data has either remained the same or will be translated correctly on first boot by the package init scripts.
For upgrades within the OpenWrt 25.12 stable series, Attended Sysupgrade is also supported, which allows preserving the installed packages.
Sysupgrade from 23.05 or earlier to 25.12 is not officially supported.
Cron log level was fixed in busybox. system.@system[0].cronloglevel should be set to 7 for normal logging. 7 is the default now. If this option is not set, the default is used and no manual action is needed. fc0c518
Bananapi BPI-R4: Interface eth1 was renamed to sfp-lan or lan4, and interface eth2 was renamed to sfp-wan to match the labels. You have to upgrade without saving the configuration. cd8dcfe
TP-Link RE355 v1, RE450 v1 and RE450 v2: The partition layout and block size changed in this release to fix configuration loss on sysupgrade. Users upgrading from OpenWrt 25.12.0 or earlier must use sysupgrade -F to force the upgrade. The image must not exceed 5.875 MB (6016 KiB).
Meraki MX60: Direct sysupgrade to 25.12.3 is not possible without manual preparation - meraki_loadaddr must be changed before upgrading, as the default value is insufficient to boot OpenWrt 25.12+. See the device wiki page for instructions.
Known issues
Zyxel EX5601-T0: the WAN interface was renamed from eth1 to wan - check and update your network configuration after upgrading.
Pixel 10 phones have problems connecting to WPA3-protected WiFi 6 APs. #21486
802.11r Fast Transition (FT) causes connection problems with some WiFi clients when WPA3 is used. #22200
SQM CAKE MQ (cake_mq): throughput may be unexpectedly low on some configurations after the scheduler fixes in this release. #22344
Non-VGA option ROM dispatch - CSMWrap now enumerates legacy x86 option ROMs from non-VGA PCI devices (NIC PXE ROMs, RAID/storage ROMs, etc.) and dispatches them through the CSM, mirroring what a real CSM would do.
$PIR table synthesis - A PCI BIOS Specification 2.1 $PIR table is now synthesized from ACPI _PRT/_PRS and handed to SeaBIOS so legacy OSes can get non-ACPI PCI IRQ routing.
Working APM shutdown and reboot - APM Set Power State (off/reboot) now trampolines through the helper core into UEFI's ResetSystem runtime service. Previously these calls were no-ops.
CPU visibility configuration - Three new csmwrap.ini options (system_thread, cpu_allowlist, cpu_blocklist) let you pin the BIOS proxy helper core to a specific APIC ID and hide arbitrary APs.
Auto-select GPU with working OpROM - When the primary GPU's option ROM can't be claimed (VGA arbitration fails, no legacy image, oversized ROM), CSMWrap now falls through to the next VGA-class device instead of giving up.
And more!
Bug Fixes
Many bug fixes and improvements across PCI, APIC/x2APIC/MP tables, AMD MTRR and PAM unlocking, AMD IOMMU teardown order, GOP/VGA arbitration, e820 generation, and more.
SeaBIOS
Many bug fixes and improvements across xHCI/EHCI/OHCI/UHCI, AHCI/NVMe/eMMC, and more.
If you are upgrading from v0.16.x, replace the binary (or run docker pull). If you are upgrading from v0.15.x and below, please read the upgrading documentation for more information on how to upgrade from previous versions.
Added
Changed
Replaced STALWART_HTTPS_PORT with STALWART_PUBLIC_URL.
App Passwords now begin with app_ instead of app to avoid issues with some clients that do not support spaces in passwords.
Fixed
Directory:
Invalidate caches when group memberships change on an external directory.
Updated the token field on the user detail page to require confirmation before regenerating or removing a token, and saved those changes immediately without requiring a page-level save. (#27108 by @LZylstra)
@directus/api
Added opt-in must-revalidate and ETag headers for assets via ASSETS_CACHE_REVALIDATE env var (#27027 by @gaetansenn)
Added a force option to schema apply to bypass hash check (#27136 by @Nitwel)
@directus/env
Added opt-in must-revalidate and ETag headers for assets via ASSETS_CACHE_REVALIDATE env var (#27027 by @gaetansenn)
@directus/sdk
Added a force option to schema apply to bypass hash check (#27136 by @Nitwel)
Bug Fixes & Optimizations
@directus/app
Fixed UI freeze when navigating items with WYSIWYG translations for non-admin users (#27154 by @gaetansenn)
Fixed selection not being cleared after running a manual flow from the collection list view sidebar (#27330 by @kropsi)
Fixed "Save as copy" in the file library throwing a 403 Forbidden error (#27181 by @sanskar-soni-9)
Fixed user token not being displayed after generation when collaboration is enabled (#27319 by @LZylstra)
Prevented filter popup being closed when reordering filters (#27324 by @HZooly)
Fixed icon flash in navigation sidebar for bookmarks without an icon (#27329 by @HZooly)
Migrated @directus/visual-editing into the monorepo (#27157 by @formfcw)
prevent code injection in case of MTX_QUERY in hooks (#5707): when MTX_QUERY is used explicitly in hooks, for instance "curl http://something/?$MTX_QUERY", it can be used to inject arbitrary commands. MTX_QUERY is now URL-encoded to prevent any abuse regardless of the configuration.
use temporary redirects instead of permanent redirects (#5710): this prevents unwanted caching.
Merge request->controls instead of overwriting (bluenviron/mediamtx-rpicamera#97): libcamera 0.7.0 is more strict about changing controls; assignment is no longer allowed since raspberrypi/libcamera@310cd8b. Instead, we use the merge call with overwrite.
Security
Binaries are compiled from source code by the Release workflow, which is a fully-visible process that prevents any change or external interference in produced artifacts.
Checksums of binaries are also published in a public blockchain by using GitHub Attestations, and they can be verified by running:
ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx
You can verify checksums of binaries by downloading checksums.sha256 and running: