v12.1.0

1 July 2026 at 22:01

⚠️ Potential Breaking Changes

  • @directus/api
    • Limited sensitive system mutations defined by GRAPHQL_SINGLE_USE_MUTATIONS to single use (#27801 by @br41nslug)
    • Removed /utils/hash/generate and /utils/hash/verify endpoints (#27774 by @br41nslug)
    • Fixed failed TUS file replacements leaving orphaned file records. Hardened upload path validation to prevent writes to extension and temporary storage directories (#27803 by @br41nslug)
    • Updated GraphQL WebSocket restrictions to match the HTTP endpoint and hid validation hints when introspection is disabled (#27801 by @br41nslug)
    • Added CORS_ORIGIN checks for websocket connections (#27812 by @br41nslug)
  • @directus/specs
    • Removed /utils/hash/generate and /utils/hash/verify endpoints (#27774 by @br41nslug)
  • @directus/sdk
    • Removed /utils/hash/generate and /utils/hash/verify endpoints (#27774 by @br41nslug)

✨ New Features & Improvements

πŸ› Bug Fixes & Optimizations

  • @directus/app
    • Restored pre-v12 back button behavior: returns to the previously visited item/page when navigating via a relation, and to the collection listing when landing on an item directly (#27799 by @robluton)
    • Fixed the public page foreground image rendering side-by-side with the shader background instead of overlaying it (#27782 by @alvarosabu)
    • Added clearable indicator to input hash field (#27729 by @robluton)
    • Added lazy loading of social icons on v-button (#27724 by @alvarosabu)
    • Bumped version of @directus/license package (#27785 by @AlexGaillard)
    • Fixed array indexing (e.g. field[0] or field.0) in display and preview URL templates, so a template like {{ categories[0].name }} now resolves to the indexed value instead of rendering empty (#27773 by @dstockton)
    • Fixed a stored XSS vulnerability where the project color could break out of the generated favicon's SVG markup and inject arbitrary HTML (#27810 by @br41nslug)
    • Fixed an internal server error when validating out-of-range integer values (#27321 by @sourav-18)
    • Added interface settings for collection status field (#27781 by @robluton)
  • @directus/api
  • @directus/extensions-sdk
  • @directus/system-data
  • @directus/composables
  • @directus/validation
    • Fixed an internal server error when validating out-of-range integer values (#27321 by @sourav-18)
  • @directus/env
    • Limited sensitive system mutations defined by GRAPHQL_SINGLE_USE_MUTATIONS to single use (#27801 by @br41nslug)
  • @directus/utils
    • Classified the embedded IPv4 of IPv6 transition forms (IPv4-compatible, NAT64, 6to4) in IpBlocklist.checkAddress so they cannot bypass an IPv4 deny rule (#27698 by @joeltco)
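
The embedded-IPv4 classification described in the @directus/utils entry above, as an added example that is not Directus source code. The function names and the sample deny list are hypothetical and constructed, and the example goes slightly beyond the three forms the note lists by also handling IPv4-mapped addresses (`::ffff:a.b.c.d`).

```javascript
// Added illustration; not Directus source. All names here are hypothetical.

// Dotted-quad IPv4 -> unsigned 32-bit number, or null if malformed.
function parseIPv4(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// IPv6 text -> array of eight 16-bit groups, or null if malformed.
function parseIPv6(s) {
  if (s.includes(".")) {
    // A trailing dotted quad (::ffff:10.1.2.3) fills the last two groups.
    const cut = s.lastIndexOf(":") + 1;
    const v4 = parseIPv4(s.slice(cut));
    if (cut === 0 || v4 === null) return null;
    s = s.slice(0, cut) + Math.floor(v4 / 65536).toString(16) + ":" + (v4 % 65536).toString(16);
  }
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const split = (h) => (h === "" ? [] : h.split(":"));
  const head = split(halves[0]);
  const rest = halves.length === 2 ? split(halves[1]) : [];
  const missing = 8 - head.length - rest.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...Array(missing).fill("0"), ...rest];
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// Return the IPv4 address carried inside a transition-form IPv6 address.
function embeddedIPv4(g) {
  const join = (hi, lo) => hi * 65536 + lo;
  const zero = (from, to) => g.slice(from, to).every((x) => x === 0);
  if (g[0] === 0x2002) return { form: "6to4", addr: join(g[1], g[2]) }; // 2002::/16
  if (g[0] === 0x64 && g[1] === 0xff9b && zero(2, 6))
    return { form: "NAT64", addr: join(g[6], g[7]) }; // 64:ff9b::/96
  if (zero(0, 5) && g[5] === 0xffff)
    return { form: "IPv4-mapped", addr: join(g[6], g[7]) }; // ::ffff:0:0/96
  if (zero(0, 6) && (g[6] !== 0 || g[7] > 1))
    return { form: "IPv4-compatible", addr: join(g[6], g[7]) }; // ::/96, not :: or ::1
  return null;
}

// True when the 32-bit address falls inside an IPv4 CIDR such as 10.0.0.0/8.
function inCidr(addr, cidr) {
  const [base, bits] = cidr.split("/");
  const size = 2 ** (32 - Number(bits));
  return Math.floor(addr / size) === Math.floor(parseIPv4(base) / size);
}

// Before: only literal IPv4 text is compared with the IPv4 deny rules.
function isDeniedLiteralOnly(address, denyCidrs) {
  const v4 = parseIPv4(address);
  return v4 !== null && denyCidrs.some((c) => inCidr(v4, c));
}

// After: an IPv6 address is also judged by the IPv4 address it embeds.
function isDenied(address, denyCidrs) {
  let v4 = parseIPv4(address);
  if (v4 === null) {
    const groups = parseIPv6(address);
    if (groups === null) throw new TypeError("not an IP address: " + address);
    const hit = embeddedIPv4(groups);
    if (hit === null) return false; // native IPv6: IPv4 rules do not apply
    v4 = hit.addr;
  }
  return denyCidrs.some((c) => inCidr(v4, c));
}

// Constructed sample data.
const DENY = ["10.0.0.0/8", "192.168.0.0/16"];
const SAMPLES = ["10.1.2.3", "::10.1.2.3", "64:ff9b::a01:203",
  "2002:c0a8:101::1", "::ffff:192.168.1.1", "2001:db8::1", "::1"];
for (const a of SAMPLES) {
  console.log(a.padEnd(20), isDeniedLiteralOnly(a, DENY), isDenied(a, DENY));
}
```

Input that parses as neither family raises an error instead of being treated as allowed, so a caller has to reject it explicitly.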

📦 Published Versions

  • @directus/app@16.2.0
  • @directus/api@37.0.0
  • @directus/composables@11.5.1
  • create-directus-extension@12.1.1
  • @directus/env@6.1.0
  • @directus/extensions@4.0.1
  • @directus/extensions-registry@4.0.1
  • @directus/extensions-sdk@18.0.1
  • @directus/memory@4.0.1
  • @directus/pressure@4.0.1
  • @directus/specs@15.0.0
  • @directus/storage-driver-azure@13.0.1
  • @directus/storage-driver-cloudinary@13.0.1
  • @directus/storage-driver-gcs@13.0.1
  • @directus/storage-driver-s3@13.0.1
  • @directus/storage-driver-supabase@4.0.1
  • @directus/system-data@4.5.1
  • @directus/themes@2.0.1
  • @directus/utils@13.5.1
  • @directus/validation@3.0.1
  • @directus/sdk@23.0.0


Distribution Release: ArchBang Linux 010726

1 July 2026 at 20:20
The ArchBANG project has released a new version of ArchBANG Linux with another radical change - it has replaced labwc with the Mango Wayland compositor. The new version, labelled as 010726, comes with both graphical and command-line system installers: "Pleased to announce the release of ArchBang running the....

2026.7: Automations that speak your language

1 July 2026 at 02:00

Tip

Don’t forget to join our release party live stream on YouTube on July 1, 2026, at 20:00 GMT / 12:00 PT / 21:00 CET!

Home Assistant 2026.7! 🎉

This is one of those releases I’ve been looking forward to for a long time. My favorite by far is what we’ve done with automations. Purpose-specific triggers and conditions graduate from Labs and become the new default for everyone. 🎉

It comes down to something we’ve been chasing for years: more power, less complexity. Instead of starting from Home Assistant’s internals, which entity, which state, which kind of trigger, you start from what you actually want your home to do. When the bedroom drops below 18°C, turn on the heating. That’s it. No technical traps, no quirks to memorize. And because integrations can teach the automation engine their own triggers and conditions, it only gets better from here. All of it right there in our beautiful user interface.

The nice thing is, nothing breaks. All your existing automations keep working, worry-free. We’ve also written tons of great documentation explaining every single trigger, condition, and action, with examples to learn from. And if you’re one of those people who prefers writing automations in YAML instead of the UI, you’re in for an amazing experience too. User experience is not a synonym for “the UI”. YAML users deserve good user experience too.

But honestly? I’ve got a second favorite this release, and that surprised me a little. Activity, what many of you still know as the logbook, has been rebuilt into a slick and clean timeline. 😍 It reads top to bottom like a feed, groups entries by day, and finally speaks the same language as the rest of Home Assistant. I keep opening it just to look at it.

And that’s just the start. There’s a new update-all button, dedicated panels for infrared and radio frequency, an overhauled ZHA Zigbee device management, and 10 new integrations from our community.

One more thing before you dive in: the Open Home Foundation is exhibiting at IFA Berlin for the first time, from September 4 to 8, 2026. We’d love to meet you there, so come say hello. There’s also a community meetup on Sunday, September 6, and everyone’s welcome. You can read all about it here.

Enjoy the release!

../Frenck

A huge thank you to all the contributors who made this release possible! And a special shout-out to @piitaya, @sairon, and @agners who helped write the release notes this release. Thanks to them, these release notes are in great shape. ❤️

Creating automations just became easier, natural and more powerful

This is, hands down, one of the biggest and best changes we’ve made to the automation editor in years. It has been roughly eight months in the making, built and refined release after release by a lot of people, and shaped by a mountain of your feedback along the way. As of this release, it is here for everyone, and we could not be more excited to finally hand it over.

Why are we this excited? Because automations have always asked you to meet Home Assistant halfway. Some people still talk about it like you need YAML, a coding background, and a free evening just to automate a light. That hasn’t been true for a while, and this release takes the biggest step yet toward closing that gap for good.

Back in Home Assistant 2025.12, we introduced purpose-specific triggers and conditions in Settings > System > Labs. Every release since has added more of them and polished the experience. This release, they graduate: this new way of building automations is out of Labs and becomes the new default for everyone. 🎉

It is tempting to read this as a nicer set of menu options. It is much more than that. It is a different starting point: you describe what you want your home to react to, rather than starting from the technical building blocks underneath.

Start with what you want, not how it works

An automation engine thinks in primitives. People don’t. You think “when the front door opens”, “when the last person leaves”, or “when a battery runs low”.

The old path started somewhere else, with Home Assistant’s internals. Which entity? Which state? Does it become on, detected, home, or not_home? Do I need a state trigger, a numeric state trigger, a device trigger, or a system event? If you know Home Assistant well, those questions are second nature. If you don’t, they are the wall you hit before you even start. 😤

The new triggers and conditions speak the language of the thing you care about. When the bedroom drops below 18°C, turn on the heating. You don’t think about numeric state triggers, attributes, or units. You pick Temperature crossed threshold and say what matters. Or Battery low: no need to know whether a device reports its battery as a percentage sensor, or what counts as “low”. You build around the moment itself.

Screenshot of the automation editor showing the new purpose-specific triggers, described by what they do rather than their underlying state.

Built around areas, not one device or entity at a time

The new building blocks also support targets, and that is a bigger deal than it sounds.

You can build an automation around motion in the living room, instead of around one specific motion sensor. One sensor in that room, fine. Ten, also fine. Swap one out next year, add another, or remove the one that kept seeing the cat, and the automation keeps describing the same intent: motion in the living room.

When motion is detected outside, turn on the lights outside. The trigger points at the outside area, the action points at the outside lights. Change which sensors or lights live there later, and the automation follows along. It reads like a sentence, and it is one less fragile list of entities to maintain forever.

Screenshot of an automation built around motion in an area instead of a single sensor entity.

More than friendlier wording

Here is the part that is easy to miss: this isn’t just a friendly wrapper around the old triggers.

These triggers and conditions can be extended by integrations, including custom and community ones. Integrations have long been able to add their own actions; now they can add their own triggers and conditions too. Picture a washing machine integration offering a plain “laundry is done” trigger, with no need to know which state value or attribute actually means finished. An integration knows things you would otherwise have to figure out yourself: which state changes matter, which to ignore, which edge cases are normal, and what a useful automation moment looks like in its world.

A sensor can tell you the electricity price. The integration can tell you when the price is lowest today. Instead of everyone rebuilding the same template, or learning the quirks of one particular heat pump, EV charger, or alarm panel, the integration can offer the triggers, conditions, and actions that make sense for it. That turns the automation engine into something integrations can teach. It is where “more power, less complexity” stops being a slogan.

No technical traps

There is a quieter benefit too: No technical traps. 💪

With these new triggers, you don’t need to care about unknown or unavailable states. The building block handles those in the way that makes sense for its purpose. The moment you have to decide whether one specific automation should ignore unavailable, wait it out, or treat it as false, we have already made you think about the wrong thing.

Event entities are another classic. Automate around one with a plain state trigger and you may discover it doesn’t fire the second time the same event happens, because the state didn’t change the way you expected. A purpose-specific trigger expresses the event directly, so that whole class of surprise simply goes away.

Screenshot of the automation editor reacting to an event entity directly, instead of working around its state.

Your automations are safe, and YAML isn’t going anywhere

Before anyone opens a forum thread in mild panic: no, you don’t need to rewrite anything.

Existing automations keep working. Generic triggers, conditions, templates, and YAML all keep working. The new triggers and conditions are simply the better starting point for the next automation you build, and a nicer option when you decide to improve an old one. It is not a migration tax.

And this isn’t Home Assistant walking away from YAML. We put real effort into making the new building blocks read well in YAML too, the same way we did when automations moved to triggers, conditions, and actions and swapped service for action. If text is your interface, it should feel just as natural. If you use YAML to write automations, we are sure you’ll love the new triggers and conditions just as much!

Documentation is part of the feature

We also did the less flashy work, which on a project like this is often the work that matters most. Every trigger, condition, and action now has its own documentation page over at triggers, conditions, and actions. Each one explains what the building block is, when you would reach for it, how to use it from the automation editor, how it looks in YAML, and includes real examples to learn from.

Screenshot of a trigger documentation page, explaining what the building block does, how to use it in the UI, and how it looks in YAML.

There is a lot of it, on purpose. Approachability is not only about a friendlier button in the UI. It is also about helping you understand what that button does, and when to use it. Good documentation is product work, even when it does not get its own screenshot.

There is an AI angle here too, and it belongs in the right place: this is for people first. But many of you already use AI to help build automations, and clearer, well-described building blocks give those tools much better material to work with. Their suggestions can become more consistent, because there is less Home Assistant-specific guesswork to invent. It will not happen overnight, since most models are trained on older examples and may keep suggesting the old patterns for a while. The better the documentation, the faster both people and machines pick up the new way.

Haven’t tried building automations this way yet? Open the automation editor and start with what you want to happen. We think you’ll like where it begins. 😎

Activity logbook

Activity, the feature many of you still know as the logbook, has always been there to answer a simple question: what happened, and when? The way it answered, though, was a flat list of full sentences. “Living room lamp turned on.” “Auto lights was triggered by motion.” Every row was a complete sentence, the device name was repeated on every line, and it used its own wording (“turned on”, “changed to”) that didn’t quite match how states are written everywhere else in Home Assistant. Reading back a busy day meant reading every single line.

This release rebuilds it from the ground up into a timeline.

Screenshot of the redesigned Activity timeline, with entries grouped by day on a vertical rail with colored state dots.

Each entry now sits on a vertical rail: the time on the left, a colored dot with the entity’s icon, and the text beside it. You read it top to bottom, like a feed. Entries are grouped by day, with Today, Yesterday, and dated headers, so you never lose track of where you are in time. The dot takes on the state color too, so an on and an off are easy to tell apart at a glance, without reading a word.

It also shows only the context you actually need. The timeline trims the name down to where you’re looking: on an entity page you just see the value, on a device page the device name is dropped, and on an area page the area is left out. No more reading the same device name on every row.

A few more touches make it feel right at home:

  • The same words as the rest of the app. State text now comes from the backend, the same source the rest of Home Assistant uses, so it reads identically everywhere and in every language. No more logbook-only verbs.
  • It shows the cause. When something was set in motion by a person, you see their avatar. An automation shows what triggered it, and an integration shows its brand icon. The “why” sits right next to the “what”.
  • Time the way you want it. In the compact views, like the more info dialog, device and area pages, and on cards, select the timestamp to flip between absolute time and a relative “2 hours ago”. A quick glance when you want it, exact precision when you need it.
Screenshot of the compact Activity timeline inside a more info dialog, showing the cause icon and trailing time.

The same component powers all of this, so the timeline stays consistent whether it’s filling the full Activity page on a wide screen or tucked into a card on your phone. Wide screens get the full timeline with the time column and icons; narrow screens and cards get a compact version with the cause icon and the time trailing the entry.

Update all

We’ve all been there. You open Settings > Updates after being away for a bit, and there it is: a wall of pending updates. A new Home Assistant release, a handful of apps, that one integration, and seven ESPHome devices that all decided to ship new firmware in the same week. Keeping up used to mean working down that list one entry at a time, selecting, waiting, selecting the next, and repeating until your finger got tired.

Not anymore. This release reorganizes the updates page around how you actually think about your system, and adds a single button that does the heavy lifting: Update all.

Screenshot of the redesigned Updates page showing pending updates grouped into cards.

Instead of one long, flat list, your pending updates are now grouped into clear cards, each covering a part of your setup:

  • Home Assistant sits right at the top, with Core, the Operating System, and the Supervisor. These run the core of your system, so they’re kept on their own, without an Update all button. You apply them yourself, on purpose.
  • Integrations with several pending updates get a card of their own. Those seven ESPHome devices? Bundled together, so a single selection brings them all up to date. The same goes for a stack of HACS integrations waiting on a new version.
  • Integrations gathers the remaining one-off integration updates into one tidy card.
  • Apps does the same for your apps (used to be called add-ons).
  • Skipped updates show up in their own card once you turn on Show skipped updates. Keeping them separate means they never get swept along by an Update all you didn’t intend for them.

Select Update all on any card, and Home Assistant takes it from there, updating everything in that group in one go. No ticking boxes, no confirmation dialog to step through, just done.

It’s a small change to a page you only visit now and then, but it turns a recurring chore into a couple of taps.

Integrations

Thanks to our community for keeping pace with the new integrations and improvements to existing ones! You’re all awesome 🥰

New integrations

We welcome the following new integrations in this release:

  • Aqvify, added by @astrandb, launching at 🏆 platinum quality
    Monitor your Aqvify water well and tank sensors in Home Assistant. The integration connects through Aqvify’s public cloud API and exposes sensors for your well water level, so you can keep an eye on your supply and build automations around it.

  • Chef iQ, added by @Invader444
    Read the temperatures from your Chef iQ wireless cooking probes directly over Bluetooth. No cloud account, base station, or hub is needed: the probe broadcasts its readings and Home Assistant listens passively.

  • Dropbox, added by @bdr99
    Store your Home Assistant backups straight to your Dropbox account. Setup runs through the Home Assistant Cloud Account Linking service, so you do not need a Home Assistant Cloud subscription or your own application credentials to get started. Once connected, Dropbox shows up as a backup location alongside the rest.

  • Edifier Infrared, added by @abmantis
    Control your Edifier speaker with any infrared transmitter you already have set up in Home Assistant. Built on the Infrared entity platform, so you can pair it with an ESPHome device with an IR LED, or any other supported IR emitter. Communication is one-way, so the integration uses assumed states.

  • energieleser, added by @AjinkyaGokhale
    Bring real-time energy readings into Home Assistant from energieleser devices, such as stromleser, gasleser, wasserleser, and wärmeleser. The integration reads consumption data over a local HTTP API, so all communication stays on your network.

  • Envertech EVT800, added by @daniel-bergmann-00
    Monitor your Envertech EVT800 solar microinverter in Home Assistant. The integration receives data locally over your network, exposing energy and power readings you can track on dashboards and use in automations.

  • Greencell, added by @BrzezowskiGC
    Connect your Greencell EV charging devices to Home Assistant over MQTT. It monitors charger status and electrical measurements like voltage, current, and power, and exposes real-time telemetry and charging-session data for dashboards and automations.

  • Helty Flow, added by @ebaschiera
    Control your Helty Flow decentralized heat-recovery ventilation units with the smart Wi-Fi interface. The integration talks to each unit directly on your local network, so it keeps working without an internet connection.

  • KlikAanKlikUit, added by @Phunkafizer
    Control self-learning KlikAanKlikUit 433.92 MHz RF devices from Home Assistant. Because the integration sends commands over RF without a feedback channel, it uses assumed states.

  • MELCloud Home, added by @erwindouna
    Bring your Mitsubishi Electric air conditioning and heat pump products into Home Assistant through MELCloud Home, Mitsubishi Electric’s cloud service. Monitor and control your devices alongside the rest of your home automations.

This release also has new virtual integrations. Virtual integrations are stubs that are handled by other (existing) integrations to help with findability. These ones are new:

Noteworthy improvements to existing integrations

It is not just new integrations that have been added; existing ones keep getting better too. Here are some of the noteworthy improvements this release:

Integration quality scale achievements

One thing we are incredibly proud of in Home Assistant is our integration quality scale. This scale helps us and our contributors to ensure integrations are of high quality, maintainable, and provide the best possible user experience.

This release, we celebrate several integrations that have improved their quality scale:

This is a huge achievement for these integrations and their maintainers. The effort and dedication required to reach these quality levels is significant, as it involves extensive testing, documentation, error handling, and often complete rewrites of parts of the integration.

A big thank you to all the contributors involved! 👏

Now available to set up from the UI

While most integrations can be set up directly from the Home Assistant user interface, some were only available using YAML configuration. We keep moving more integrations to the UI, making them more accessible for everyone to set up and use.

The following integrations are now available via the Home Assistant UI:

Farewell to the following

Time for a little cleaning, and no, we did not wait for spring. The following integrations are no longer available as of this release. Most had been broken for a while, leaning on libraries or services that went unmaintained or offline years ago:

  • Acer projector has been removed. It had been broken since 2019.
  • Ampio Smog has been removed. The air quality service it polled is offline and its library has been unmaintained since 2019, so it no longer works.
  • ATEN Rack PDU has been removed. It had been broken since 2024 over a dependency conflict, and its maintainer stepped down with no one to take over.
  • Avi-on has been removed. It depended on the bluepy library, which Home Assistant dropped back in 2022.7, and which has been unmaintained since 2018.
  • BeeWi SmartClim has been removed for the same reason: it relied on the long-unmaintained bluepy library that Home Assistant dropped in 2022.7.
  • BlinkStick has been removed. It was disabled in 2024 because it relied on a non-open-source library that has been unmaintained since 2020.
  • Clementine has been removed. It had been broken since 2023, and its library has been unmaintained since 2018.
  • Dovado has been removed. It was disabled in 2024.7 because it relied on a non-open-source library that has been unmaintained since 2017.
  • ELIQ Online has been removed. Its API endpoint no longer exists, and the underlying library has been unmaintained for years.
  • Gitter has been removed. Gitter migrated to Matrix back in 2023 and its old API no longer works, so it is now a virtual integration handled by the Matrix integration, which you can use to connect instead.
  • Greenwave Reality has been removed. It had been broken since around 2022, because the devices use an outdated encryption key that modern systems reject, and its library has been unmaintained since 2018.
  • Logentries has been removed. The service was rebranded to InsightOps years ago and is no longer offered, and its API endpoint no longer responds.
  • Microsoft Face has been removed, together with the Microsoft Face Detect and Microsoft Face Identify integrations that built on it. They had been broken since 2022 after a change to Microsoft’s Azure face API.
  • MS Teams has been removed. The integration relied on Office 365 Connectors, which Microsoft discontinued on May 22, 2026, so it no longer works.
  • Mycroft has been removed. It was disabled in 2023.6 over an unresolvable dependency conflict, and its library has not been updated since.
  • SCSGate has been removed. It required obscure DIY hardware that is no longer available, its library has been unmaintained for a decade, and it had effectively no users left.
  • ThermoWorks Smoke has been removed. It was disabled in 2024.10 over a dependency conflict, and its library has been unmaintained since 2019.
  • Tikteck has been removed.
  • UniFi LED has been removed. The hardware is discontinued and the integration had no remaining users.
  • Watson TTS has been removed. It was disabled in 2023 over a dependency conflict, and no one stepped up to update it since.

Other noteworthy changes

There are many more improvements in this release; here are some of the other noteworthy changes:

  • Edit a running timer’s duration. Change a timer’s duration straight from its dialog, no need to cancel and start over. Thanks, @chli1!
  • A faster frontend. A big batch of performance work landed this release, most noticeably across the energy, history, and statistics graphs, so they draw quicker and feel snappier. Thanks, @MindFreeze!
  • Device and area pages adapt to your screen. They now use a responsive column layout, and the device page lists its main entities first, so the important controls sit right at the top.
  • More context in the scene editor. Entity rows now show their type and the integration they belong to, making large scenes easier to read. Thanks, @pszypowicz!
  • Tags in the Apps store. The Apps store now shows tags and marks which apps you already have installed. Thanks, @bramkragten!
  • A sub-editor for the statistics graph card. Tune each entity right from the card’s visual editor. Thanks, @ildar170975!
  • Live condition testing keeps improving. Conditions now show clearer status icons (addressing the red and green only accessibility concern from last release), the indicator works on mobile in the visibility editor, and live testing now covers conditions inside actions too. Thanks, @silamon and @marcinbauer-ohf!
  • Hide columns in Developer tools. The States tab can now hide the Device and Area columns. Thanks, @vingerha!
  • Matter soil moisture sensors. Matter-certified soil moisture sensors now show up in Home Assistant. Thanks, @lboue!
  • A projector device class for media players. Projectors are now a proper media player device class, surfaced through Google Assistant, HomeKit, and SmartThings too. Thanks, @jtjart!
  • Template lights gain xy color. Build template lights with full xy color support. Thanks, @Petro31!
  • Clean a specific room from Google Assistant. Ask Google to send your robot vacuum to a particular room. Thanks, @joostlek!
  • Snappier templates. Under the hood, a template engine optimization makes templates render up to 40% faster. Thanks, @frenck!
  • Clearer automation traces. When you debug an automation or script, its trace now always includes template errors, making it easier to spot what went wrong. Thanks, @emontnemery!

Time format selection

Some entities tell time. A sensor with the next sunrise, the timestamp of your last backup, a countdown to the next calendar event. How that moment should be shown is a matter of taste: sometimes you want the exact date and time, and sometimes a friendly “in 3 hours” or “2 days ago” is far more useful at a glance.

Until now, picking how a timestamp was displayed meant editing YAML. This release brings that choice into the UI. When you add a timestamp entity to a tile card, the entities card, or as an entity badge, a Time format option shows up in the editor, so you can choose how the time is presented, including a new short or long style for the relative format.

Screenshot of the tile card editor showing the new Time format option for a timestamp entity.

Thanks, @karwosts!

Dedicated panels for infrared and radio frequency

Earlier this year, Home Assistant gained dedicated entity platforms for infrared and radio frequency devices, the building blocks behind integrations that reach your gear through an IR blaster or a 433 MHz transmitter. This release gives them a proper home.

Two new panels show up in the Settings menu, one for infrared and one for radio frequency. Each lists the proxies and transmitters you’ve set up, so you can see your IR blasters and RF bridges at a glance and jump straight to the one you’re looking for, instead of hunting for them among everything else. The panels only appear when you actually have such devices, so they stay out of the way if you don’t.

Screenshot of the new infrared and radio frequency panels in the Settings menu, each listing the configured proxies.

Thanks, @balloob!

The ZHA Zigbee device management got an overhaul

Managing a Zigbee device through ZHA used to mean squinting at a cramped dialog. The clusters, bindings, signature, and neighbors tools were all there, but crammed into a small popup that left little room to breathe.

This release moves all of that onto a dedicated, full-page device view. The same tools are now laid out across tabbed navigation, with a device summary card up top, and the loading, empty, and error states have been cleaned up throughout. It’s the same powerful Zigbee management, just far easier to work with.

Screenshot of the revamped ZHA device management page, with a device summary card and tabbed navigation for clusters, bindings, signature, and neighbors.

Thanks, @jpbede!

Keeping your Raspberry Pi firmware up to date

Running Home Assistant Operating System on a Raspberry Pi? You are in good company: per our public, opt-in analytics, the Raspberry Pi platform currently powers about a third of all installations. As of this release, there is an “update entity” for the Pi’s bootloader firmware, also often referred to as the EEPROM update. You can keep it current right from Settings > Updates, the same place you handle every other update.

This is more than a nice-to-have. Especially on the Raspberry Pi 5 and Compute Module 5, the firmware contains bug fixes, compatibility improvements for NVMe drives, thermal improvements, and much more. Until now, updating that firmware was cumbersome: you had to flash another SD card with a special image, or connect a keyboard and a display and run the rpi-eeprom-update command by hand. Now it takes a single step.

Screenshot of the Raspberry Pi firmware update entity on the Settings, Updates page.

A few things to keep in mind:

  • This needs Home Assistant Operating System 18 or newer, which provides the support the update entity builds on. On older versions, the entity simply isn’t there.
  • On a Raspberry Pi 4, the firmware can only be updated when the board boots from an SD card. If your Pi 4 boots from USB storage, the update isn’t available. This is a limitation of the update system, and one more reason we recommend using USB only as a data disk while keeping an SD card as the main boot device.
  • Not every board can update its firmware this way. Besides a Raspberry Pi 4 booting from USB storage, the Home Assistant Yellow with a Compute Module 4 isn’t supported either. Where an update can’t be applied, the entity doesn’t appear at all, so you don’t see an update that wouldn’t work.
  • After the update is applied, Home Assistant prompts you to reboot to complete it.

Thanks, @sairon!

Need help? Join the community

Home Assistant has a great community of users who are all more than willing to help each other out. So, join us!

Our very active Discord chat server is an excellent place to be, and don’t forget to join our amazing forums.

Found a bug or issue? Please report it in our issue tracker to get it fixed! Or check our help page for guidance on more places you can go.

Are you more into email? Sign up for the Open Home Foundation Newsletter to get the latest news about features, things happening in our community, and other projects that support the Open Home straight into your inbox.

Backward-incompatible changes

We do our best to avoid making changes to existing functionality that might unexpectedly impact your Home Assistant installation. Unfortunately, sometimes it is inevitable.

We always make sure to document these changes to make the transition as easy as possible for you. This release has the following backward-incompatible changes:

Purpose-specific triggers and conditions

Several entity triggers and conditions, part of the new purpose-specific triggers and conditions, have been renamed so their keys are consistent across all domains. The old keys no longer work.

The following triggers changed:

  • battery.low is now battery.became_low
  • battery.not_low is now battery.no_longer_low
  • lawn_mower.docked is now lawn_mower.returned_to_dock
  • schedule.turned_off is now schedule.block_ended
  • schedule.turned_on is now schedule.block_started
  • timer.time_remaining is now timer.remaining_time_reached
  • update.update_became_available is now update.became_available
  • vacuum.docked is now vacuum.returned_to_dock

The following conditions changed:

  • climate.target_humidity is now climate.is_target_humidity
  • climate.target_temperature is now climate.is_target_temperature

If an automation or script uses one of these, it will stop working until updated. To fix it, open the affected automation or script, re-select the trigger or condition (it now appears under its new name), and save. If you edit in YAML, replace the old key with the new one from the list above.

(@frenck - #174463)
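A pre-upgrade check for the renames listed above, as an added example that is not part of the release notes or Home Assistant's own code. It rewrites an old key only where it is the value of a `trigger:` or `condition:` field and flags every other occurrence for manual review, because a string such as `timer.time_remaining` can also be a valid entity ID. The field layout and the constructed sample YAML are assumptions; only the old and new key names come from the lists above.

```python
import re

# Old key -> new key, copied from the lists in the release notes above.
TRIGGERS = {
    "battery.low": "battery.became_low",
    "battery.not_low": "battery.no_longer_low",
    "lawn_mower.docked": "lawn_mower.returned_to_dock",
    "schedule.turned_off": "schedule.block_ended",
    "schedule.turned_on": "schedule.block_started",
    "timer.time_remaining": "timer.remaining_time_reached",
    "update.update_became_available": "update.became_available",
    "vacuum.docked": "vacuum.returned_to_dock",
}
CONDITIONS = {
    "climate.target_humidity": "climate.is_target_humidity",
    "climate.target_temperature": "climate.is_target_temperature",
}
RENAMED = {**TRIGGERS, **CONDITIONS}
TABLES = {"trigger": TRIGGERS, "condition": CONDITIONS}

# Assumption: the key is the whole value of a `trigger:` / `condition:` field,
# optionally quoted, optionally followed by a YAML comment.
FIELD_RE = re.compile(
    r"^(\s*(?:-\s+)?)(trigger|condition)(\s*:\s*)(['\"]?)([\w.]+)\4(\s*(?:#.*)?)$"
)

# Any other mention of an old key. The boundaries stop matches inside longer
# identifiers such as `battery.low_level` or `sensor.battery.low`.
ANY_RE = re.compile(
    r"(?<![\w.])("
    + "|".join(re.escape(k) for k in sorted(RENAMED, key=len, reverse=True))
    + r")(?![\w.])"
)


def migrate(text):
    """Return (new_text, findings).

    findings is a list of (line_no, old_key, new_key, kind). kind is "rename"
    when the line was rewritten and "review" when the old key appears somewhere
    it may legitimately belong (for example as an entity ID).
    """
    out, findings = [], []
    for no, line in enumerate(text.splitlines(), 1):
        m = FIELD_RE.match(line)
        if m and m.group(5) in TABLES[m.group(2)]:
            old = m.group(5)
            new = TABLES[m.group(2)][old]
            findings.append((no, old, new, "rename"))
            lead, field, sep, quote, _, tail = m.groups()
            line = f"{lead}{field}{sep}{quote}{new}{quote}{tail}"
        else:
            for hit in ANY_RE.finditer(line):
                old = hit.group(1)
                findings.append((no, old, RENAMED[old], "review"))
        out.append(line)
    new_text = "\n".join(out) + ("\n" if text.endswith("\n") else "")
    return new_text, findings


# Constructed sample; everything except the key names is illustrative.
SAMPLE = """\
- alias: Low battery alert
  triggers:
    - trigger: battery.low
      target:
        entity_id: sensor.phone_battery
  conditions:
    - condition: climate.target_temperature
  actions:
    - action: timer.start
      target:
        entity_id: timer.time_remaining
- alias: Vacuum docked
  triggers:
    - trigger: "vacuum.docked"
"""

if __name__ == "__main__":
    migrated, report = migrate(SAMPLE)
    for line_no, old, new, kind in report:
        print(f"line {line_no}: {kind:6} {old} -> {new}")
    print(migrated)
```

Run it against a copy of your configuration first and diff the result before replacing any file.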

BSB-LAN

The BSB-LAN integration has reduced its support for the older version 1 JSON API. If your BSB-LAN device runs very old firmware that only speaks the version 1 API, update it to firmware that supports the version 2 API to keep everything working.

A repair notification will let you know if your device is affected.

(@liudger - #172843) (BSB-LAN documentation)

iCloud

The battery_level attribute has been removed from iCloud device tracker entities. Use the dedicated battery sensor in your automations and scripts instead.

(@some-random-climber - #174117) (iCloud documentation)

Person

Person entities no longer report the latitude and longitude of the home zone when their location comes from a presence scanner associated with the home zone.

If you have automations or scripts that check the coordinates of a person, adjust them. To check whether a person is in a specific zone, use the new in_zones state attribute instead.

(@emontnemery - #173042) (Person documentation)

Rabbit Air

The Rabbit Air fan preset mode values changed from title case to lowercase to match Home Assistant’s state convention: Auto is now auto, Manual is now manual, and Pollen is now pollen. The user-facing labels stay the same through translations.

Update any automations, scripts, templates, or action calls that reference the old title-case preset values.

(@MagikalUnicorn - #172931) (Rabbit Air documentation)

Reolink

Reolink Duo PoE and Duo WiFi dual-lens cameras now expose a sub-device per lens. The camera and motion/AI sensor entities that previously had a “lens 0” or “lens 1” suffix in their name are moved to the new lens sub-devices and lose that suffix. Entity IDs and custom names stay the same, so most automations keep working.

If you target these entities through the camera device, update them to use the new lens sub-devices.

(@Markus98 - #173037) (Reolink documentation)

StarLine

The battery_level attribute has been removed from StarLine device tracker entities. Use the dedicated battery sensor in your automations and scripts instead.

(@some-random-climber - #174118) (StarLine documentation)

Tesla Fleet

The route device tracker (device_tracker.<vehicle>_route) no longer reports the active route’s destination name as its state. Its state is now derived from your zones like a normal device tracker (home, not_home, or a zone name), based on the route’s coordinates.

The destination name is still available through the new destination sensor (sensor.<vehicle>_destination), which is disabled by default. Enable it from the entity settings if you have automations that relied on the destination name, and update any automations that matched the old route tracker state.

(@Bre77 - #172513) (Tesla Fleet documentation)

Teslemetry

The route device tracker no longer reports the active route’s destination as its state or through a location_name attribute. Its state is now derived purely from the route’s coordinates (zone-aware, like home or not_home).

If you relied on the destination name, enable the new Destination sensor (sensor.*_destination), which is disabled by default and reports the destination name as Tesla provides it.

(@Bre77 - #172514) (Teslemetry documentation)

Tractive

The battery_level attribute has been removed from Tractive device tracker entities. Use the dedicated battery sensor in your automations and scripts instead.

(@bieniu - #172756) (Tractive documentation)

Zeroconf

The legacy requires_api_password field has been removed from the Home Assistant zeroconf/mDNS discovery announcement (_home-assistant._tcp). It had been hardcoded to true since the http.api_password authentication mechanism was removed in Home Assistant 2024.7, so it no longer carried any meaning. The official companion apps already ignore it.

Third-party discovery clients that still read this field need to tolerate its absence.

(@agners - #173090) (Zeroconf documentation) (API documentation)

Zone

The state (person count) and persons attribute of zone entities are now calculated from the in_zones attribute of person entities. As a result, a person can now be counted in more than one zone at the same time. For example, a person who is home with in_zones: ["home", "near_home"] now counts toward both zone.home and zone.near_home, where previously they only counted toward zone.home.

In addition, the state of position-aware device trackers is now the smallest zone the device is in, instead of the zone whose center it is closest to.

Automations, scripts, or templates that depend on zone person counts or on device tracker zone states may need to be adjusted.

(@emontnemery - #172942, #173106) (Zone documentation)

Z-Wave JS

This release requires an updated Z-Wave JS server. You need zwave-js-server 3.9.0 or newer (schema 49):

  • If you use the Z-Wave JS app, update it to at least version 1.4.0.
  • If you use the Z-Wave JS UI Docker container, update it to at least version 11.19.1.
  • If you run your own zwave-js-server, update it to at least version 3.9.0.

(@AlCalzone - #173309) (Z-Wave JS documentation)

If you are a custom integration developer and want to learn about changes and new features available for your integration: Be sure to follow our developer blog. The following changes are the most notable for this release:

All changes

Of course, there is a lot more in this release. You can find a list of all changes made here: Full changelog for Home Assistant Core 2026.7.


v2.5.4

1 July 2026 at 17:45

New

  • Node.js 24 LTS Support
  • MariaDB 12.3 Support
  • Ubuntu 26.04 Support

Bug Fixes

  • #758 site:delete does not remove user crontab in /var/spool/cron/crontabs/
  • #761 SitePhpSettingsType.php throws 500 error while managing PHP sites — TypeError: Unsupported operand types (string + int)
  • #771 Font files missing correct mime type header in NGINX


British Columbia: Cities

By: David
1 July 2026 at 17:00

British Columbia is home to some of Canada's most breathtaking landscapes, vibrant communities, and industries that keep the province moving. Today, we're excited to take you on a tour of several cities and towns featured in our upcoming British Columbia DLC for American Truck Simulator.

Grand Forks

Located in the beautiful Boundary Country region, Grand Forks sits at the meeting point of the Kettle and Granby Rivers. Surrounded by rolling hills, farmland, and forests, this welcoming community serves as an important agricultural and transportation center in southern British Columbia.

As you drive through town, you'll discover a charming downtown area alongside local industries that help support the region's economy. Truckers can find work connected to a local sawmill and building material factory, while those exploring the city may spot the historic gallery located near the heart of town. Whether you're delivering cargo or passing through on a longer journey, Grand Forks offers a relaxing stop with plenty of scenic views along the way.

Creston

Nestled within a fertile valley near the United States border, Creston is well known throughout British Columbia for its rich agricultural heritage. Surrounded by mountains and open farmland, this picturesque community offers drivers some truly memorable views.

Our team has recreated key landmarks and the area's distinct atmosphere, allowing players to experience the charm of this valley town firsthand. As you make your way through Creston, keep an eye out for recognizable sights, including the local theater, library, visitor center, and Presbyterian church. Truckers can also find a variety of cargo opportunities connected to the region's agricultural economy, with deliveries to and from farms, a winery, and a beverage factory making Creston an important destination for those traveling through southeastern British Columbia.

Sparwood

At the foot of the Canadian Rockies lies Sparwood, a town deeply connected to British Columbia's mining industry. Surrounded by rugged mountain landscapes, Sparwood is perhaps best known for its rich coal mining heritage and impressive industrial operations.

Drivers passing through will encounter dramatic scenery, steep mountain grades, and large-scale industry centered around the local coal mine. Keep an eye out for some of Sparwood's recognizable landmarks, including the visitor center, library, and the famous World's Largest Tandem Axle Truck displayed proudly near the highway. It's a sight that's hard to miss and has been carefully recreated by our map team.

Invermere

Situated along the shores of Lake Windermere, Invermere offers a refreshing change of pace amid the towering peaks of the Columbia Valley. Popular with both locals and visitors, this mountain town combines beautiful scenery with a welcoming small-town atmosphere.

As you travel through the area, you'll encounter stunning views of nearby lakes, forests, and mountain ranges. While tourism plays a significant role in the region, truckers will also find important connections to local businesses that help keep the valley supplied year-round. Drivers familiar with the area may even recognize the iconic Steak & Schnitzel Haus, faithfully recreated as part of the town's streetscape.

Golden

Nestled between several major mountain ranges, Golden serves as an important gateway to British Columbia's interior. Its strategic location has made it a key transportation hub for decades, connecting communities through some of Canada's most spectacular landscapes.

Players can look forward to navigating winding mountain highways, crossing impressive bridges, and experiencing the unique geography that surrounds the town. Golden's position along major transportation corridors ensures that there will be no shortage of deliveries moving through this busy mountain community, including work connected to the local railyard. Be sure to also look out for the town's visitor center as you pass through.

Princeton

Located where several highways converge, Princeton has long served as an important stop for travelers and truckers crossing southern British Columbia. Rich in history and surrounded by forests, rivers, and rolling hills, the town retains much of its classic frontier character.

As you pass through Princeton, you'll discover a blend of historic charm and modern industry. Local businesses and resource-based industries provide valuable job opportunities, including deliveries connected to a sawmill and nearby copper mining operations. Be sure to take in the surrounding scenery as you continue your travels through the region.

Campbell River

Situated on the eastern coast of Vancouver Island, Campbell River is known as one of British Columbia's premier coastal communities. Surrounded by forests and the waters of the Discovery Passage, it plays a vital role in the province's forestry, fishing, and transportation industries.

Truckers arriving in Campbell River will experience a unique coastal atmosphere unlike anywhere else in the DLC. From bustling industrial areas to scenic waterfront views, the city offers a memorable destination for those making deliveries across Vancouver Island. Drivers can also service the local marina, an important part of Campbell River's connection to the surrounding waterways. The surrounding landscapes and industries provide plenty of reasons to return time and time again.

These are just a few of the many cities and communities you'll be able to discover throughout British Columbia. Our teams are working hard to capture the unique character, industries, and landscapes that make this province such an exciting destination for truckers.

Stay tuned for more previews as we continue to reveal what’s in store for this DLC. In the meantime, don’t forget to add British Columbia to your Steam Wishlist and follow us on X/Twitter, Instagram, Facebook, Bluesky, and TikTok, or subscribe to our newsletter for more behind-the-scenes content, teasers, and announcements. Until next time, keep on truckin' and happy haulin'!


Counter-Strike 2 Update

1 July 2026 at 04:57
[ COLOGNE 2026 MAJOR ]
  • Champions Autograph Stickers are now available for purchase in the Major Shop, congratulations to the Falcons!
  • Highlight Souvenir Charms are now available for purchase in the Major Shop, featuring 10 highlights for each of the six stages of the Cologne 2026 Major, and the Falcons' trophy-lifting moment.

Three war books or a receipt printer | POM S11E40

The last one before the summer, and Ernst-Jan is still wet from the penalties: during the Dutch national team's elimination he was packing the lunch boxes at six in the morning, a surprisingly effective coping mechanism. Alexander comes out of the closet without shame as an air-conditioner owner whose unit does cool and does not blare all night long. Then Ernst-Jan pulls open a drawer full of summer books that all happen to be about war and downfall, from Dispatches on Vietnam to There Is No Antimemetics Division on anti-memes that erase their own tracks. Alexander offers an antidote: a seventy-euro Chinese e-reader that clips onto the back of your phone, and a receipt printer that serves him a little paper newspaper every morning, hacked breaking news from the school app included.

Whether you read three heavyweight books or solder your own receipt system, this is the summer episode in which Ernst-Jan makes you feel what pain is and Alexander reminds you that tinkering exists too.

Want to read more about Carbon Equity? Then take a look at carbonequity.com

Sign up for the Amsterdam Business Forum via denkproducties.nl/pom and, as a POM listener, automatically get access to an exclusive session with Seth Godin.

Subscribe to the newsletter via pom.show, come to POM Live; get your ticket here, and finally: interested in a partnership with POM? Then go to pom.partners for more information.



This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit www.pom.show


Stable Channel Update for Desktop

1 July 2026 at 12:38

The Chrome team is delighted to announce the promotion of Chrome 150 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.

Chrome 150.0.7871.46 (Linux) 150.0.7871.46/.47 Windows/Mac contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 150.

Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 382 security fixes. Please see the Chrome Security Page for more information.
[N/A][506558270] Critical CVE-2026-13774: Use after free in Extensions. Reported by Google on 2026-04-26
[N/A][511766407] Critical CVE-2026-13775: Use after free in GPU. Reported by Google on 2026-05-10
[N/A][513012139] Critical CVE-2026-13776: Type Confusion in Dawn. Reported by Google on 2026-05-14
[N/A][513128566] Critical CVE-2026-13777: Insufficient validation of untrusted input in iOSWeb. Reported by Google on 2026-05-14
[N/A][513167952] Critical CVE-2026-13778: Use after free in WebUSB. Reported by Google on 2026-05-14
[N/A][513222854] Critical CVE-2026-13779: Use after free in Chromoting. Reported by Google on 2026-05-14
[N/A][514769383] Critical CVE-2026-13780: Insufficient validation of untrusted input in ANGLE. Reported by Google on 2026-05-19
[N/A][516457532] Critical CVE-2026-13781: Insufficient validation of untrusted input in Skia. Reported by Google on 2026-05-25
[N/A][516683433] Critical CVE-2026-13782: Use after free in Browser. Reported by Google on 2026-05-26
[N/A][516962178] Critical CVE-2026-13783: Use after free in Views. Reported by Google on 2026-05-27
[N/A][516962715] Critical CVE-2026-13784: Use after free in Views. Reported by Google on 2026-05-27
[N/A][517021684] Critical CVE-2026-13785: Use after free in Bluetooth. Reported by Google on 2026-05-27
[N/A][518007821] Critical CVE-2026-13786: Use after free in Ozone. Reported by Google on 2026-05-29
[N/A][522919313] Critical CVE-2026-13787: Use after free in Chromoting. Reported by Google on 2026-06-11
[N/A][523119897] Critical CVE-2026-13788: Use after free in Fullscreen. Reported by Google on 2026-06-12
[$36000][493847920] High CVE-2026-13789: Use after free in GPU. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-18
[$10000][457771782] High CVE-2026-13790: Side-channel information leakage in Scroll. Reported by Vsevolod Kokorin (Slonser) of Solidlab and Jorian Woltjer on 2025-11-04
[$10000][503850012] High CVE-2026-13791: Insufficient validation of untrusted input in Downloads. Reported by Ron Masas (Imperva) on 2026-04-17
[$4000][496012368] High CVE-2026-13792: Use after free in Touchbar. Reported by Weipeng Jiang (@Krace) of VRI on 2026-03-25
[$3000][510829679] High CVE-2026-13793: Insufficient policy enforcement in SVG. Reported by pakhunov.anton.n@gmail.com on 2026-05-07
[$2500][513893425] High CVE-2026-13794: Insufficient validation of untrusted input in WebAppInstalls. Reported by Daniel Rodríguez on 2026-05-16
[$2000][476591032] High CVE-2026-13795: Insufficient policy enforcement in Chrome for iOS. Reported by maitai on 2026-01-17
[N/A][491894115] High CVE-2026-13796: Integer overflow in Chromecast. Reported by Google on 2026-03-11
[N/A][499025645] High CVE-2026-13797: Insufficient validation of untrusted input in Chromecast. Reported by Google on 2026-04-02
[N/A][499048914] High CVE-2026-13798: Heap buffer overflow in Chromecast. Reported by Google on 2026-04-02
[N/A][499252371] High CVE-2026-13799: Use after free in QUIC. Reported by Google on 2026-04-03
[N/A][500108770] High CVE-2026-13800: Inappropriate implementation in Updater. Reported by Google on 2026-04-06
[N/A][500587568] High CVE-2026-13801: Integer overflow in Chromecast. Reported by Google on 2026-04-08
[N/A][501623322] High CVE-2026-13802: Use after free in Views. Reported by Google on 2026-04-11
[N/A][501669642] High CVE-2026-13803: Type Confusion in Chrome Tabs. Reported by Google on 2026-04-11
[N/A][501873032] High CVE-2026-13804: Use after free in Chromecast. Reported by Google on 2026-04-12
[N/A][502282040] High CVE-2026-13805: Use after free in GFX. Reported by Google on 2026-04-13
[N/A][503333798] High CVE-2026-13806: Insufficient validation of untrusted input in Accessibility. Reported by Google on 2026-04-16
[N/A][504194494] High CVE-2026-13807: Use after free in Import. Reported by Google on 2026-04-19
[N/A][504221510] High CVE-2026-13808: Insufficient data validation in Chrome for iOS. Reported by Google on 2026-04-19
[N/A][504222227] High CVE-2026-13809: Side-channel information leakage in Safe Browsing. Reported by Google on 2026-04-19
[TBD][504600482] High CVE-2026-13810: Inappropriate implementation in Input. Reported by dilipsc03@gmail.com on 2026-04-20
[N/A][506149253] High CVE-2026-13811: Use after free in IME. Reported by Google on 2026-04-24
[N/A][508293203] High CVE-2026-13812: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google on 2026-04-30
[N/A][508462149] High CVE-2026-13813: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google on 2026-05-01
[N/A][511712766] High CVE-2026-13814: Use after free in Views. Reported by Google on 2026-05-10
[N/A][511722207] High CVE-2026-13815: Use after free in Blink. Reported by Google on 2026-05-10
[N/A][511735715] High CVE-2026-13816: Insufficient validation of untrusted input in File Input. Reported by Google on 2026-05-10
[N/A][511739631] High CVE-2026-13817: Insufficient validation of untrusted input in Glic. Reported by Google on 2026-05-10
[N/A][511823182] High CVE-2026-13818: Inappropriate implementation in Passwords. Reported by Google on 2026-05-10
[N/A][512962749] High CVE-2026-13819: Out of bounds read in ANGLE. Reported by Google on 2026-05-13
[N/A][512986879] High CVE-2026-13820: Out of bounds read in Skia. Reported by Google on 2026-05-13
[N/A][513142445] High CVE-2026-13821: Use after free in Canvas. Reported by Google on 2026-05-14
[N/A][513148038] High CVE-2026-13822: Inappropriate implementation in Extensions. Reported by Google on 2026-05-14
[N/A][513163011] High CVE-2026-13823: Use after free in Glic. Reported by Google on 2026-05-14
[N/A][513177497] High CVE-2026-13824: Insufficient validation of untrusted input in Extensions. Reported by Google on 2026-05-14
[N/A][513209610] High CVE-2026-13825: Uninitialized Use in Dawn. Reported by Google on 2026-05-14
[N/A][513237800] High CVE-2026-13826: Inappropriate implementation in Autofill. Reported by Google on 2026-05-14
[N/A][513371963] High CVE-2026-13827: Use after free in Updater. Reported by Google on 2026-05-15
[N/A][513399832] High CVE-2026-13828: Inappropriate implementation in Enterprise. Reported by Google on 2026-05-15
[N/A][513490996] High CVE-2026-13829: Insufficient validation of untrusted input in Settings. Reported by Google on 2026-05-15
[N/A][513727494] High CVE-2026-13830: Use after free in Chromoting. Reported by Google on 2026-05-16
[N/A][513781328] High CVE-2026-13831: Use after free in GPU. Reported by Google on 2026-05-16
[N/A][513822378] High CVE-2026-13832: Use after free in Headless. Reported by Google on 2026-05-16
[N/A][513920082] High CVE-2026-13833: Uninitialized Use in ANGLE. Reported by Google on 2026-05-17
[N/A][513925114] High CVE-2026-13834: Insufficient validation of untrusted input in ANGLE. Reported by Google on 2026-05-17
[N/A][514338102] High CVE-2026-13835: Inappropriate implementation in XML. Reported by Google on 2026-05-18
[N/A][514420555] High CVE-2026-13836: Inappropriate implementation in CSS. Reported by Google on 2026-05-18
[N/A][514429130] High CVE-2026-13837: Inappropriate implementation in CSS. Reported by Google on 2026-05-18
[N/A][514445398] High CVE-2026-13838: Inappropriate implementation in CSS. Reported by Google on 2026-05-18
[N/A][514449396] High CVE-2026-13839: Inappropriate implementation in CSS. Reported by Google on 2026-05-18
[TBD][514609778] High CVE-2026-13840: Insufficient policy enforcement in Canvas. Reported by Binglin Song on 2026-05-19
[N/A][515467789] High CVE-2026-13841: Integer overflow in Skia. Reported by Google on 2026-05-21
[TBD][516836297] High CVE-2026-13842: Incorrect security UI in Chrome for iOS. Reported by Azza Tegar Naufal Ataullah on 2026-05-26
[N/A][516869032] High CVE-2026-13843: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google on 2026-05-26
[N/A][516926115] High CVE-2026-13844: Use after free in Updater. Reported by Google on 2026-05-27
[N/A][516936863] High CVE-2026-13845: Use after free in DOM. Reported by Google on 2026-05-27
[N/A][516999424] High CVE-2026-13846: Use after free in USB. Reported by Google on 2026-05-27
[N/A][517073397] High CVE-2026-13847: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google on 2026-05-27
[N/A][517345069] High CVE-2026-13848: Use after free in Forms. Reported by Google on 2026-05-28
[N/A][517351411] High CVE-2026-13849: Insufficient validation of untrusted input in Chromoting. Reported by Google on 2026-05-28
[N/A][517610676] High CVE-2026-13850: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google on 2026-05-28
[N/A][519692255] High CVE-2026-13851: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google on 2026-06-03
[N/A][522560124] High CVE-2026-13852: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google on 2026-06-11
[N/A][523224019] High CVE-2026-13853: Use after free in Journeys. Reported by Google on 2026-06-12
[N/A][523690961] High CVE-2026-13854: Use after free in Ozone. Reported by Google on 2026-06-13
[N/A][524395469] High CVE-2026-13855: Use after free in Ozone. Reported by Google on 2026-06-16
[$8000][508092634] Medium CVE-2026-13856: Insufficient validation of untrusted input in Speech. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-04-30
[$5000][479203484] Medium CVE-2026-13857: Inappropriate implementation in Geometry. Reported by Luan Herrera (@lbherrera_) on 2026-01-27
[$3000][507090179] Medium CVE-2026-13858: Out of bounds read in FFmpeg. Reported by Wongi Lee (@_qwerty_po) of Theori with Xint Code, Jungwoo Lee (@physicube) on 2026-04-27
[$2000][484756087] Medium CVE-2026-13859: Inappropriate implementation in ANGLE. Reported by Jason Villaluna on 2026-02-15
[$1000][417052041] Medium CVE-2026-13860: Incorrect security UI in Autofill. Reported by Khalil Zhani on 2025-05-12
[N/A][495456765] Medium CVE-2026-13861: Use after free in Core. Reported by Google on 2026-03-23
[N/A][495897416] Medium CVE-2026-13862: Insufficient policy enforcement in Web Authentication (Passkeys & Security Keys). Reported by Google on 2026-03-24
[N/A][496012495] Medium CVE-2026-13863: Insufficient validation of untrusted input in CustomTabs. Reported by Google on 2026-03-25
[N/A][496399913] Medium CVE-2026-13864: Insufficient policy enforcement in WebHID. Reported by Google on 2026-03-26
[N/A][497090912] Medium CVE-2026-13865: Insufficient validation of untrusted input in Enterprise. Reported by Google on 2026-03-28
[N/A][497207698] Medium CVE-2026-13866: Insufficient validation of untrusted input in Input. Reported by Google on 2026-03-28
[N/A][497345177] Medium CVE-2026-13867: Inappropriate implementation in Geolocation. Reported by Google on 2026-03-29
[N/A][497453475] Medium CVE-2026-13868: Inappropriate implementation in Network. Reported by Google on 2026-03-29
[N/A][497610642] Medium CVE-2026-13869: Use after free in Device. Reported by Google on 2026-03-30
[N/A][497634837] Medium CVE-2026-13870: Use after free in WebView. Reported by Google on 2026-03-30
[N/A][497961376] Medium CVE-2026-13871: Insufficient data validation in GuestView. Reported by Google on 2026-03-30
[N/A][497977983] Medium CVE-2026-13872: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google on 2026-03-31
[N/A][498085466] Medium CVE-2026-13873: Out of bounds memory access in Layout. Reported by Google on 2026-03-31
[N/A][498411773] Medium CVE-2026-13874: Inappropriate implementation in DataTransfer. Reported by Google on 2026-04-01
[N/A][498721671] Medium CVE-2026-13875: Insufficient validation of untrusted input in GPU. Reported by Google on 2026-04-01
[N/A][498722200] Medium CVE-2026-13876: Inappropriate implementation in Network. Reported by Google on 2026-04-01
[N/A][498820206] Medium CVE-2026-13877: Insufficient validation of untrusted input in ANGLE. Reported by Google on 2026-04-02
[N/A][499007266] Medium CVE-2026-13878: Use after free in Bluetooth. Reported by Google on 2026-04-02
[N/A][499022239] Medium CVE-2026-13879: Use after free in Bluetooth. Reported by Google on 2026-04-02
[N/A][499025880] Medium CVE-2026-13880: Use after free in USB. Reported by Google on 2026-04-02
[N/A][499100491] Medium CVE-2026-13881: Insufficient data validation in WebAppInstalls. Reported by Google on 2026-04-03
[N/A][499162550] Medium CVE-2026-13882: Inappropriate implementation in USB. Reported by Google on 2026-04-03
[N/A][500030250] Medium CVE-2026-13883: Type Confusion in ANGLE. Reported by Google on 2026-04-06
[N/A][500077014] Medium CVE-2026-13884: Heap buffer overflow in Chromecast. Reported by Google on 2026-04-06
[N/A][500474409] Medium CVE-2026-13885: Use after free in Skia. Reported by Google on 2026-04-07
[N/A][500475136] Medium CVE-2026-13886: Policy bypass in Isolated Web Apps. Reported by Google on 2026-04-07
[N/A][500508524] Medium CVE-2026-13887: Insufficient policy enforcement in NFC. Reported by Google on 2026-04-08
[N/A][500566906] Medium CVE-2026-13888: Use after free in Extensions. Reported by Google on 2026-04-08
[N/A][500588580] Medium CVE-2026-13889: Insufficient validation of untrusted input in WebAuthentication. Reported by Google on 2026-04-08
[N/A][500601345] Medium CVE-2026-13890: Out of bounds read in Chromecast. Reported by Google on 2026-04-08
[N/A][501631475] Medium CVE-2026-13891: Insufficient validation of untrusted input in Extensions. Reported by Google on 2026-04-11
[N/A][501674841] Medium CVE-2026-13892: Inappropriate implementation in Chrome for iOS. Reported by Google on 2026-04-11
[N/A][501729582] Medium CVE-2026-13893: Insufficient validation of untrusted input in WebUI. Reported by Google on 2026-04-11
[N/A][501741117] Medium CVE-2026-13894: Insufficient policy enforcement in Network. Reported by Google on 2026-04-11
[N/A][501770542] Medium CVE-2026-13895: Inappropriate implementation in Autofill. Reported by Google on 2026-04-12
[N/A][501820076] Medium CVE-2026-13896: Insufficient policy enforcement in Glic. Reported by Google on 2026-04-12
[N/A][501877896] Medium CVE-2026-13897: Insufficient policy enforcement in Chromecast. Reported by Google on 2026-04-12
[N/A][501925480] Medium CVE-2026-13898: Use after free in Cast Receiver. Reported by Google on 2026-04-12
[N/A][502109002] Medium CVE-2026-13899: Use after free in HTML. Reported by Google on 2026-04-13
[N/A][502374993] Medium CVE-2026-13900: Insufficient validation of untrusted input in Chromecast. Reported by Google on 2026-04-14
[N/A][503585173] Medium CVE-2026-13901: Insufficient validation of untrusted input in Serial. Reported by Google on 2026-04-17
[N/A][503725717] Medium CVE-2026-13902: Inappropriate implementation in Chrome for iOS. Reported by Google on 2026-04-17
[N/A][503912196] Medium CVE-2026-13903: Insufficient policy enforcement in Bluetooth. Reported by Google on 2026-04-18
[N/A][504185807] Medium CVE-2026-13904: Incorrect security UI in Safe Browsing. Reported by Google on 2026-04-19
[N/A][504192688] Medium CVE-2026-13905: Incorrect security UI in Chrome for iOS. Reported by Google on 2026-04-19
[N/A][504613867] Medium CVE-2026-13906: Out of bounds read in Codecs. Reported by Google on 2026-04-20
[N/A][505156685] Medium CVE-2026-13907: Inappropriate implementation in iOSWeb. Reported by Google on 2026-04-22
[N/A][505242189] Medium CVE-2026-13908: Insufficient validation of untrusted input in Omnibox. Reported by Google on 2026-04-22
[N/A][505933538] Medium CVE-2026-13909: Insufficient policy enforcement in DevTools. Reported by Google on 2026-04-24
[N/A][507231605] Medium CVE-2026-13910: Insufficient policy enforcement in WebXR. Reported by Google on 2026-04-28
[N/A][507239830] Medium CVE-2026-13911: Insufficient data validation in Spellcheck. Reported by Google on 2026-04-28
[N/A][508259433] Medium CVE-2026-13912: Incorrect security UI in Safe Browsing. Reported by Google on 2026-04-30
[N/A][508260619] Medium CVE-2026-13913: Insufficient policy enforcement in Autofill. Reported by Google on 2026-04-30
[N/A][508273690] Medium CVE-2026-13914: Inappropriate implementation in Passwords. Reported by Google on 2026-04-30
[N/A][508275293] Medium CVE-2026-13915: Use after free in Chrome for iOS. Reported by Google on 2026-04-30
[N/A][508283108] Medium CVE-2026-13916: Inappropriate implementation in Chrome for iOS. Reported by Google on 2026-04-30
[N/A][508286935] Medium CVE-2026-13917: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google on 2026-04-30
[N/A][509712284] Medium CVE-2026-13918: Use after free in Chrome for iOS. Reported by Google on 2026-05-05
[N/A][511249430] Medium CVE-2026-13919: Insufficient data validation in Extensions. Reported by Google on 2026-05-08
[N/A][511722559] Medium CVE-2026-13920: Insufficient validation of untrusted input in Media. Reported by Google on 2026-05-10
[N/A][511738175] Medium CVE-2026-13921: Insufficient validation of untrusted input in DeviceBoundSessionCredentials. Reported by Google on 2026-05-10
[N/A][511748106] Medium CVE-2026-13922: Side-channel information leakage in Paint. Reported by Google on 2026-05-10
[N/A][511772034] Medium CVE-2026-13923: Uninitialized Use in GPU. Reported by Google on 2026-05-10
[N/A][511784747] Medium CVE-2026-13924: Insufficient validation of untrusted input in WebView. Reported by Google on 2026-05-10
[N/A][511802911] Medium CVE-2026-13925: Inappropriate implementation in Downloads. Reported by Google on 2026-05-10
[N/A][511814550] Medium CVE-2026-13926: Insufficient validation of untrusted input in Network. Reported by Google on 2026-05-10
[N/A][511826446] Medium CVE-2026-13927: Insufficient validation of untrusted input in UI. Reported by Google on 2026-05-10
[N/A][512162479] Medium CVE-2026-13928: Insufficient validation of untrusted input in Enterprise. Reported by Google on 2026-05-11
[TBD][512249559] Medium CVE-2026-13929: Insufficient validation of untrusted input in DevTools. Reported by LegioSec on 2026-05-12
[N/A][512937764] Medium CVE-2026-13930: Insufficient policy enforcement in Actor. Reported by Google on 2026-05-13
[N/A][512997441] Medium CVE-2026-13931: Inappropriate implementation in Media. Reported by Google on 2026-05-13
[N/A][513001690] Medium CVE-2026-13932: Inappropriate implementation in Sharing. Reported by Google on 2026-05-14
[N/A][513002625] Medium CVE-2026-13933: Insufficient policy enforcement in Passwords. Reported by Google on 2026-05-14
[N/A][513006636] Medium CVE-2026-13934: Insufficient validation of untrusted input in Dawn. Reported by Google on 2026-05-14
[N/A][513009005] Medium CVE-2026-13935: Side-channel information leakage in ComputePressure. Reported by Google on 2026-05-14
[N/A][513044658] Medium CVE-2026-13936: Inappropriate implementation in Passwords. Reported by Google on 2026-05-14
[N/A][513046494] Medium CVE-2026-13937: Insufficient policy enforcement in Passwords. Reported by Google on 2026-05-14
[N/A][513143921] Medium CVE-2026-13938: Integer overflow in Fonts. Reported by Google on 2026-05-14
[N/A][513149760] Medium CVE-2026-13939: Insufficient validation of untrusted input in WebShare. Reported by Google on 2026-05-14
[N/A][513158425] Medium CVE-2026-13940: Uninitialized Use in Cast. Reported by Google on 2026-05-14
[N/A][513183855] Medium CVE-2026-13941: Inappropriate implementation in SiteSettings. Reported by Google on 2026-05-14
[N/A][513186670] Medium CVE-2026-13942: Insufficient validation of untrusted input in Video Capture. Reported by Google on 2026-05-14
[N/A][513204116] Medium CVE-2026-13943: Uninitialized Use in CSS. Reported by Google on 2026-05-14
[N/A][513224212] Medium CVE-2026-13944: Inappropriate implementation in DataTransfer. Reported by Google on 2026-05-14
[N/A][513226551] Medium CVE-2026-13945: Insufficient policy enforcement in Extensions. Reported by Google on 2026-05-14
[N/A][513274039] Medium CVE-2026-13946: Inappropriate implementation in ScriptInjections. Reported by Google on 2026-05-14
[N/A][513280648] Medium CVE-2026-13947: Uninitialized Use in XR. Reported by Google on 2026-05-14
[N/A][513286820] Medium CVE-2026-13948: Insufficient policy enforcement in Extensions. Reported by Google on 2026-05-14
[N/A][513311569] Medium CVE-2026-13949: Insufficient policy enforcement in Payments. Reported by Google on 2026-05-14
[N/A][513360781] Medium CVE-2026-13950: Uninitialized Use in GPU. Reported by Google on 2026-05-15
[N/A][513394321] Medium CVE-2026-13951: Policy bypass in USB. Reported by Google on 2026-05-15
[N/A][513401808] Medium CVE-2026-13952: Inappropriate implementation in PerformanceAPIs. Reported by Google on 2026-05-15
[N/A][513459192] Medium CVE-2026-13953: Inappropriate implementation in SplitView. Reported by Google on 2026-05-15
[N/A][513504934] Medium CVE-2026-13954: Insufficient policy enforcement in XML. Reported by Google on 2026-05-15
[N/A][513508305] Medium CVE-2026-13955: Insufficient validation of untrusted input in CustomTabs. Reported by Google on 2026-05-15
[N/A][513515168] Medium CVE-2026-13956: Incorrect security UI in PageInfo. Reported by Google on 2026-05-15
[N/A][513553557] Medium CVE-2026-13957: Incorrect security UI in Extensions. Reported by Google on 2026-05-15
[N/A][513567306] Medium CVE-2026-13958: Uninitialized Use in Codecs. Reported by Google on 2026-05-15
[N/A][513609249] Medium CVE-2026-13959: Insufficient validation of untrusted input in Blink. Reported by Google on 2026-05-15
[N/A][513714023] Medium CVE-2026-13960: Inappropriate implementation in Passwords. Reported by Google on 2026-05-16
[N/A][513719481] Medium CVE-2026-13961: Insufficient validation of untrusted input in DevTools. Reported by Google on 2026-05-16
[N/A][513721370] Medium CVE-2026-13962: Insufficient data validation in PDF. Reported by Google on 2026-05-16
[N/A][513727626] Medium CVE-2026-13963: Inappropriate implementation in DevTools. Reported by Google on 2026-05-16
[N/A][513735096] Medium CVE-2026-13964: Insufficient policy enforcement in WebView. Reported by Google on 2026-05-16
[N/A][513737952] Medium CVE-2026-13965: Use after free in Oilpan. Reported by Google on 2026-05-16
[N/A][513741393] Medium CVE-2026-13966: Inappropriate implementation in History. Reported by Google on 2026-05-16
[N/A][513751951] Medium CVE-2026-13967: Type Confusion in V8. Reported by Google on 2026-05-16
[N/A][513762145] Medium CVE-2026-13968: Insufficient validation of untrusted input in DevTools. Reported by Google on 2026-05-16
[N/A][513762962] Medium CVE-2026-13969: Uninitialized Use in UI. Reported by Google on 2026-05-16
[N/A][513779283] Medium CVE-2026-13970: Uninitialized Use in Media. Reported by Google on 2026-05-16
[N/A][513780208] Medium CVE-2026-13971: Uninitialized Use in Skia. Reported by Google on 2026-05-16
[N/A][513792140] Medium CVE-2026-13972: Inappropriate implementation in Paint. Reported by Google on 2026-05-16
[N/A][513832989] Medium CVE-2026-13973: Inappropriate implementation in UI. Reported by Google on 2026-05-16
[N/A][513850475] Medium CVE-2026-13974: Integer overflow in Safe Browsing. Reported by Google on 2026-05-16
[N/A][513857658] Medium CVE-2026-13975: Out of bounds read in ANGLE. Reported by Google on 2026-05-16
[N/A][513858286] Medium CVE-2026-13976: Heap buffer overflow in Storage. Reported by Google on 2026-05-16
[N/A][513859894] Medium CVE-2026-13977: Inappropriate implementation in HTMLParser. Reported by Google on 2026-05-16
[N/A][513866949] Medium CVE-2026-13978: Insufficient policy enforcement in PageInfo. Reported by Google on 2026-05-16
[N/A][513988889] Medium CVE-2026-13979: Inappropriate implementation in Paint. Reported by Google on 2026-05-17
[N/A][513989973] Medium CVE-2026-13980: Incorrect security UI in Chrome for iOS. Reported by Google on 2026-05-17
[N/A][513990408] Medium CVE-2026-13981: Inappropriate implementation in Chrome for iOS. Reported by Google on 2026-05-17
[N/A][514006829] Medium CVE-2026-13982: Incorrect security UI in Passwords. Reported by Google on 2026-05-17
[N/A][514009910] Medium CVE-2026-13983: Incorrect security UI in Chrome for iOS. Reported by Google on 2026-05-17
[N/A][514010404] Medium CVE-2026-13984: Incorrect security UI in TabStrip. Reported by Google on 2026-05-17
[N/A][514013849] Medium CVE-2026-13985: Inappropriate implementation in MediaCapture. Reported by Google on 2026-05-17
[N/A][514020959] Medium CVE-2026-13986: Inappropriate implementation in Media UI. Reported by Google on 2026-05-17
[N/A][514039122] Medium CVE-2026-13987: Incorrect security UI in Mobile. Reported by Google on 2026-05-17
[N/A][514040614] Medium CVE-2026-13988: Inappropriate implementation in Paint. Reported by Google on 2026-05-17
[N/A][514056221] Medium CVE-2026-13989: Insufficient policy enforcement in PageInfo. Reported by Google on 2026-05-17
[N/A][514058439] Medium CVE-2026-13990: Insufficient validation of untrusted input in DataTransfer. Reported by Google on 2026-05-17
[N/A][514061117] Medium CVE-2026-13991: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google on 2026-05-17
[N/A][514063409] Medium CVE-2026-13992: Inappropriate implementation in UI. Reported by Google on 2026-05-17
[N/A][514064139] Medium CVE-2026-13993: Incorrect security UI in WebAppInstalls. Reported by Google on 2026-05-17
[N/A][514067416] Medium CVE-2026-13994: Inappropriate implementation in Credential Management. Reported by Google on 2026-05-17
[N/A][514067524] Medium CVE-2026-13995: Insufficient validation of untrusted input in Autofill. Reported by Google on 2026-05-17
[N/A][514068972] Medium CVE-2026-13996: Incorrect security UI in Permissions. Reported by Google on 2026-05-17
[N/A][514069689] Medium CVE-2026-13997: Incorrect security UI in Extensions. Reported by Google on 2026-05-17
[N/A][514070501] Medium CVE-2026-13998: Incorrect security UI in File Input. Reported by Google on 2026-05-17
[N/A][514071697] Medium CVE-2026-13999: Inappropriate implementation in Extensions. Reported by Google on 2026-05-17
[N/A][514461552] Medium CVE-2026-14000: Inappropriate implementation in XML. Reported by Google on 2026-05-19
[N/A][514481943] Medium CVE-2026-14001: Inappropriate implementation in Network. Reported by Google on 2026-05-19
[N/A][514489361] Medium CVE-2026-14002: Inappropriate implementation in Geolocation. Reported by Google on 2026-05-19
[N/A][514503077] Medium CVE-2026-14003: Insufficient policy enforcement in Extensions. Reported by Google on 2026-05-19
[N/A][514538751] Medium CVE-2026-14004: Inappropriate implementation in CSS. Reported by Google on 2026-05-19
[N/A][514740273] Medium CVE-2026-14005: Use after free in Omnibox. Reported by Google on 2026-05-19
[N/A][515423596] Medium CVE-2026-14006: Use after free in Navigation. Reported by Google on 2026-05-21
[N/A][516425999] Medium CVE-2026-14007: Insufficient policy enforcement in PermissionsPolicy. Reported by Google on 2026-05-25
[N/A][516781007] Medium CVE-2026-14008: Uninitialized Use in WebXR. Reported by Google on 2026-05-26
[N/A][516819850] Medium CVE-2026-14009: Insufficient data validation in Passwords. Reported by Google on 2026-05-26
[N/A][516924151] Medium CVE-2026-14010: Uninitialized Use in Codecs. Reported by Google on 2026-05-27
[N/A][516944556] Medium CVE-2026-14011: Out of bounds read in SurfaceCapture. Reported by Google on 2026-05-27
[N/A][517110749] Medium CVE-2026-14012: Side-channel information leakage in CSS. Reported by Google on 2026-05-27
[N/A][517114175] Medium CVE-2026-14013: Inappropriate implementation in SVG. Reported by Google on 2026-05-27
[N/A][517155893] Medium CVE-2026-14014: Inappropriate implementation in Paint. Reported by Google on 2026-05-27
[N/A][517207235] Medium CVE-2026-14015: Inappropriate implementation in WebRTC. Reported by Google on 2026-05-27
[N/A][517234388] Medium CVE-2026-14016: Insufficient policy enforcement in SVG. Reported by Google on 2026-05-27
[N/A][517241992] Medium CVE-2026-14017: Inappropriate implementation in Navigation. Reported by Google on 2026-05-27
[N/A][517350251] Medium CVE-2026-14018: Use after free in Updater. Reported by Google on 2026-05-28
[N/A][517455455] Medium CVE-2026-14019: Inappropriate implementation in Passwords. Reported by Google on 2026-05-28
[N/A][517598518] Medium CVE-2026-14020: Insufficient validation of untrusted input in WebXR. Reported by Google on 2026-05-28
[N/A][517731924] Medium CVE-2026-14021: Insufficient validation of untrusted input in StorageAccessAPI. Reported by Google on 2026-05-29
[N/A][517791835] Medium CVE-2026-14022: Insufficient validation of untrusted input in Network. Reported by Google on 2026-05-29
[N/A][518063436] Medium CVE-2026-14023: Insufficient validation of untrusted input in SanitizerAPI. Reported by Google on 2026-05-30
[N/A][518245882] Medium CVE-2026-14024: Use after free in Ozone. Reported by Google on 2026-05-30
[$2000][506482786] Low CVE-2026-14025: Use after free in Views. Reported by asjidkalam on 2026-04-26
[$1000][507263861] Low CVE-2026-14026: Incorrect security UI in SplitView. Reported by adisahilna35@gmail.com on 2026-04-28
[TBD][361375787] Low CVE-2026-14027: Use after free in SignIn. Reported by Sven Dysthe (@svn-dys) on 2024-08-21
[TBD][401816601] Low CVE-2026-14028: Incorrect security UI in Chrome for iOS. Reported by Ameen Basha M K on 2025-03-09
[TBD][488762971] Low CVE-2026-14030: Incorrect security UI in SplitView. Reported by Khalil Zhani on 2026-03-01
[N/A][495459838] Low CVE-2026-14031: Incorrect security UI in File Input. Reported by Google on 2026-03-23
[N/A][495783474] Low CVE-2026-14032: Use after free in Bluetooth. Reported by Google on 2026-03-24
[N/A][495848160] Low CVE-2026-14033: Insufficient policy enforcement in Media. Reported by Google on 2026-03-24
[N/A][496368832] Low CVE-2026-14034: Inappropriate implementation in WebXR. Reported by Google on 2026-03-26
[N/A][496371586] Low CVE-2026-14035: Insufficient policy enforcement in Bluetooth. Reported by Google on 2026-03-26
[N/A][496411061] Low CVE-2026-14036: Insufficient policy enforcement in Bluetooth. Reported by Google on 2026-03-26
[N/A][496522611] Low CVE-2026-14037: Insufficient policy enforcement in GPU. Reported by Google on 2026-03-26
[N/A][497241148] Low CVE-2026-14038: Insufficient validation of untrusted input in New Tab Page. Reported by Google on 2026-03-28
[N/A][497358012] Low CVE-2026-14039: Insufficient policy enforcement in GetUserMedia. Reported by Google on 2026-03-29
[N/A][497488593] Low CVE-2026-14040: Use after free in BrowserTag. Reported by Google on 2026-03-29
[N/A][497544822] Low CVE-2026-14041: Insufficient policy enforcement in Serial. Reported by Google on 2026-03-29
[N/A][497558336] Low CVE-2026-14042: Inappropriate implementation in Isolated Web Apps. Reported by Google on 2026-03-29
[N/A][497632232] Low CVE-2026-14043: Use after free in GetUserMedia. Reported by Google on 2026-03-30
[N/A][497670996] Low CVE-2026-14044: Use after free in ANGLE. Reported by Google on 2026-03-30
[N/A][497723649] Low CVE-2026-14045: Insufficient validation of untrusted input in Network. Reported by Google on 2026-03-30
[N/A][497959724] Low CVE-2026-14046: Inappropriate implementation in CustomTabs. Reported by Google on 2026-03-30
[N/A][498864176] Low CVE-2026-14047: Insufficient policy enforcement in Extensions. Reported by Google on 2026-04-02
[N/A][499189601] Low CVE-2026-14048: Use after free in Chromecast. Reported by Google on 2026-04-03
[N/A][501659888] Low CVE-2026-14049: Inappropriate implementation in GPU. Reported by Google on 2026-04-11
[N/A][501708647] Low CVE-2026-14050: Insufficient policy enforcement in Passwords. Reported by Google on 2026-04-11
[N/A][501747804] Low CVE-2026-14051: Uninitialized Use in GamepadAPI. Reported by Google on 2026-04-11
[N/A][501810874] Low CVE-2026-14052: Insufficient policy enforcement in FileSystem. Reported by Google on 2026-04-12
[N/A][501836539] Low CVE-2026-14053: Insufficient policy enforcement in Extensions. Reported by Google on 2026-04-12
[N/A][501851312] Low CVE-2026-14054: Insufficient policy enforcement in Network. Reported by Google on 2026-04-12
[N/A][501857663] Low CVE-2026-14055: Insufficient validation of untrusted input in Device Trust. Reported by Google on 2026-04-12
[N/A][501888426] Low CVE-2026-14056: Insufficient validation of untrusted input in Media. Reported by Google on 2026-04-12
[N/A][502212647] Low CVE-2026-14057: Insufficient policy enforcement in FedCM. Reported by Google on 2026-04-13
[N/A][502354038] Low CVE-2026-14058: Policy bypass in Parser. Reported by Google on 2026-04-14
[N/A][502363986] Low CVE-2026-14059: Insufficient policy enforcement in Related-Website-Sets. Reported by Google on 2026-04-14
[N/A][502372527] Low CVE-2026-14060: Insufficient validation of untrusted input in Chromoting. Reported by Google on 2026-04-14
[N/A][502434484] Low CVE-2026-14061: Inappropriate implementation in Dawn. Reported by Google on 2026-04-14
[N/A][502448128] Low CVE-2026-14062: Inappropriate implementation in Views. Reported by Google on 2026-04-14
[N/A][502473563] Low CVE-2026-14063: Out of bounds memory access in Chromecast. Reported by Google on 2026-04-14
[N/A][502714977] Low CVE-2026-14064: Use after free in PageInfo. Reported by Google on 2026-04-15
[N/A][503617508] Low CVE-2026-14065: Insufficient validation of untrusted input in PageInfo. Reported by Google on 2026-04-17
[N/A][503779807] Low CVE-2026-14066: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google on 2026-04-17
[N/A][504069465] Low CVE-2026-14067: Use after free in Chrome for iOS. Reported by Google on 2026-04-18
[N/A][504210171] Low CVE-2026-14068: Inappropriate implementation in Omnibox. Reported by Google on 2026-04-19
[N/A][505136542] Low CVE-2026-14069: Integer overflow in WebNN. Reported by Google on 2026-04-21
[N/A][505137978] Low CVE-2026-14070: Uninitialized Use in WebNN. Reported by Google on 2026-04-21
[N/A][506143724] Low CVE-2026-14071: Side-channel information leakage in WebAudio. Reported by Google on 2026-04-24
[N/A][507099867] Low CVE-2026-14072: Incorrect security UI in SplitView. Reported by FARISSAL B on 2026-04-28
[N/A][507237563] Low CVE-2026-14073: Insufficient policy enforcement in WebXR. Reported by Google on 2026-04-28
[N/A][511743480] Low CVE-2026-14074: Side-channel information leakage in WebAuthentication. Reported by Google on 2026-05-10
[N/A][511808800] Low CVE-2026-14075: Policy bypass in Chrome for iOS. Reported by Google on 2026-05-10
[N/A][511815165] Low CVE-2026-14076: Policy bypass in Network. Reported by Google on 2026-05-10
[TBD][511869411] Low CVE-2026-14077: Incorrect security UI in Select. Reported by pwn.ai on 2026-05-11
[N/A][512953564] Low CVE-2026-14078: Policy bypass in WebRTC. Reported by Google on 2026-05-13
[N/A][512971938] Low CVE-2026-14079: Policy bypass in Network. Reported by Google on 2026-05-13
[N/A][512997517] Low CVE-2026-14080: Insufficient validation of untrusted input in TabSwitcher. Reported by Google on 2026-05-13
[N/A][513030698] Low CVE-2026-14081: Insufficient policy enforcement in DevTools. Reported by Google on 2026-05-14
[N/A][513049578] Low CVE-2026-14082: Race in Storage. Reported by Google on 2026-05-14
[N/A][513128322] Low CVE-2026-14083: Insufficient validation of untrusted input in HTML. Reported by Google on 2026-05-14
[N/A][513138148] Low CVE-2026-14084: Insufficient validation of untrusted input in Chromoting. Reported by Google on 2026-05-14
[N/A][513155863] Low CVE-2026-14085: Side-channel information leakage in CSS. Reported by Google on 2026-05-14
[N/A][513169718] Low CVE-2026-14086: Insufficient policy enforcement in HID. Reported by Google on 2026-05-14
[N/A][513177237] Low CVE-2026-14087: Insufficient validation of untrusted input in WebNN. Reported by Google on 2026-05-14
[N/A][513178869] Low CVE-2026-14088: Uninitialized Use in Canvas. Reported by Google on 2026-05-14
[N/A][513188254] Low CVE-2026-14089: Insufficient validation of untrusted input in PopupBlocker. Reported by Google on 2026-05-14
[N/A][513194241] Low CVE-2026-14090: Out of bounds read in CameraCapture. Reported by Google on 2026-05-14
[N/A][513208773] Low CVE-2026-14091: Use after free in DevTools. Reported by Google on 2026-05-14
[N/A][513212892] Low CVE-2026-14092: Insufficient policy enforcement in Privacy. Reported by Google on 2026-05-14
[N/A][513240099] Low CVE-2026-14093: Use after free in Cast. Reported by Google on 2026-05-14
[N/A][513264273] Low CVE-2026-14094: Use after free in Installer. Reported by Google on 2026-05-14
[N/A][513271007] Low CVE-2026-14095: Insufficient validation of untrusted input in Browser. Reported by Google on 2026-05-14
[N/A][513310821] Low CVE-2026-14096: Object lifecycle issue in Input. Reported by Google on 2026-05-14
[N/A][513333529] Low CVE-2026-14097: Inappropriate implementation in WebAppInstalls. Reported by Google on 2026-05-14
[N/A][513375767] Low CVE-2026-14098: Inappropriate implementation in CSS. Reported by Google on 2026-05-15
[N/A][513382161] Low CVE-2026-14099: Use after free in Chrome for iOS. Reported by Google on 2026-05-15
[N/A][513383891] Low CVE-2026-14100: Insufficient data validation in NetworkCache. Reported by Google on 2026-05-15
[N/A][513454805] Low CVE-2026-14101: Insufficient policy enforcement in Sandbox. Reported by Google on 2026-05-15
[N/A][513455047] Low CVE-2026-14102: Use after free in Passwords. Reported by Google on 2026-05-15
[N/A][513465245] Low CVE-2026-14103: Use after free in SSL. Reported by Google on 2026-05-15
[N/A][513484193] Low CVE-2026-14104: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google on 2026-05-15
[N/A][513528117] Low CVE-2026-14105: Insufficient policy enforcement in Speech. Reported by Google on 2026-05-15
[N/A][513532778] Low CVE-2026-14106: Insufficient validation of untrusted input in Text. Reported by Google on 2026-05-15
[N/A][513544566] Low CVE-2026-14107: Use after free in Scheduling. Reported by Google on 2026-05-15
[N/A][513689974] Low CVE-2026-14108: Use after free in PDFium. Reported by Google on 2026-05-15
[N/A][513694957] Low CVE-2026-14109: Insufficient policy enforcement in Mojo. Reported by Google on 2026-05-16
[N/A][513698452] Low CVE-2026-14110: Inappropriate implementation in DarkMode. Reported by Google on 2026-05-16
[N/A][513710926] Low CVE-2026-14111: Use after free in WebProtect. Reported by Google on 2026-05-16
[N/A][513713946] Low CVE-2026-14112: Inappropriate implementation in Enterprise. Reported by Google on 2026-05-16
[N/A][513737335] Low CVE-2026-14113: Use after free in Updater. Reported by Google on 2026-05-16
[N/A][513743129] Low CVE-2026-14114: Inappropriate implementation in WebAppInstalls. Reported by Google on 2026-05-16
[N/A][513745699] Low CVE-2026-14115: Insufficient validation of untrusted input in Cast. Reported by Google on 2026-05-16
[N/A][513747800] Low CVE-2026-14116: Insufficient validation of untrusted input in DevTools. Reported by Google on 2026-05-16
[N/A][513751020] Low CVE-2026-14117: Insufficient validation of untrusted input in DevTools. Reported by Google on 2026-05-16
[N/A][513772764] Low CVE-2026-14118: Insufficient data validation in DevTools. Reported by Google on 2026-05-16
[N/A][513775483] Low CVE-2026-14119: Type Confusion in Bluetooth. Reported by Google on 2026-05-16
[N/A][513777411] Low CVE-2026-14120: Inappropriate implementation in DevTools. Reported by Google on 2026-05-16
[N/A][513789382] Low CVE-2026-14121: Use after free in Chromoting. Reported by Google on 2026-05-16
[N/A][513824891] Low CVE-2026-14122: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google on 2026-05-16
[N/A][513856644] Low CVE-2026-14123: Incorrect security UI in Chrome for iOS. Reported by Google on 2026-05-16
[N/A][513867710] Low CVE-2026-14124: Inappropriate implementation in CredentialProvider. Reported by Google on 2026-05-16
[N/A][513918431] Low CVE-2026-14125: Uninitialized Use in ANGLE. Reported by Google on 2026-05-17
[N/A][513992796] Low CVE-2026-14126: Incorrect security UI in UI. Reported by Google on 2026-05-17
[N/A][514009654] Low CVE-2026-14127: Inappropriate implementation in Printing. Reported by Google on 2026-05-17
[N/A][514015836] Low CVE-2026-14128: Insufficient data validation in Chrome for iOS. Reported by Google on 2026-05-17
[N/A][514018024] Low CVE-2026-14129: Incorrect security UI in PreviewTab. Reported by Google on 2026-05-17
[N/A][514019522] Low CVE-2026-14130: Incorrect security UI in Omnibox. Reported by Google on 2026-05-17
[N/A][514020982] Low CVE-2026-14131: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google on 2026-05-17
[N/A][514039492] Low CVE-2026-14132: Inappropriate implementation in WebXR. Reported by Google on 2026-05-17
[N/A][514039947] Low CVE-2026-14133: Race in History Embeddings. Reported by Google on 2026-05-17
[N/A][514055973] Low CVE-2026-14134: Inappropriate implementation in Autofill. Reported by Google on 2026-05-17
[N/A][514058566] Low CVE-2026-14135: Insufficient validation of untrusted input in Network. Reported by Google on 2026-05-17
[N/A][514068611] Low CVE-2026-14136: Incorrect security UI in Chrome for iOS. Reported by Google on 2026-05-17
[N/A][514070067] Low CVE-2026-14137: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google on 2026-05-17
[N/A][514071775] Low CVE-2026-14138: Inappropriate implementation in WebAppInstalls. Reported by Google on 2026-05-17
[N/A][514072495] Low CVE-2026-14139: Inappropriate implementation in TabStrip. Reported by Google on 2026-05-17
[N/A][514072607] Low CVE-2026-14140: Insufficient validation of untrusted input in Input. Reported by Google on 2026-05-17
[N/A][514072867] Low CVE-2026-14141: Incorrect security UI in Document Picture-in-Picture. Reported by Google on 2026-05-17
[N/A][514073460] Low CVE-2026-14142: Inappropriate implementation in Extensions. Reported by Google on 2026-05-17
[N/A][514075028] Low CVE-2026-14143: Incorrect security UI in Passwords. Reported by Google on 2026-05-17
[N/A][514079793] Low CVE-2026-14144: Incorrect security UI in Views. Reported by Google on 2026-05-17
[N/A][514485825] Low CVE-2026-14145: Inappropriate implementation in CSS. Reported by Google on 2026-05-19
[N/A][514550047] Low CVE-2026-14146: Inappropriate implementation in CSS. Reported by Google on 2026-05-19
[N/A][514632767] Low CVE-2026-14147: Inappropriate implementation in CSS. Reported by Google on 2026-05-19
[N/A][515426873] Low CVE-2026-14148: Type Confusion in CSS. Reported by Google on 2026-05-21
[N/A][515427046] Low CVE-2026-14149: Use after free in Audio. Reported by Google on 2026-05-21
[N/A][517376041] Low CVE-2026-14150: Insufficient validation of untrusted input in Speech. Reported by Google on 2026-05-28
[N/A][517381770] Low CVE-2026-14151: Inappropriate implementation in AI. Reported by Google on 2026-05-28
[N/A][517534944] Low CVE-2026-14152: Out of bounds write in ANGLE. Reported by Google on 2026-05-28
[N/A][517684077] Low CVE-2026-14153: Inappropriate implementation in Glic. Reported by Google on 2026-05-29
[N/A][517741170] Low CVE-2026-14154: Inappropriate implementation in DevTools. Reported by Google on 2026-05-29
[N/A][518246925] Low CVE-2026-14155: Insufficient policy enforcement in StorageAccessAPI. Reported by Google on 2026-05-30
[N/A][518247789] Low CVE-2026-14156: Policy bypass in StorageAccessAPI. Reported by Google on 2026-05-30

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.


Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.


Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Daniel Yip

Google Chrome


Euro Truck Simulator 2: Holland Style Tuning Pack DLC Release

By: Petr
30 June 2026 at 19:10

We are excited to reveal the Holland Style Tuning Pack DLC for Euro Truck Simulator 2, which is now released and available for you to get on Steam! This DLC contains dozens of accessories and paint jobs for a wide range of trucks and is the largest tuning pack we have developed for our games so far. Let's see what's in store!

Holland Style is one of the most distinctive and popular trends in European truck customization. In the 1970s, Dutch truckers began to adopt the idea of taking pride in their own trucks. Holland Style is characterized above all by perfectly coordinated colours, with a minimum of chrome, and an emphasis on symmetry, clean lines, and attention to detail.


The Holland Style Tuning Pack features a wide range of accessories for both the interior and exterior of your truck, along with an extensive selection of stylish paint jobs. This popular tuning style has been one of the most requested additions from our community, and many of the included items were inspired directly by their ideas.

"It all started some time ago when I was thinking about creating my own paint job DLC. Since we were working on the Benelux Rework at that time, which included the Netherlands, I wanted to create something to celebrate the occasion. I would like to thank all my colleagues for their tremendous cooperation and for putting so much passion into this project," says our 2D Graphic Designer for vehicles, Matej, who initiated the creation of this tuning pack.

With this DLC, you'll be able to customize your truck with a vast range of light boxes (for high-roof sleeper cabs), horns, mudflaps, auxiliary lights, Danish lights, and the famous double burners, as well as pennants, toys & decorations, steering wheels, and light boxes for the interior, allowing you to create a truly personalized cabin and make it feel like home.

While many of these accessories were designed by our team, we're especially proud to have collaborated with several well-known manufacturers to bring licensed products into the game. These include double burners, horns, auxiliary lights, and Danish plush pillows from Omnius; long mudflaps, pennants, and air fresheners from Go-In-Style; as well as interior light boxes, long mudflaps, and pennants from TruckJunkie.

You will also be able to select from 23 different paint jobs, each of which has 3 RGB presets that the player can choose from and customize the colours! The pack includes one paint job shared across all supported trucks, as well as two unique paint jobs for each of the truck groups listed below, with each pair tailored specifically to the respective truck models and differing between groups:

  • Volvo FH Series 6, Volvo FH Series 5, and Volvo FH Series 4
  • Volvo FH Series 3
  • Scania R and S
  • Scania R 2009 and Streamline
  • Iveco S-Way
  • DAF NGD and XD
  • DAF XF 105 and DAF XF Euro 6
  • MAN TG3 TGX
  • MAN TGX Euro 6
  • Renault T
  • Mercedes-Benz New Actros

The tuning accessories for both the exterior and interior are available for all trucks in ETS2, where compatibility allows. The only exception is light boxes, which are limited to the trucks listed above. We also plan to update this DLC in the future for upcoming trucks.

While this tuning pack is going to make your truck beautiful on its own, we recommend combining it with other DLC for a top look, such as the HS-Schoch Tuning Pack, Michelin Fan Pack, XF Tuning Pack, Mighty Griffin Tuning Pack, FH Tuning Pack, Renault Trucks T Tuning Pack, or Actros Tuning Pack. All of these are fully compatible with this DLC, allowing you to create truly stunning combinations!

So if you'd like to start trucking in true Holland style, make sure to get this DLC on Steam now!

Remember to also give our X/Twitter, Instagram, Facebook, Bluesky, TikTok, and YouTube a follow, as you'll receive updates about our games straight to your feed. Or subscribe to our newsletter to stay informed. Until next time, safe travels!


Minecraft 26.3-snapshot-2 (snapshot) Released

30 June 2026 at 14:45
26.3 Snapshot 2 (known as 26.3-snapshot-2 in the launcher) is the second snapshot for Java Edition 26.3, released on June 30, 2026, which adds a new rendering option for improved transparency. Full changelog: https://minecraft.wiki/Java_Edition_26.3-snapshot-2

v25.12.5

1 July 2026 at 02:10

Hi,

The OpenWrt community is proud to announce the fifth service release of the OpenWrt 25.12 stable series.

Download firmware images using the OpenWrt Firmware Selector:

Download firmware images directly from our download servers:

Main changes between OpenWrt 25.12.4 and OpenWrt 25.12.5

Only the main changes are listed below. See the full changelog for details.

Security fixes

This release fixes several remotely triggerable vulnerabilities in core network services that are enabled by default. Updating is strongly recommended.

  • odhcpd (DHCPv6/DHCPv4/RA server, enabled by default): multiple vulnerabilities reachable by a network-adjacent attacker were fixed by updating odhcpd:
    • CVE-2026-53921 (Critical): stack buffer overflow in the DHCPv6 IA reply serialization, triggerable with crafted DHCPv6 REQUEST packets. GHSA-7fwx-hhrg-3496
    • CVE-2026-53918 (High): use-after-free in the DHCPv6 IA handler. GHSA-44ff-jcwh-wgc2
    • CVE-2026-53920 (High): stack memory disclosure via a truncated DHCPv6 IA_NA/IA_PD option. GHSA-p769-5v73-pc4f
    • CVE-2026-53922 (Moderate): pre-auth denial of service via a size_t underflow in DHCPv6 IA handling. GHSA-7hcw-g2jh-pqv5
    • CVE-2026-55606 (Moderate): stack buffer overread caused by a DUID length endianness mismatch. GHSA-x8x4-7gvf-gp45
    • No CVE assigned (Moderate, CVSS 5.4): the NDP relay accepted IPv6 Neighbor Solicitations with a hop limit other than 255 (RFC 4861 violation), letting an off-link attacker spoof NS packets through the relay (neighbor-cache poisoning, traffic redirection or DoS). Only relevant when the NDP relay is enabled. https://github.com/openwrt/odhcpd/security/advisories/GHSA-qvg7-9jf5-wgjc
  • odhcpd / LuCI stored XSS (Critical): an unauthenticated DHCPv6 client could inject lease-file lines through a crafted FQDN hostname, resulting in stored cross-site scripting on the LuCI DHCPv6 leases status page. Fixed by escaping client hostnames in the lease state file. GHSA-hhmc-92hw-535f
  • uhttpd (web server): three HTTP request smuggling issues on keep-alive connections were fixed:
  • cgi-io: ACL bypass / arbitrary file read (Moderate): a path-traversal flaw in the cgi-download handler let an authenticated user with wildcard read permission read any root-readable file (e.g. /etc/shadow). GHSA-jw5r-xhf5-2xcq
  • LuCI (web interface): a set of issues in LuCI core modules and applications were fixed. Most let a logged-in user with limited (delegated) permissions escalate to root command execution; a few are stored XSS issues reachable by clients on the network. The privilege-escalation issues only apply if the affected app is installed and the account/ACL in question exists:
    • luci-app-tailscale-community (Critical, CVSS 9.9): command injection allowing delegated users to run commands as root via tailscale.do_login. GHSA-xwc5-mx58-rh35
    • luci-app-advanced-reboot (High): CVE-2026-55897 - a read ACL exposes /bin/sh via file.exec, allowing delegated users to run commands as root. GHSA-vj96-f37g-37f6
    • luci-app-adblock-fast (High): CVE-2026-55159 - delegated users can reach root command execution via newline-separated cron entries. GHSA-ggpf-xrph-wg5v
    • luci-app-samba4 (High): a read ACL allows authenticated root command execution via the smbd file.exec permission. GHSA-vx64-mmp7-h36c
    • luci-app-travelmate (High): a delegated UCI write can execute the travelmate auto-login command as root. GHSA-p35r-3323-6g7g
    • luci-app-upnp (High): stored XSS - an unauthenticated LAN client can inject JavaScript via a UPnP port-mapping description. GHSA-8v49-6387-7f89
    • luci-mod-network / luci-mod-status (High): stored XSS via a DHCPv6 lease hostname (FQDN) shown in the status tables. GHSA-686p-p8p9-x6fh
    • luci-app-banip (High): a crafted LuCI login username can inject an arbitrary IP into banIP's log parser, causing the wrong address to be blocked. GHSA-r6hx-4f83-vp8m
  • ead (Emergency Access Daemon): CVE-2026-55490 (Moderate): an integer underflow in handle_send_a() allowed a pre-auth denial of service. GHSA-9558-77jp-g3fw
  • Linux kernel: update to 6.12.94, pulling in the upstream 6.12.88 through 6.12.94 stable releases, which fix multiple security vulnerabilities, such as CVE-2026-43500.
  • OpenSSL: update to 3.5.7, fixing multiple security vulnerabilities (CVE-2026-7383, CVE-2026-9076, CVE-2026-34180, CVE-2026-34181, CVE-2026-34182, CVE-2026-34183, CVE-2026-42764, CVE-2026-42766, CVE-2026-42767, CVE-2026-42768, CVE-2026-42769, CVE-2026-42770, CVE-2026-45445, CVE-2026-45446, CVE-2026-45447).
  • musl libc: backport upstream fixes for CVE-2026-6042 and CVE-2026-40200.
  • dropbear (SSH): backport security fixes from upstream 2026.90 and 2026.91, including CVE-2019-6111 (a malicious server could trick the scp client into overwriting arbitrary local files) and CVE-2026-35385.

Beyond the issues listed above, this release fixes a number of further security problems for which no CVE number or dedicated advisory was assigned. We strongly recommend upgrading to the latest OpenWrt release and installing all available package updates.
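
The hop-limit rule behind the NDP relay item in the list above, as an added example that is not odhcpd's code: a receive-side check of a Neighbor Solicitation against the RFC 4861 section 7.1.1 validity rules. The function names, verdict codes and the sample packet (2001:db8::1, fe80::2) are constructed for illustration, and the ICMPv6 checksum is assumed to be verified by the receive path.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ns_verdict {
    NS_OK = 0,
    NS_BAD_HOP_LIMIT, /* not 255: the packet was forwarded, sender is off-link */
    NS_BAD_HEADER,    /* wrong type/code, or shorter than 24 octets */
    NS_BAD_TARGET,    /* target address is multicast */
    NS_BAD_OPTION,    /* zero-length or truncated option */
    NS_BAD_DAD        /* source is :: but dst or options break the DAD rules */
};

#define ND_NS_TYPE    135
#define ND_NS_MIN_LEN 24 /* type, code, checksum, reserved, 16-byte target */
#define ND_OPT_SLLA   1  /* Source Link-Layer Address option */

/* Solicited-node multicast group, ff02::1:ffXX:XXXX (104-bit prefix). */
static int is_solicited_node(const uint8_t a[16])
{
    static const uint8_t prefix[13] = {0xff, 0x02, [11] = 0x01, [12] = 0xff};
    return memcmp(a, prefix, 13) == 0;
}

/* hop_limit is what the receive path reports for the packet (on Linux, the
 * IPV6_HOPLIMIT ancillary data enabled with IPV6_RECVHOPLIMIT). */
enum ns_verdict ns_validate(uint8_t hop_limit, const uint8_t src[16],
                            const uint8_t dst[16], const uint8_t *icmp, size_t len)
{
    static const uint8_t unspecified[16] = {0}; /* :: */

    /* Routers decrement the hop limit, so only an on-link sender can
     * deliver 255. Anything lower crossed at least one router. */
    if (hop_limit != 255)
        return NS_BAD_HOP_LIMIT;
    if (len < ND_NS_MIN_LEN || icmp[0] != ND_NS_TYPE || icmp[1] != 0)
        return NS_BAD_HEADER;
    if (icmp[8] == 0xff)
        return NS_BAD_TARGET;

    int dad = memcmp(src, unspecified, 16) == 0;
    if (dad && !is_solicited_node(dst))
        return NS_BAD_DAD;

    /* Options are type, length (units of 8 octets), value. */
    for (size_t off = ND_NS_MIN_LEN; off < len; ) {
        size_t left = len - off;
        size_t opt_len = left >= 2 ? (size_t)icmp[off + 1] * 8 : 0;
        if (opt_len == 0 || opt_len > left)
            return NS_BAD_OPTION;
        if (dad && icmp[off] == ND_OPT_SLLA)
            return NS_BAD_DAD;
        off += opt_len;
    }
    return NS_OK;
}

/* Constructed sample: NS for 2001:db8::1 sent to ff02::1:ff00:1 from
 * fe80::2, or from :: when dad_probe is set. trim cuts octets off the end. */
enum ns_verdict demo_ns(uint8_t hop_limit, int dad_probe, int with_slla, size_t trim)
{
    static const uint8_t target[16] = {0x20, 0x01, 0x0d, 0xb8, [15] = 0x01};
    static const uint8_t mac[6] = {0x02, 0, 0, 0, 0, 0x02};
    uint8_t src[16] = {0xfe, 0x80, [15] = 0x02};
    uint8_t dst[16] = {0xff, 0x02, [11] = 0x01, [12] = 0xff, [15] = 0x01};
    uint8_t pkt[32] = {ND_NS_TYPE, 0};
    size_t len = ND_NS_MIN_LEN;

    if (dad_probe)
        memset(src, 0, sizeof(src));
    memcpy(pkt + 8, target, sizeof(target));
    if (with_slla) {
        pkt[24] = ND_OPT_SLLA;
        pkt[25] = 1; /* 1 x 8 octets: type, length, 6-byte MAC */
        memcpy(pkt + 26, mac, sizeof(mac));
        len += 8;
    }
    return ns_validate(hop_limit, src, dst, pkt, trim < len ? len - trim : 0);
}

int main(void)
{
    printf("on-link NS, hop limit 255:  %d\n", demo_ns(255, 0, 1, 0));
    printf("forwarded NS, hop limit 64: %d\n", demo_ns(64, 0, 1, 0));
    printf("DAD probe carrying SLLA:    %d\n", demo_ns(255, 1, 1, 0));
    return 0;
}
```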

Device support

New devices supported in 25.12.5:

  • ipq40xx: Linksys MR9000
  • mediatek (filogic): GL.iNET GL-MT3600BE
  • mediatek (filogic): Huasifei WH3000R (NAND)
  • mediatek (filogic): JioRouter AX6000 (JIDU6101)
  • mediatek (filogic): netis EAP930 V1
  • mediatek (filogic): netis MEX605
  • mediatek (filogic): TP-Link F65 v1
  • mediatek (filogic): Zbtlink ZBT-Z8106AX-S
  • mvebu: Zyxel NAS326
  • ramips (mt76x8): Cudy WR300 v1
  • ramips (mt7621): I-O DATA WN-AX2033GR2

New image variants for already supported devices:

  • mediatek (filogic): Qihoo 360T7 - add UBI layout image
  • mediatek (filogic): Creatlentem CLT-R30B1 - add all-in-UBI layout image
  • mediatek (filogic): Bazis AX3000WM - also recognized under its alternative name WD-R3000N-G2A

Device fixes:

  • ath79: MikroTik - build AG71XX_LEGACY as a module, fixing AR8216/AR8236/AR8316 switch bring-up on boot on some MikroTik devices (#23739)
  • mediatek: do not let devfreq power off the CPU (stability fix)
  • mediatek (filogic): Wavlink WL-WN536AX6 rev A - several fixes (correct 5 GHz MAC address, MAC-address nvmem layout, NAND bad-block management, SPI drive strength, network LED)
  • mediatek (filogic): Qihoo 360T7 - fix DDR3 rate
  • ramips: PAX1800 Lite - fix label MAC device and avoid attaching both UBI partitions on boot
  • ramips (mt76x8): Cudy LT300 v3 - fix backup partition offset
  • rtl8367b: fix RTL8367S-VB VLAN multicast memory handling
  • mvebu: uDPU / eDPU - convert to dual (A/B) firmware
  • ipq806x: AP3935 - disable hibernation on LAN1
  • airoha (an7581): platform improvements and upstream networking fixes

WiFi fixes and improvements

  • wifi-scripts: fix a null dereference on 6 GHz-only radios
  • wifi-scripts: fix EAP (802.1X) station mode in the wpa_supplicant configuration generator
  • wifi-scripts: fix tracking of disabled virtual interfaces
  • hostapd: fix a misplaced radar-detected (DFS) ubus notification

Network and service improvements

  • New "network" LED trigger (lan/wan/wlan) for link and activity indication on supported devices
  • odhcpd and odhcp6c received many DHCPv6/DHCPv4 and IPv6 prefix-delegation correctness and robustness fixes, on top of the security fixes listed above, including more stable DHCPv6 IAID handling
  • More robust handling of invalid DHCP / DHCPv6 client identifiers
  • ubus, rpcd, uhttpd, umdns, uclient and fstools updated with stability and hardening fixes

Core component updates

  • Linux kernel: update from 6.12.87 to 6.12.94
  • OpenSSL: update from 3.5.6 to 3.5.7 (multiple security fixes, see above)
  • wireless-regdb: update from 2026.03.18 to 2026.05.30
  • dnsmasq: update from 2.91 to 2.93
  • ca-certificates: update from 20260223 to 20260601 (refreshed root CA bundle)
  • util-linux: update from 2.41.3 to 2.41.5

Upgrading to 25.12.5

Upgrading from 24.10 to 25.12 should be transparent on most devices, as most configuration data has either remained the same or will be translated correctly on first boot by the package init scripts.
For upgrades within the OpenWrt 25.12 stable series, Attended Sysupgrade is also supported, which allows preserving the installed packages.

  • Sysupgrade from 23.05 or earlier to 25.12 is not officially supported.

  • Cron log level was fixed in busybox. system.@system[0].cronloglevel should be set to 7 for normal logging. 7 is the default now. If this option is not set, the default is used and no manual action is needed. fc0c518

  • Bananapi BPI-R4: Interface eth1 was renamed to sfp-lan or lan4, and interface eth2 was renamed to sfp-wan to match the labels. You have to upgrade without saving the configuration. cd8dcfe

  • TP-Link RE355 v1, RE450 v1 and RE450 v2: The partition layout and block size changed in this release to fix configuration loss on sysupgrade. Users upgrading from OpenWrt 25.12.0 or earlier must use sysupgrade -F to force the upgrade. The image must not exceed 5.875 MB (6016 KiB).

  • Meraki MX60: Direct sysupgrade to 25.12.5 is not possible without manual preparation - meraki_loadaddr must be changed before upgrading, as the default value is insufficient to boot OpenWrt 25.12+. See the device wiki page for instructions.

  • Sitecom WLR-7100 (X7 AC1200): This device was moved from the ath79/generic target to the ath79/tiny target in OpenWrt 25.12.4. Users upgrading from 25.12.3 or earlier need to flash the new image from the ath79/tiny target (use sysupgrade -F).

Known issues

  • Zyxel EX5601-T0: the WAN interface was renamed from eth1 to wan - check and update your network configuration after upgrading.
  • Pixel 10 phones have problems connecting to WPA3-protected WiFi 6 APs. #21486
  • 802.11r Fast Transition (FT) causes connection problems with some WiFi clients when WPA3 is used. #22200
  • SQM CAKE MQ (cake_mq): throughput may be unexpectedly low on some configurations after the scheduler fixes in this release. #22344

Full release notes and upgrade instructions are available at
https://openwrt.org/releases/25.12/notes-25.12.5

In particular, make sure to read the known issues before upgrading:
https://openwrt.org/releases/25.12/notes-25.12.5#known_issues

For a detailed list of all changes, refer to
https://openwrt.org/releases/25.12/changelog-25.12.5

To download the 25.12.5 images, navigate to:
https://downloads.openwrt.org/releases/25.12.5/targets/
Use OpenWrt Firmware Selector to download:
https://firmware-selector.openwrt.org?version=25.12.5

As always, a big thank you goes to all our active package maintainers, testers, documenters and supporters.

Have fun!

The OpenWrt Community


To stay informed of new OpenWrt releases and security advisories, there
are new channels available:


Distribution Release: Kali Linux 2026.2

29 June 2026 at 18:52
The DistroWatch news feed is brought to you by TUXEDO COMPUTERS. The Kali Linux project has released a new snapshot of the security- and forensics-focused distribution. The project's 2026.2 release includes several upgrades: "It's the final week of Q2, and Kali Linux 2026.2 is here - right on schedule. We have been heads down since our last release, and....

Distribution Release: Mageia 10

29 June 2026 at 12:41
The Mageia project has released a new version, Mageia 10, which brings updates to the project's package management tools, welcome screen and CPU requirements. "We increase hardware requirements for 32bit systems, you will require a CPU with SSE2 features. You will find that extension for the packages and....

Distribution Release: Slackel 9.0 "MATE"

29 June 2026 at 03:44
Dimitris Tzemos has announced the release of Slackel 9.0 "MATE" edition, the latest version of the project's Slackware-based live Linux distribution featuring the MATE desktop: "Slackel MATE 9.0 is the latest major release branch of the Greek-developed Linux distribution, built on top of the Slackware 'Current' tree and....

DistroWatch Weekly, Issue 1179

29 June 2026 at 02:16
This week in DistroWatch Weekly:
Review: PCLinuxOS 2026.05
News: COSMIC gets a new system monitor, Xfce tests new Wayland compositor, FreeBSD developers invite questions
Questions and answers: Tips for switching between distributions
Released last week: SteamOS 3.8.10, KaOS 2026.06, Drauger OS 7.8, AnduinOS 2.0.0
Torrent corner: CachyOS
Opinion poll: Favourite release cycle?
Website news:....

Part-DB 2.13.0

By: jbtronics
29 June 2026 at 00:35

Important

If you are using Part-DB it would be helpful if you fill out this short survey on your usage of Part-DB (Google Forms): https://forms.gle/Q15twx3YYq3qCNfe8

Part-DB 2.13.0

New features & Improvements

  • Improved password strength estimator and show time to crack estimate in tooltip
  • Use better library for alerts and dialogs, instead of the outdated bootbox
  • Improved page load error dialog
  • Added bootswatch's brite theme as possible theme
  • Added Ollama as (local) AI provider
  • Allow to configure the timeout for AI providers, making it more suitable for slow local inference
  • Added full Chinese translation (thanks @0x915)
  • Allow to edit info provider references in part edit form

Bug fixes

  • Fixed bug that stocktake date changed on part edit (#1390)

Other changes

  • Updated dependencies
  • Updated KiCad symbols
  • Fixed many deprecations

New Contributors

Full Changelog: v2.12.3...v2.13.0


Distribution Release: AnduinOS 2.0.0

28 June 2026 at 21:49
AnduinOS 2.0.0 has been released. AnduinOS is an Ubuntu-based Linux distribution featuring a GNOME desktop customised with a variety of extensions. This major new release brings extensive under-the-hood changes while maintaining the usability and customisability of the desktop. "Today, AIURSOFT Limited is announcing the general availability of AnduinOS....

v1.7.6 - Crypto Plugin API & Privileged Plugin Tier, S/MIME as a Plugin, Hide Folder Counts & Structured MFA Login

By: rathlinus
28 June 2026 at 20:51

1.7.6 (2026-06-28)

Breaking Changes

  • S/MIME: The built-in S/MIME implementation has been removed from core and re-delivered through the new generic crypto plugin hooks (privileged same-origin plugin tier). S/MIME signing, encryption, decryption, certificate management, and the related settings UI now live in a plugin rather than the main app. Deployments that relied on built-in S/MIME must install the S/MIME crypto plugin to retain those features.

Thank you for your donations:

One-time

  • Anonymous

Monthly

Features

  • Plugins: Privileged same-origin plugin tier with a crypto API surface
  • Plugins: Plugin hooks for email details, headers, and source
  • Mail: Option to hide the total message count on folders (#498)

Fixes

  • Mail: Hide the server scheduled folder when the virtual one is shown (#495)
  • Mail: Stop the unified mailbox from mutating client-returned email objects
  • Composer: HTML-escape sender and subject in the reply/forward quote header (#482)
  • Calendar: Send calendar invites by setting organizerCalendarAddress
  • Identity: Sync the default identity (preferredPrimaryId) to server settings (#507)
  • Auth: Support MFA login via the structured auth endpoint
  • Admin: Show all built-in themes in the admin theme controls (#496)
  • i18n: Add missing translation keys across 19 locales


Release 2026.06.28

28 June 2026 at 20:23

Docker Images

Docker images have been built and pushed:

Docker Hub:

  • alexta69/metube:latest
  • alexta69/metube:2026.06.28

GitHub Container Registry:

  • ghcr.io/alexta69/metube:latest
  • ghcr.io/alexta69/metube:2026.06.28

Changes

  • upgrade to Angular 22 (51fd203)
  • upgrade dependencies (d136344)
  • Bump actions/checkout from 6 to 7 in the github-actions group (33f1412)


12.0 RC2

30 June 2026 at 03:41

🚀 Jellyfin Web 12.0 RC2

We are pleased to announce the second release candidate preview release of Jellyfin 12.0!

This is a preview release, intended for those interested in testing 12.0 before its final public release. We welcome testers to help find as many bugs as we can before the final release.

As always, please ensure you stop your Jellyfin server and take a full backup before upgrading!

A note about versioning

Starting with this release, we are dropping the preceding 10. from our versioning. Thus, 10.11.x -> [10.]12.x = 12.x. The reason is simple: at this point in the project, we don't envision a hard break in the API like we planned way back in the early days, and this version scheme was causing a lot of confusion amongst users about what a "major" release was. For more information, please see the RC1 release notes.

What's new?

The main goal of this release has been performance. 10.11.0 dropped a major backend rewrite, and while it was broadly functional, it had a lot of rough edges. This release seeks to polish out most of those rough edges and bring better performance to all users.

There are many other small fixes, improvements, changes, and translations. See our draft release notes here or below for the full list of pull requests. You can also view the Server side changelog here.

Note: You must be on Jellyfin 10.10.7+ or 10.11.x (ideally, 10.11.11) before upgrading! If you are not, the upgrade will fail. Ensure you upgrade to one of these versions first!

Note: The initial load of Jellyfin 12.x will run a few migrations and will take several minutes. Please be patient and do not interrupt the process. You can leverage the (newly improved!) startup UI on your local network to see specific progress, or off-network to see general progress, by visiting the server URL in your web browser during startup.

Note: If you install the RC, you should disable all external plugins and reinstall using the unstable plugin repository, or plugins may fail to load and cause unintended side effects.

Installing

This preview release is distributed in all our traditional forms, though not automatically via our Apt repository or latest tag.

  • For all non-Docker environments, you can find the files for manual download in our repository by selecting "Stable Preview" for your OS.
  • For Docker, you can pull the 12.0-rc2 or preview tags.

What's Changed (since v12.0-rc1)

Full Changelog: v12.0-rc1...v12.0-rc2


12.0 RC2

30 June 2026 at 04:44

🚀 Jellyfin Server 12.0 RC2

We are pleased to announce the second release candidate preview release of Jellyfin 12.0!

This is a preview release, intended for those interested in testing 12.0 before its final public release. We welcome testers to help find as many bugs as we can before the final release.

As always, please ensure you stop your Jellyfin server and take a full backup before upgrading!

A note about versioning

Starting with this release, we are dropping the preceding 10. from our versioning. Thus, 10.11.x -> [10.]12.x = 12.x. The reason is simple: at this point in the project, we don't envision a hard break in the API like we planned way back in the early days, and this version scheme was causing a lot of confusion amongst users about what a "major" release was. For more information, please see the RC1 release notes.

What's new?

The main goal of this release has been performance. 10.11.0 dropped a major backend rewrite, and while it was broadly functional, it had a lot of rough edges. This release seeks to polish out most of those rough edges and bring better performance to all users.

There are many other small fixes, improvements, changes, and translations. See our draft release notes here or below for the full list of pull requests. You can also view the Web side changelog here.

Note: You must be on Jellyfin 10.10.7+ or 10.11.x (ideally, 10.11.11) before upgrading! If you are not, the upgrade will fail. Ensure you upgrade to one of these versions first!

Note: The initial load of Jellyfin 12.x will run a few migrations and will take several minutes. Please be patient and do not interrupt the process. You can leverage the (newly improved!) startup UI on your local network to see specific progress, or off-network to see general progress, by visiting the server URL in your web browser during startup.

Note: If you install the RC, you should disable all external plugins and reinstall using the unstable plugin repository, or plugins may fail to load and cause unintended side effects.

Installing

This preview release is distributed in all our traditional forms, though not automatically via our Apt repository or latest tag.

  • For all non-Docker environments, you can find the files for manual download in our repository by selecting "Stable Preview" for your OS.
  • For Docker, you can pull the 12.0-rc2 or preview tags.

What's Changed (since v12.0-rc1)

New Contributors

Full Changelog: v12.0-rc1...v12.0-rc2


Distribution Release: Drauger OS 7.8

28 June 2026 at 13:48
The developer of Drauger OS, an Ubuntu-based distribution with optimizations designed to improve gaming performance and experience on Linux, has announced the release of a major new version, 7.8, now based on Ubuntu 26.04 LTS: "I am proud to announce the stable release of Drauger OS 7.8, codename....

v1.19.2

28 June 2026 at 12:55

Fixes and improvements

General

  • playback: fix panic when MP4 muxer flushes with no samples (#5867)
  • redact sensitive headers in HTTP debug logs (#5873)
  • fix(recordstore): decode timezone offset minutes correctly (#5884)
  • improve HTTP server performance (#5886): log incoming requests without cloning.
  • prevent truncation of 64-bit values on 32-bit platforms (#5902)

RTSP

WebRTC

  • skip unresolvable webrtcAdditionalHosts entries instead of aborting (#5845)

RPI Camera

  • support encoding primary stream with MJPEG (2/2) (#5892)
  • support encoding secondary stream with H264 (2/2) (#4485) (#5898)
  • add unified rpiCameraH264Profile, rpiCameraH264Level params (#5894). These replace rpiCameraHardwareH264Profile, rpiCameraHardwareH264Level, rpiCameraSoftwareH264Profile, rpiCameraSoftwareH264Level.
  • fix race condition that prevents decoding the stream (bluenviron/mediamtx-rpicamera#109) (#5861). When a player immediately connects to a newly-created stream, SPS/PPS might not be available, neither in the SDP nor in-band. Prevent the issue by always sending SPS/PPS in-band.
  • improve performance by computing frame size once (bluenviron/mediamtx-rpicamera#111)
  • fix wrong timestamp being passed to openh264 (bluenviron/mediamtx-rpicamera#114)

Dependencies

  • code.cloudfoundry.org/bytefmt updated from v0.76.0 to v0.78.0
  • github.com/abema/go-mp4 updated from v1.6.0 to v1.7.1
  • github.com/bluenviron/gortsplib/v5 updated from v5.6.0 to v5.6.1
  • github.com/bluenviron/mediacommon/v2 updated from v2.9.0 to v2.9.1
  • github.com/matthewhartstonge/argon2 updated from v1.5.4 to v1.5.5
  • github.com/pion/sdp/v3 updated from v3.0.18 to v3.0.19
  • github.com/quic-go/webtransport-go updated from v0.10.0 to v0.11.0
  • github.com/pion/srtp/v3 updated from v3.0.11 to v3.0.12
  • github.com/bluenviron/mediamtx-rpicamera updated from v2.6.0 to v2.8.0

Security

Binaries are compiled from source code by the Release workflow, which is a fully-visible process that prevents any change or external interference in produced artifacts.

Checksums of binaries are also published in a public blockchain by using GitHub Attestations, and they can be verified by running:

ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx

You can verify checksums of binaries by downloading checksums.sha256 and running:

cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check
