Security audit closes backlog of vulnerabilities
A full-stack security audit has closed a backlog of vulnerabilities. Highlights include a command-injection fix in the backup-restore endpoint (CWE-78), JWT-library patches for three CVEs (algorithm confusion, JWT bomb, JWE decompression DoS), and web-framework updates that close the Server Components RCE and DoS issues (CVE-2025-55182, CVE-2026-23864), plus a syntax-highlighter XSS (CVE-2024-53382).
Defense-in-depth additions include webhook SSRF protection, HMAC-signed audit-log exports, sanitized admin email-template previews, OIDC redirect validation, autoescaped email templates, and a strict Content-Security-Policy on every response. Self-hosted deployments now refuse to start if the application secrets or database password match the bundled placeholders. Kubernetes manifests enforce the restricted Pod Security Standards tier with default-deny network policies and dedicated service accounts.
SaaS tenants are already patched. Customers running 1.8.x in production should upgrade to v1.9.0 or later.