* CVE-2026-46445: A SQL injection vulnerability when PostgreSQL is
used as the user database.
* CVE-2026-46446: Address a SQL injection vulnerability when MariaDB
or PostgreSQL is used as the user database and passwords are
stored in cleartext.
* CVE-2025-71276: Fix a Cross-Site Scripting (XSS) vulnerability in
events, tasks and contacts categories.
* CVE-2026-33550: Address a number of Time-Based One-Time Passwords
(TOTP) vulnerabilities, including if a user disables/enables TOTP,
various values not being renewed, and an issue around recommended
TOTP lengths.
* CVE-2026-8496: Fix an issue where a maliciously crafted .ICS
calendar invitation file allowed arbitrary JavaScript execution
within an authenticated webmail session.
* CVE-2026-8851: Fix an SQL injection vulnerability in the access
control list management functionality, which could have allowed
authenticated users to extract arbitrary data from the database by
injecting SQL subqueries through the "uid" parameter of the