Changelog for ownCloud Core 10.16.3 (2026-05-22)
The following sections list the changes in ownCloud core 10.16.3 relevant to ownCloud admins and users.
Summary
Security - Update phpseclib to 3.0.52 for CVE-2026-40194: #41529
Security - Restrict AppConfigController read methods to full admins only: #41550
Security - Update symfony/routing to 5.4.52 for CVE-2026-45065: #41559
Bugfix - Prevent mounting local storage if not allowed: #41538
Bugfix - Use the correct user ID when changing email via admin API: #41539
Bugfix - Prevent IDOR in WebDAV comments API: #41558
Details
Security - Update phpseclib to 3.0.52 for CVE-2026-40194: #41529
CVE-2026-40194: Timing attack vulnerability in SSH binary packet processing. Upgraded phpseclib/phpseclib from 3.0.50 to 3.0.52.
https://github.com/owncloud/core/pull/41529
https://github.com/owncloud/core/pull/41541
https://github.com/phpseclib/phpseclib/releases/tag/3.0.51
Security - Restrict AppConfigController read methods to full admins only: #41550
Subadmin users could read all oc_appconfig values including SMTP passwords, LDAP bind credentials, and encryption master keys via the Settings API. Removed @NoAdminRequired from getApps, getKeys, and getValue so that the AdminMiddleware enforces full-admin-only access, consistent with the write methods.
https://github.com/owncloud/core/pull/41550
Security - Update symfony/routing to 5.4.52 for CVE-2026-45065: #41559
CVE-2026-45065: UrlGenerator route-requirement bypass via unanchored regex alternation allowing off-site URL injection. Upgraded symfony/routing from 5.4.48 to 5.4.52.
https://github.com/owncloud/core/pull/41559
https://symfony.com/cve-2026-45065
Bugfix - Prevent mounting local storage if not allowed: #41538
Mounting a local storage was possible if the internal class name was used as the backend, even though local storage was not allowed to be mounted. This problem is fixed, and local storage can no longer be mounted if it was explicitly disallowed in the configuration.
https://github.com/owncloud/core/pull/41538
Bugfix - Use the correct user ID when changing email via admin API: #41539
The admin API endpoint for changing a user's email address was incorrectly using the requesting admin's user ID instead of the target user's ID, causing the admin's email to be updated rather than the intended user's.
https://github.com/owncloud/core/pull/41539
Bugfix - Prevent IDOR in WebDAV comments API: #41558
Authenticated users could read, edit, or delete comments on files they have no access to by supplying an arbitrary comment ID in the WebDAV comments endpoint. The fix verifies that a requested comment belongs to the file in the URL before returning it.
https://github.com/owncloud/core/pull/41558
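The check described for the WebDAV comments fix, shown as an added PHP example that is not ownCloud's code: the class and function names and the in-memory store are hypothetical, and access to the file named in the URL is assumed to have been verified before the lookup.

```php
<?php
declare(strict_types=1);

// Added illustration, not ownCloud code. All names here are hypothetical.
final class CommentNotFound extends RuntimeException {}

final class Comment
{
    public function __construct(
        public readonly string $id,
        public readonly string $fileId,   // file the comment is attached to
        public string $message,
    ) {}
}

/**
 * Resolve a comment only within the scope of the file named in the URL.
 * Read, edit and delete all go through this one lookup.
 *
 * @param array<string, Comment> $store constructed stand-in for the comments table
 */
function commentForFile(array $store, string $urlFileId, string $commentId): Comment
{
    $comment = $store[$commentId] ?? null;
    // Same error for "no such comment" and "comment on another file", so the
    // response does not reveal which comment IDs exist on other files.
    if ($comment === null || $comment->fileId !== $urlFileId) {
        throw new CommentNotFound('comment not found');
    }
    return $comment;
}

// Constructed sample data: the caller can access file f10 but not file f99.
$store = [
    'c1' => new Comment('c1', 'f10', 'visible to the caller'),
    'c2' => new Comment('c2', 'f99', 'on a file the caller cannot access'),
];

// Comment c1 belongs to the file in the URL, so it is returned.
echo commentForFile($store, 'f10', 'c1')->message, PHP_EOL;

try {
    // Comment c2 exists, but on a different file than the one in the URL.
    commentForFile($store, 'f10', 'c2');
} catch (CommentNotFound $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```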
Changelog for ownCloud Core 10.16.1 (2026-02-18)
The following sections list the changes in ownCloud core 10.16.1 relevant to ownCloud admins and users.
Summary
Bugfix - Apply SVG sanitization to all file content before using ImageMagick: #41433
Bugfix - Disallow empty tokens when pairing trusted servers: #41434
Change - Update PHP dependencies: #41408
Enhancement - Add mimetype aliases/mapping for .toml and .ovpn: #41431
Details
Bugfix - Apply SVG sanitization to all file content before using ImageMagick: #41433
Any file content is now sanitized for SVG threats before being processed by ImageMagick, preventing potential security vulnerabilities.
https://github.com/owncloud/core/pull/41433
Bugfix - Disallow empty tokens when pairing trusted servers: #41434
An empty token could be used to pair trusted servers, which is not secure.
https://github.com/owncloud/core/pull/41434
Change - Update PHP dependencies: #41408
The following have been updated:
- monolog/monolog (2.10.0 to 2.11.0)
- pear/pear-core-minimal (v1.10.16 to v1.10.18)
- phpseclib/phpseclib (3.0.47 to 3.0.48)
- phpseclib/phpseclib (3.0.46 to 3.0.49)
- pimple/pimple (3.5.0 to 3.6.0)
- sabre/http (5.1.12 to 5.1.13)
- sabre/vobject (4.5.7 to 4.5.8)
- symfony/process (5.4.47 to 5.4.51)
- theseer/tokenizer (1.2.3 to 1.3.1)
https://github.com/owncloud/core/pull/41408
https://github.com/owncloud/core/pull/41421
https://github.com/owncloud/core/pull/41446
Enhancement - Add mimetype aliases/mapping for .toml and .ovpn: #41431
Mimetype aliases and mappings for .toml and .ovpn files were added.
https://github.com/owncloud/core/pull/41431