11# Table of Contents
22
33* [Changelog for unreleased](#changelog-for-owncloud-core-unreleased-unreleased)
4+ * [Changelog for 10.16.3](#changelog-for-owncloud-core-10163-2026-05-22)
45* [Changelog for 10.16.2](#changelog-for-owncloud-core-10162-2026-04-02)
56* [Changelog for 10.16.1](#changelog-for-owncloud-core-10161-2026-02-18)
67* [Changelog for 10.16.0](#changelog-for-owncloud-core-10160-2025-10-23)
2829* [Changelog for 10.4.1](#changelog-for-owncloud-core-1041-2020-03-30)
2930* [Changelog for 10.4.0](#changelog-for-owncloud-core-1040-2020-02-10)
3031* [Changelog for 10.3.2](#changelog-for-owncloud-core-1032-2019-12-04)
31-
3232# Changelog for ownCloud Core [unreleased] (UNRELEASED)
3333
3434The following sections list the changes in ownCloud core unreleased relevant to
3535ownCloud admins and users.
3636
37- [unreleased]: https://github.com/owncloud/core/compare/v10.16.1 ...master
37+ [unreleased]: https://github.com/owncloud/core/compare/v10.16.3 ...master
3838
3939## Summary
4040
@@ -43,6 +43,7 @@ ownCloud admins and users.
4343* Change - Update PHP dependencies: [#41450](https://github.com/owncloud/core/pull/41450)
4444* Change - Drop command db:convert-type: [#41451](https://github.com/owncloud/core/pull/41451)
4545* Change - Removed legacy and deprecated code from ownCloud 11: [#41455](https://github.com/owncloud/core/pull/41455)
46+ * Change - Use configurable URL for internet connectivity check: [#41506](https://github.com/owncloud/core/pull/41506)
4647
4748## Details
4849
@@ -61,12 +62,19 @@ ownCloud admins and users.
6162* Change - Update PHP dependencies: [#41450](https://github.com/owncloud/core/pull/41450)
6263
6364 The following have been updated: - doctrine/dbal (2.13.9 to 3.10.4) -
64- google/auth (v1.50.0 to v1.50.1) - guzzlehttp/psr7 (2.8.0 to 2.9.0) -
65- phpseclib/phpseclib (3.0.49 to 3.0.50) - pimple/pimple (3.6.1 to 3.6.2)
65+ google/apiclient (v2.19.0 to v2.19.3) - google/apiclient-services (v0.435.0 to
66+ v0.441.1) - google/auth (v1.50.0 to v1.50.1) - guzzlehttp/psr7 (2.8.0 to 2.10.4)
67+ - guzzlehttp/guzzle (7.10.0 to 7.10.5) - guzzlehttp/promises (2.3.0 to 2.4.1) -
68+ laravel/serializable-closure (v2.0.10 to v2.0.13) - phpseclib/phpseclib (3.0.49
69+ to 3.0.50) - pimple/pimple (3.6.1 to 3.6.2) - symfony/deprecation-contracts
70+ (v3.6.0 to v3.7.0) - symfony/mailer (v7.4.6 to v7.4.12)
6671
6772 https://github.com/owncloud/core/pull/41450
6873 https://github.com/owncloud/core/pull/41477
6974 https://github.com/owncloud/core/pull/41495
75+ https://github.com/owncloud/core/pull/41561
76+ https://github.com/owncloud/core/pull/41564
77+ https://github.com/owncloud/core/pull/41569
7078
7179* Change - Drop command db:convert-type: [#41451](https://github.com/owncloud/core/pull/41451)
7280
@@ -88,6 +96,86 @@ ownCloud admins and users.
8896 https://github.com/owncloud/core/pull/41464
8997 https://github.com/owncloud/core/pull/41468
9098
99+ * Change - Use configurable URL for internet connectivity check: [#41506](https://github.com/owncloud/core/pull/41506)
100+
101+ Default URL is now configurable and the default is set to an independent
102+ resource: https://detectportal.firefox.com/success.txt This also provides an
103+ IPv6 compatible URL.
104+
105+ https://github.com/owncloud/core/issues/41465
106+ https://github.com/owncloud/core/pull/41506
107+
108+ # Changelog for ownCloud Core [10.16.3] (2026-05-22)
109+
110+ The following sections list the changes in ownCloud core 10.16.3 relevant to
111+ ownCloud admins and users.
112+
113+ [10.16.3]: https://github.com/owncloud/core/compare/v10.16.2...v10.16.3
114+
115+ ## Summary
116+
117+ * Security - Update phpseclib to 3.0.52 for CVE-2026-40194: [#41529](https://github.com/owncloud/core/pull/41529)
118+ * Security - Restrict AppConfigController read methods to full admins only: [#41550](https://github.com/owncloud/core/pull/41550)
119+ * Security - Update symfony/routing to 5.4.52 for CVE-2026-45065: [#41559](https://github.com/owncloud/core/pull/41559)
120+ * Bugfix - Prevent mounting local storage if not allowed: [#41538](https://github.com/owncloud/core/pull/41538)
121+ * Bugfix - Use the correct user ID when changing email via admin API: [#41539](https://github.com/owncloud/core/pull/41539)
122+ * Bugfix - Prevent IDOR in WebDAV comments API: [#41558](https://github.com/owncloud/core/pull/41558)
123+
124+ ## Details
125+
126+ * Security - Update phpseclib to 3.0.52 for CVE-2026-40194: [#41529](https://github.com/owncloud/core/pull/41529)
127+
128+ CVE-2026-40194: Timing attack vulnerability in SSH binary packet processing.
129+ Upgraded phpseclib/phpseclib from 3.0.50 to 3.0.52.
130+
131+ https://github.com/owncloud/core/pull/41529
132+ https://github.com/owncloud/core/pull/41541
133+ https://github.com/phpseclib/phpseclib/releases/tag/3.0.51
134+
135+ * Security - Restrict AppConfigController read methods to full admins only: [#41550](https://github.com/owncloud/core/pull/41550)
136+
137+ Subadmin users could read all oc_appconfig values including SMTP passwords, LDAP
138+ bind credentials, and encryption master keys via the Settings API. Removed
139+ @NoAdminRequired from getApps, getKeys, and getValue so that the AdminMiddleware
140+ enforces full-admin-only access, consistent with the write methods.
141+
142+ https://github.com/owncloud/core/pull/41550
143+
144+ * Security - Update symfony/routing to 5.4.52 for CVE-2026-45065: [#41559](https://github.com/owncloud/core/pull/41559)
145+
146+ CVE-2026-45065: UrlGenerator route-requirement bypass via unanchored regex
147+ alternation allowing off-site URL injection. Upgraded symfony/routing from
148+ 5.4.48 to 5.4.52.
149+
150+ https://github.com/owncloud/core/pull/41559
151+ https://symfony.com/cve-2026-45065
152+
153+ * Bugfix - Prevent mounting local storage if not allowed: [#41538](https://github.com/owncloud/core/pull/41538)
154+
155+ Mounting a local storage was possible if the internal class name was used as
156+ backend, despite local storage not allowed to be mounted. This problem is fixed
157+ and the local storage can't be mounted if it was explicitly disallowed in the
158+ configuration.
159+
160+ https://github.com/owncloud/core/pull/41538
161+
162+ * Bugfix - Use the correct user ID when changing email via admin API: [#41539](https://github.com/owncloud/core/pull/41539)
163+
164+ The admin API endpoint for changing a user's email address was incorrectly using
165+ the requesting admin's user ID instead of the target user's ID, causing the
166+ admin's email to be updated rather than the intended user's.
167+
168+ https://github.com/owncloud/core/pull/41539
169+
170+ * Bugfix - Prevent IDOR in WebDAV comments API: [#41558](https://github.com/owncloud/core/pull/41558)
171+
172+ Authenticated users could read, edit, or delete comments on files they have no
173+ access to by supplying an arbitrary comment ID in the WebDAV comments endpoint.
174+ The fix verifies that a requested comment belongs to the file in the URL before
175+ returning it.
176+
177+ https://github.com/owncloud/core/pull/41558
178+
91179# Changelog for ownCloud Core [10.16.2] (2026-04-02)
92180
93181The following sections list the changes in ownCloud core 10.16.2 relevant to
0 commit comments