9.9.1-alpha.6

9.9.1-alpha.6 (2026-06-03)

Bug Fixes

• Relation $relatedTo query bypasses protectedFields and owning-object ACL (GHSA-wmwx-jr2p-4j4r) (#10493) (43658f1)

9.9.1-alpha.5

9.9.1-alpha.5 (2026-06-03)

Bug Fixes

• Endpoints /login and /verifyPassword disclose MFA secrets and protected fields when _User get is denied (GHSA-75v4-m273-5j49) (#10492) (83e90ed)

8.6.80

8.6.80 (2026-06-03)

Bug Fixes

• Relation $relatedTo query bypasses protectedFields and owning-object ACL (GHSA-wmwx-jr2p-4j4r) (#10494) (efef11b)

9.9.1-alpha.4

9.9.1-alpha.4 (2026-06-01)

Bug Fixes

• Stored XSS via trailing-dot filename bypassing file upload extension blocklist (GHSA-7wqv-xjf3-x35v) (#10489) (66484ce)

8.6.79

8.6.79 (2026-06-01)

Bug Fixes

• Stored XSS via trailing-dot filename bypassing file upload extension blocklist (GHSA-7wqv-xjf3-x35v) (#10490) (9e99279)

9.9.1-alpha.3

9.9.1-alpha.3 (2026-05-27)

Bug Fixes

• Server option routeAllowList is bypassable through batch sub-requests (GHSA-p84r-h6rx-f2xr) (#10482) (552c6dd)

9.9.1-alpha.2

9.9.1-alpha.2 (2026-05-18)

Bug Fixes

• GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers (GHSA-8cph-rgr4-g5vj) (#10467) (155123a)

8.6.78

8.6.78 (2026-05-18)

Bug Fixes

• GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers (GHSA-8cph-rgr4-g5vj) (#10468) (a0ddb85)

9.9.1-alpha.1

9.9.1-alpha.1 (2026-05-17)

Bug Fixes

• Pre-authentication denial of service via client version header regex backtracking (GHSA-38m6-82c8-4xfm) (#10463) (56c159e)

8.6.77

8.6.77 (2026-05-17)

Bug Fixes

• Pre-authentication denial of service via client version header regex backtracking (GHSA-38m6-82c8-4xfm) (#10464) (8523425)