Fixes

• Fixed the upgrade modal to show the correct target version and cleared stale upgrade notifications when the instance was already up to date. (#7774, fixes #6039, #8707)
• Fixed user deletion cleanup so team-owned Git app sources were handled safely, while instance-wide sources were preserved for the root team. (#9435, fixes #8172)
• Fixed dashboard homepage add buttons so they remained visible in light mode. (#9456, fixes #9454)
• Fixed port mapping validation to accept protocol suffixes like /tcp, /udp, /sctp and IP-bound mappings. (#9503, fixes #9501, #9504)

Improvements

• Updated phpseclib/phpseclib to 3.0.51. (#9500)
• Updated axios to 1.15.0 for development dependencies. (#9515)
• Updated axios to 1.15.0 in coolify-realtime. (#9516)

What's Changed (Github)

• fix(ui): Initialize latestVersion in Upgrade component mount by @andrasbacsai in #7774
• fix(user-deletion): safely clean up team-owned Git app sources by @andrasbacsai in #9435
• fix(ui): dashboard homepage add buttons are invisible in light mode by @rosslh in #9456
• fix(validation): allow protocol suffix and ip in port mappings (/tcp, /udp, /sctp) by @ShadowArcanist in #9503
• build(deps): bump phpseclib/phpseclib from 3.0.50 to 3.0.51 by @dependabot[bot] in #9500
• build(deps-dev): bump axios from 1.13.2 to 1.15.0 by @dependabot[bot] in #9515
• build(deps): bump axios from 1.13.6 to 1.15.0 in /docker/coolify-realtime by @dependabot[bot] in #9516
• v4.0.0-beta.473 by @andrasbacsai in #9521

New Contributors

• @rosslh made their first contribution in #9456

Full Changelog: v4.0.0-beta.472...v4.0.0-beta.473

What's Changed

Security & Fixes

• Allow quoted arguments in custom Docker run options (#9481, fixes #9343)
• Patched Alpine packages in helper, realtime, and development Docker images (#9437)
• Bumped Alexandrie images to address upstream security advisory (#9434)

New Services & Templates

• Added Grimmory one-click service, the successor to Booklore (#9109)
• Comprehensive Supabase template update to latest versions (#8316)
• Allow overriding GOTRUE_SITE_URL in Supabase for separate frontend domains (#9079, fixes #5581)
• Added sensible CORS defaults to Directus templates (#9081, fixes #5024)
• Updated Rivet template to v2.2.0 (#9378)
• Updated Convex to current latest version (#9392)
• Fixed LibreChat healthcheck and upgraded Meilisearch image (#9358)
• Fixed n8n task-runners health check (#9309, fixes #9306)
• Increased Nextcloud healthcheck interval to prevent worker exhaustion (#9440, fixes #9439)
• Updated Nextcloud healthcheck endpoint to /status.php (#9470)
• Fixed Netbird client volume path so settings persist across restarts (#9484)
• Corrected Minecraft template category to games (#9387)
• Corrected several template categories that were set incorrectly (#9449)

Improvements

• Removed Algora bounty program references from community docs and templates (#9436)

What's Changed (Github)

• fix(services): bump images of alexandrie to fix security issue by @Smaug6739 in #9434
• feat(service): update Convex to current latest version by @sebous in #9392
• fix(template): Minecraft was on wrong category by @Iisyourdad in #9387
• feat(service): update Rivet to v2.2.0 by @yipfram in #9378
• fix(service): fix librechat healthcheck and update dependencies by @GauthierPLM in #9358
• fix(service): n8n task-runners health check fails by @frank-netkey in #9309
• feat(service): add grimmory by @RickyWanga in #9109
• fix(service): directus cors not applied in preflight requests by @xidik12 in #9081
• feat(service): update Supabase to current latest versions by @Vadko in #8316
• fix(service): allow overriding GOTRUE_SITE_URL in Supabase template by @xidik12 in #9079
• fix(service): nextcloud workers exhaustion due to low interval healthcheck by @ShadowArcanist in #9440
• fix(docker): add apk upgrade to helper, realtime, and development Dockerfiles by @andrasbacsai in #9437
• chore(community): remove Algora bounty program references by @andrasbacsai in #9436
• chore(service): update nextcloud healthcheck endpoint by @ShadowArcanist in #9470
• fix(validation): allow quoted docker run options in custom config by @andrasbacsai in #9481
• build(deps-dev): bump vite from 7.3.0 to 7.3.2 by @dependabot[bot] in #9457
• fix(service): Several templates on wrong catagory. by @Iisyourdad in #9449
• fix(service): netbird-client wrong volume path by @iamimmanuelraj in #9484
• v4.0.0-beta.472 by @andrasbacsai in #9492

New Contributors

• @sebous made their first contribution in #9392
• @Iisyourdad made their first contribution in #9387
• @frank-netkey made their first contribution in #9309
• @RickyWanga made their first contribution in #9109
• @iamimmanuelraj made their first contribution in #9484

Full Changelog: v4.0.0-beta.471...v4.0.0-beta.472

What's Changed

Security & Fixes

• Harden model mass assignment protection across all models (#9282)
• Scope server and project queries to current team (#9230)
• Harden GetLogs component with locked properties and input validation (#9229)
• Add validation and escaping for Docker network names (#9228)
• Add URL validation for notification webhook fields (#9224)
• Use server-side config for password reset URL generation (#9193)
• Add input validation for install/build/start command fields (#9227)
• Add input validation for resource limit fields (#9238)
• Add IP validation for custom DNS servers input (#9239)
• Add URL validation for proxy redirect input (#9241)
• Add input validation for server advanced settings page (#9242)
• Add input validation for sentinel configuration (#9243)
• Add input validation for database backup timeout (#9245)
• Add input validation for emails configuration (#9259)
• Add input validation for database public port and proxy timeout
• Add validation to block unsafe webhook URLs
• Use random_int() for email change verification codes (#9226)
• Move admin route into middleware group (#9225)
• Enforce team-scoped project/env lookups in onboarding
• Add input validation for port exposes and port mappings fields

New Services & Templates

• Added ElectricSQL template (#8190)

Fixes

• Fix intermittent pre-deployment command failures (#9165, fixes #9076)
• Fix Grafana GF_SERVER_DOMAIN using FQDN instead of URL (#9080, fixes #5307)
• Fix listmonk db config env typo (#9250)
• Fix Langfuse by pinning ClickHouse version to avoid init errors
• Fix cloning persistent volumes with missing uuid (#9290, fixes #9270)
• Fix redirect value not persisting in setRedirect (#9279)
• Fix cloud subscription notification links (#9296)
• Fix slash branches in public repo URLs
• Fix shared env vars resolving on wrong server
• Fix database SSL/status state and clone writes
• Fix auto-generate missing CA cert on SSL regeneration
• Fix backup notification failures affecting backup status (fixes #9088)
• Fix backup retention enforcement and stale execution cleanup
• Fix password visibility toggle using Alpine state
• Fix GitHub branch state when refreshing repositories

Improvements

• Shared server environment variables (#7764)
• Refresh repos on private GitHub app (#8621)
• Support Docker image tags for preview deployments
• Add preserve repository option to deployment API (#8371)
• Implement exponential backoff for unreachable servers (#9184)
• Improve scheduled task single view UX (#9266)
• Add two-step confirmation to enable self-registration (#9277)
• Add public port timeout configuration for databases
• Make textarea monospace opt-in and improve multiline toggle

What's Changed (Github)

• fix(backup): prevent notification failures from affecting backup status by @andrasbacsai in #9162
• fix(preview-env): ensure auto-created preview env vars inherit runtime/buildtime flags by @andrasbacsai in #9164
• fix(api): validate server ownership in domains endpoint and scope activity lookups by @andrasbacsai in #9166
• fix(backup): validate MongoDB collection names in backup input by @andrasbacsai in #9168
• fix(terminal): apply authorization middleware to terminal bootstrap routes by @andrasbacsai in #9169
• fix(livewire): add Locked attributes and consolidate container name validation by @andrasbacsai in #9171
• fix(livewire): add input validation to unmanaged container operations by @andrasbacsai in #9172
• feat(deployment): add command_hidden flag to hide command text in logs by @andrasbacsai in #9167
• fix(deployment): normalize whitespace in pre/post deployment commands by @andrasbacsai in #9173
• fix(storage): consistent path validation and escaping for file volumes by @andrasbacsai in #9176
• fix(backup): use escapeshellarg for credentials in backup commands by @andrasbacsai in #9175
• fix(storage): use escapeshellarg for volume names in shell commands by @andrasbacsai in #9185
• refactor: simplify remote process chain and harden ActivityMonitor by @andrasbacsai in #9189
• Add URL validation for GitHub source fields by @andrasbacsai in #9190
• refactor: split invitation endpoint into GET/POST flow by @andrasbacsai in #9192
• fix: sanitize error output in server validation logs by @andrasbacsai in #9197
• fix: use server-side config for password reset URL generation by @andrasbacsai in #9193
• refactor: move admin route into middleware group by @andrasbacsai in #9225
• Add URL validation for notification webhook fields by @andrasbacsai in #9224
• refactor: use random_int() for email change verification codes by @andrasbacsai in #9226
• fix: add input validation for install/build/start command fields by @andrasbacsai in #9227
• refactor: scope server and project queries to current team by @andrasbacsai in #9230
• fix: add validation and escaping for Docker network names by @andrasbacsai in #9228
• fix(application): persist redirect value in setRedirect by @andrasbacsai in #9279
• fix: harden GetLogs Livewire component properties by @andrasbacsai in #9229
• feat(api): Add support for Preserve Repository During Deployment in API by @ahmadw13 in #8371
• fix(clone): exclude uuid when replicating persistent volumes by @andrasbacsai in #9290
• fix(notification): updated cloud subscription links to valid url by @ShadowArcanist in #9296
• feat(ui): add two step confirmation to enable self registration by @ShadowArcanist in #9277
• fix(service): listmonk db config env typo by @mxswd in #9250
• fix(service): pin clickhouse version on Langfuse service to avoid error during clickhouse init by @GauthierPLM in #9236
• fix(service): use FQDN instead of URL for Grafana GF_SERVER_DOMAIN by @xidik12 in #9080
• feat(service): Add ElectricSQL by @matfire in #8190
• refactor: define explicit fillable attributes on all Eloquent models by @andrasbacsai in #9282
• fix(validation): add input validation for database public port and proxy timeout by @ShadowArcanist in #9272
• feat(ui): improve schedule task single view for better UX by @ShadowArcanist in #9266
• fix(validation): add input validation for emails configuration by @ShadowArcanist in #9259
• fix(validation): add input validation for database backup timeout by @ShadowArcanist in #9245
• fix(validation): add input validation for sentinel configuration by @ShadowArcanist in #9243
• fix(validation): add input validation for server advanced settings page by @ShadowArcanist in #9242
• fix(validation): add URL validation for proxy redirect input by @ShadowArcanist in #9241
• fix(validation): add input validation for port exposes and port mappings fields by @ShadowArcanist in #9240
• fix(validation): add IP validation for custom DNS servers input by @ShadowArcanist in #9239
• fix(validation): add input validation for resource limit fields by @ShadowArcanist in #9238
• feat: refresh repos on private github app by @adiologydev in #8621
• feat: Shared server environment variables by @ShadowArcanist in #7764
• chore(deps): bump aws/aws-sdk-php from 3.371.3 to 3.374.2 by @dependabot[bot] in #9222
• chore(deps): bump picomatch by @dependabot[bot] in #9178
• build(deps): bump league/commonmark from 2.8.1 to 2.8.2 by @dependabot[bot] in #9047
• build(deps): bump phpseclib/phpseclib from 3.0.49 to 3.0.50 by @dependabot[bot] in #9044
• feat(jobs): implement exponential backoff for unreachable servers by @andrasbacsai in #9184
• fix(deployment): resolve intermittent pre-deployment command failures by @andrasbacsai in #9165
• v4.0.0-beta.471 by @andrasbacsai in #9206

New Contributors

• @mxswd made their first contribution in #9250
• @Xidik...

What's Changed

Security & Fixes

• Fixed proxy config validation to ensure stored config matches the current proxy type (#9146, fixes #9127)
• Fixed environment variables being incorrectly resolved in compose files instead of preserving ${VAR} references (#9147, fixes #9136)
• Fixed deployment issues with shell argument escaping in nixpacks commands (#9122, fixes #9042)
• Fixed GitHub webhook errors for unsupported event types (#9119, fixes #9090)
• Fixed server limit checks when using API tokens (#9123, fixes #9116)
• Fixed hostname validation to be case-insensitive and allow more characters (#9134, fixes #9131)
• Fixed duplicate subscription creation
• Fixed environment variable refresh when variables are missing or stale
• Fixed Docker cleanup logging when server is unreachable

New Services & Templates

• Added EspoCRM one-click service template (#8658)

Improvements

• Improved mobile responsiveness for confirmation modals
• Simplified Docker installation process
• Added storage API endpoints with UUID support for databases and services
• Added Nightwatch monitoring support
• Disabled Booklore service template (#9105)
• Bumped Sentinel and Traefik versions

What's Changed (Github)

• fix(github-webhook): handle unsupported event types gracefully by @andrasbacsai in #9119
• fix(deployment): properly escape shell arguments in nixpacks commands by @andrasbacsai in #9122
• fix(validation): make hostname validation case-insensitive and expand allowed name characters by @andrasbacsai in #9134
• fix(team): resolve server limit checks for API token authentication by @andrasbacsai in #9123
• chore(service): disable Booklore service by @Cinzya in #9105
• Add EspoCRM, provided by the official team by @tmachyshyn in #8658
• fix(parsers): preserve ${VAR} references in compose instead of resolving to DB values by @andrasbacsai in #9147
• fix(proxy): validate stored config matches proxy type by @andrasbacsai in #9146
• v4.0.0-beta.470 by @andrasbacsai in #9139

New Contributors

• @tmachyshyn made their first contribution in #8658

Full Changelog: v4.0.0-beta.469...v4.0.0-beta.470

What's Changed

Security & Fixes

• Fixed sporadic SSH "permission denied" errors during key rotation (#8990, fixes #7724)
• Fixed deployment failures when build server is enabled during restart operations (#9045, fixes #9013)
• Fixed breadcrumb queries causing out-of-memory crashes (#9048, fixes #9009)
• Fixed GitHub App webhook endpoint defaulting to IPv4 instead of instance domain (#8948)
• Fixed Hoppscotch service failing to start due to database health check (#8949)
• Fixed Docker Compose not respecting preserveRepository for project directory (#8956, fixes #8953)
• Fixed backup error when S3 storage is missing or deleted (#9038, fixes #9035)
• Fixed Stripe subscription error handling and resilience (#9030)
• Fixed Heyform template configuration (#8747)
• Fixed API resource UUID extraction from route parameters
• Fixed Docker cleanup stale container warning on cloud instances
• Fixed Compose file-not-found error now includes git branch info

New Services & Templates

• Added LibreSpeed service for self-hosted speed testing (#8626)
• Added imgcompress service for offline image processing (#8763)
• Updated Databasus to v3.16.2 (#8586)
• Updated n8n with Postgres and Worker to v2.10.4 (#8807)
• Updated SeaweedFS images to v4.13 (#8738)
• Fixed Castopod service port from 8000 to 8080 (#8817)

Improvements

• Added per-volume control of PR suffix in preview deployments (#9006, fixes #7802, fixes #7343)
• Added auto-population of FQDN from docker_compose_domains for compose previews (#8963, fixes #8958)
• Added force deletion option for servers with existing resources (#8962)
• Added auto-fetch of server metadata after validation (#8964)
• Added container label escape control to services API (#8955, fixes #8954)
• Added database environment variable management API endpoints
• Added storage management API endpoints for applications and backup schedules
• Added support for comments in bulk environment variable API endpoints
• Added placeholder hints for magic environment variables
• Added next billing date and billing interval display for subscriptions
• Added cache-based deduplication for delayed cron execution
• Simplified environment variable settings by removing buildtime/runtime options

What's Changed (Github)

• fix(git): GitHub App webhook endpoint defaults to IPv4 instead of the instance domain by @ShadowArcanist in #8948
• feat(service): update n8n-with-postgres-and-worker to 2.10.4 by @michachan in #8807
• Change Castopod service port from 8000 to 8080 by @SeriousM in #8817
• fix(service): hoppscotch fails to start due to db unhealthy by @ShadowArcanist in #8949
• fix(api): allow is_container_label_escape_enabled in service operations by @andrasbacsai in #8955
• fix(docker-compose): respect preserveRepository when injecting --project-directory by @andrasbacsai in #8956
• feat(server): allow force deletion of servers with resources by @andrasbacsai in #8962
• feat(compose-preview): populate fqdn from docker_compose_domains by @andrasbacsai in #8963
• feat(server): auto-fetch server metadata after validation by @andrasbacsai in #8964
• feat(templates): Add imgcompress service, for offline image processing by @ariqpradipa in #8763
• fix(template): fix heyform template by @iMuFeng in #8747
• chore(service): Update SeaweedFS images to version 4.13 by @FabioHAraujo in #8738
• feat(service): Add librespeed by @diogo24m in #8626
• feat(service): update databasus to v3.16.2 by @Luzefiru in #8586
• fix(preview): enable per-volume control of PR suffix in preview deployments by @andrasbacsai in #9006
• fix: prevent sporadic SSH permission denied on key rotation by @pannous in #8990
• fix(stripe): add error handling and resilience to subscription operations by @andrasbacsai in #9030
• fix(backup): throw explicit error when S3 storage missing or deleted by @andrasbacsai in #9038
• perf(breadcrumb): optimize queries and simplify navigation to fix OOM by @andrasbacsai in #9048
• fix(deployment): disable build server during restart operations by @andrasbacsai in #9045
• v4.0.0-beta.469 by @andrasbacsai in #9007

New Contributors

• @michachan made their first contribution in #8807
• @SeriousM made their first contribution in #8817
• @FabioHAraujo made their first contribution in #8738
• @pannous made their first contribution in #8990

Full Changelog: v4.0.0-beta.468...v4.0.0-beta.469

What's Changed

Security & Fixes

• Fixed SSH connection retry failures during deployments (#8927, fixes #8926)
• Fixed deployment type selection when using GitHub/GitLab Apps (#8934, fixes #8917)
• Fixed deployment authorization endpoint returning incorrect 404 errors (#8931, fixes #8925)
• Fixed shared variables not resolving in Docker Compose environments (#8930, fixes #8918)
• Fixed SSH keys not being used for git submodule and LFS operations (#8933, fixes #8895)
• Added support for scoped npm packages in file path validation (#8928, fixes #8924)

Improvements

• Added log filtering capability based on log level in deployment logs (#8784)

What's Changed (Github)

• fix(ssh): remove undefined trackSshRetryEvent() method call by @andrasbacsai in #8927
• fix(validation): support scoped packages in file path validation by @andrasbacsai in #8928
• fix(parsers): resolve shared variables in compose environment by @andrasbacsai in #8930
• fix(api): cast teamId to int in deployment authorization check by @andrasbacsai in #8931
• fix(git-import): ensure ssh key is used for fetch, submodule, and lfs operations by @andrasbacsai in #8933
• feat(ui): add log filter based on log level by @ShadowArcanist in #8784
• fix(application): clarify deployment type precedence logic by @andrasbacsai in #8934
• v4.0.0-beta.468 by @andrasbacsai in #8929

Full Changelog: v4.0.0-beta.467...v4.0.0-beta.468

What's Changed

Security & Fixes

• Fixed command injection vulnerability in health check commands (#8898)
• Added path validation to prevent command injection in file locations
• Fixed environment variables being overwritten when changing service domains (#8915, fixes #8912)
• Fixed Nixpacks deployment failures when application has no domain set (#8902, fixes #6830)
• Fixed resource deletion failing silently in the danger zone (#8909, fixes #8836)
• Fixed scheduled task input fields losing focus while editing (#8654, fixes #8647)
• Added docker_cleanup parameter to API stop endpoints (#8899, fixes #7758)

Improvements

• Added GitLab source integration with SSH deploy keys and HTTP basic auth (#8910, fixes #5295)
• Added database-backed proxy config storage with automatic recovery and versioned backups (#8905, fixes #7178)
• Added server metadata collection and display

What's Changed

• fix(security): sanitize newlines in health check commands to prevent RCE by @andrasbacsai in #8898
• fix: prevent scheduled task input fields from losing focus by @sharkcreep87 in #8654
• fix(api): add docker_cleanup parameter to stop endpoints by @andrasbacsai in #8899
• fix(deployment): filter null and empty environment variables from nixpacks plan by @andrasbacsai in #8902
• feat(proxy): add database-backed config storage with disk backups by @andrasbacsai in #8905
• fix(livewire): add error handling and selectedActions to delete methods by @andrasbacsai in #8909
• feat(git-sources): add GitLab integration and URL encode credentials by @andrasbacsai in #8910
• fix(parsers): use firstOrCreate instead of updateOrCreate for environment variables by @andrasbacsai in #8915
• v4.0.0-beta.467 by @andrasbacsai in #8911

New Contributors

• @sharkcreep87 made their first contribution in #8654

Full Changelog: v4.0.0-beta.466...v4.0.0-beta.467

What's Changed

Security & Fixes

• Prevent command injection via base64-encoding log drain environment variables
• Prevent command injection via git reference validation
• Add sentinel token validation to prevent command injection
• Require write permission for API validation endpoints
• Prevent false container exits on failed docker queries (#8860)
• Track last_online_at and reset database restart state
• Preserve user-saved environment variables on Docker Compose redeploy (#8894)
• Fix build-time environment variables breaking Next.js (#8890)
• Prevent command injection in developer view shared variables (#8889)
• Make confirmation modal close after dispatching Livewire actions (#8892)
• Respect keep for rollback setting for Nixpacks build images (#8859)

Dependencies

• Bump rollup from 4.57.1 to 4.59.0 (#8691)
• Bump league/commonmark from 2.8.0 to 2.8.1 (#8793)

What's Changed

• fix(docker-cleanup): respect keep for rollback setting for Nixpacks build images by @andrasbacsai in #8859
• fix(docker): prevent false container exits on failed docker queries by @andrasbacsai in #8860
• build(deps): bump rollup from 4.57.1 to 4.59.0 by @dependabot[bot] in #8691
• build(deps): bump league/commonmark from 2.8.0 to 2.8.1 by @dependabot[bot] in #8793
• fix: prevent command injection and fix developer view shared variables error by @andrasbacsai in #8889
• fix: Build-time environment variables break Next.js by @andrasbacsai in #8890
• fix(modal): make confirmation modal close after dispatching Livewire actions by @andrasbacsai in #8892
• fix(parser): preserve user-saved env vars on Docker Compose redeploy by @andrasbacsai in #8894
• v4.0.0-beta.466 by @andrasbacsai in #8893

Full Changelog: v4.0.0-beta.465...v4.0.0-beta.466

What's Changed

Security & Fixes

• Fixed WebSocket connection and host authorization issues in terminal (#8862, fixes #8856)
• Fixed environment variable parser capturing trailing braces in bash-style defaults (#8855, fixes #8851)
• Fixed confirmation modal staying open after database import/restore (#8697, fixes #8689)
• Fixed nginx.conf mounting error in development mode (#8662)
• Fixed docker-compose deployment with custom start commands and preserveRepository setting (#8848, fixes #8417)
• Fixed preview deployment page visibility for deploy key applications (#8579)

Improvements

• Added configurable timeout for public database TCP proxy connections (#8673, fixes #7743)

What's Changed

• fix: enable preview deployment page for deploy key applications by @mauritsderuiter95 in #8579
• fix(docker-compose): respect preserveRepository setting when executing start command by @andrasbacsai in #8848
• fix(proxy): mounting error for nginx.conf in dev by @Cinzya in #8662
• feat: add configurable proxy timeout for public database TCP proxy by @brendanlim in #8673
• fix(database): close confirmation modal after database import/restore by @devrim-1283 in #8697
• fix(env-parser): capture clean variable names without trailing braces in bash-style defaults by @andrasbacsai in #8855
• fix(terminal): resolve WebSocket connection and host authorization issues by @andrasbacsai in #8862
• v4.0.0-beta.465 by @andrasbacsai in #8853

New Contributors

• @mauritsderuiter95 made their first contribution in #8579
• @brendanlim made their first contribution in #8673
• @devrim-1283 made their first contribution in #8697

Full Changelog: v4.0.0-beta.464...v4.0.0-beta.465

What's Changed

Security & Fixes

• Fixed SSH command injection vulnerability (#8748)
• Resolved 419 session errors with Cloudflare Tunnels and domain-based access (#8749, fixes #5404)
• Fixed SSH directory permission issues during upgrades (#8635, resolves #6621)
• Added SSH directory permission auto-fix for new installations (#8635)
• Prevented command injection in certificate handling via base64 encoding (#8617)
• Hardened Docker command execution with centralized escaping (#8615)
• Prevented command injection in health check commands (#8611)
• Fixed cross-tenant IDOR vulnerability in resource cloning (#8613)
• Added IPv6 CIDR support for API access IP allowlist (#8750, fixes #8729)
• Fixed proxy initialization with IPv6 networks on Docker 25+ (#8703, fixes #8649)
• Fixed CSRF redirect loop during 2FA authentication (#8596)
• Corrected API permission requirements for POST endpoints (#8600)
• Added team authorization checks to domains_by_server API (#8616)
• Fixed Cloudreve service data persistence across restarts (#8740)
• Fixed Ente Photos join link configuration (#8727)
• Fixed application rollback to use correct commit SHA (#8576)
• Fixed deployment detection for BuildKit and secrets (#8565)
• Resolved team lookup for service relationships (#8559, fix #8431)
• Added webhook notification status validation (#8557, fix #8448)
• Fixed deploy key handling when private_key_id is zero (#8563, fixes #8562)
• Fixed Redis/KeyDB config permissions with custom configurations (#8561, fix #8539)
• Fixed password field UI flash before Alpine.js initialization (#8599, closes #8592)
• Fixed GlitchTip webdashboard loading issue (#8249)
• Fixed Grist service template configuration (#8384)
• Fixed API documentation schema references (#8239, closes #8229)

New Services & Templates

• Added Pydio Cells service (#8323)
• Added Sure service (#8157)
• Added Spacebot service with custom logo support (#8427)
• Updated N8N templates to 2.10.2 (#8679)
• Upgraded Beszel and Beszel Agent to v0.18 (#8513)
• Disabled Plane service in template suite (#8580)
• Disabled Pterodactyl Panel and Wings from service templates (#8512)
• Disabled Minio Community Edition from service templates (#8686)
• Disabled Maybe service in template suite (#8167)

Features & Improvements

• Added refund and cancellation management for subscriptions (#8637)
• Added comment field support to environment variables (#7269, fix #7239)
• Added command-based health check support for services (#8612)
• Added scheduled job monitoring dashboard (#8433)
• Added scheduled tasks CRUD API with authentication and validation (#8428)
• Made Horizon max time configurable (#8560, fix #8435)
• Fixed Soketi host binding for IPv6 support (#8619, closes #8584)
• Fixed scheduler self-healing for stale Redis locks with UI detection (#8618, fixes #8327)
• Fixed Traefik service label handling for force HTTPS (#8550)
• Improved security by hardening deployment paths and deploy abilities (#8549)
• Fixed queue timeout handling in Horizon gracefully (#8360)
• Fixed missing status variable in Hetzner status checks (#8359)
• Fixed container filtering in push server job (#8361)
• Improved proxy error handling on port allocation failure (#8362)
• Enhanced SSH error tracking with proper Sentry scoping (#8363)

UI & Developer Experience

• Added container labels header to UI (#8752)
• Improved project heading navigation spacing (#8564)
• Fixed datalist border color and added repository selection watcher (#8240)
• Fixed Docker Compose force HTTPS preference behavior (#8424)
• Migrated test suite to SQLite in-memory with Pest browser testing (#8364)