4.9.6 (2026-06-22)
Bug Fixes
- account takeover via email-based account linking (b75f13d)
- harden oidc state validation and session rotation (#1071) (b75f13d)
- missing fields when cloning a subscription (b75f13d)
- ssrf via oidc token/userInfo url configuration (b75f13d)
- ssrf via test email notification (b75f13d)
- zip slip path traversal in database restore writes files to webroot (b75f13d)