Fixed unauthenticated IDOR on GET /activitypub/trail/{id} and GET /activitypub/comment/{id} — private records are now access-checked before being returned. (GHSA-9qg7-jr2x-prvh, reported by @de3erve-hunter)
Fixed stored XSS via waypoint.icon in map markers — the icon value is now validated against an allowlist before being passed to insertAdjacentHTML. (GHSA-hx3v-rv4v-w875, reported by @de3erve-hunter)
Fixed stored XSS via waypoint.name and waypoint.icon in the elevation profile — replaced unsafe innerHTML assignment with safe DOM construction. (GHSA-m7v2-6gj3-3g2p, reported by @de3erve-hunter)
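
The following is an added example, not the project's own code, showing the two XSS fixes described above for `waypoint.icon` and `waypoint.name`: exact-match allowlisting of the icon, and DOM construction with `textContent` in place of HTML string assignment. The allowlist entries, the `fa fa-` class prefix, the function names and the sample record are assumptions made for illustration.

```javascript
// Hypothetical allowlist of icon tokens (constructed for this example).
const ICON_ALLOWLIST = new Set(["flag", "campground", "mountain", "water", "circle"]);
const DEFAULT_ICON = "circle";

// Return the icon only when it is an exact member of the allowlist.
// Exact matching rejects any value carrying quotes, spaces or markup, so
// nothing user-controlled can break out of the class attribute.
function safeIcon(icon) {
  return typeof icon === "string" && ICON_ALLOWLIST.has(icon) ? icon : DEFAULT_ICON;
}

// Build the label node without ever parsing an HTML string.
// `doc` is the Document; it is a parameter so the function can run off-browser.
// Risky pattern this replaces: interpolating waypoint.icon / waypoint.name
// into a string passed to insertAdjacentHTML or assigned to innerHTML.
function buildWaypointLabel(doc, waypoint) {
  const wrapper = doc.createElement("div");
  wrapper.className = "waypoint-label";

  const icon = doc.createElement("i");
  // Only an allowlisted token ever reaches the class attribute.
  icon.className = "fa fa-" + safeIcon(waypoint.icon);

  const name = doc.createElement("span");
  // textContent stores the value as text; markup in it is never interpreted.
  name.textContent = String(waypoint.name ?? "");

  wrapper.appendChild(icon);
  wrapper.appendChild(name);
  return wrapper;
}

// Constructed hostile record, as a stored waypoint might look.
const hostileWaypoint = {
  name: "<img src=x onerror=alert(1)>",
  icon: 'flag"></i><img src=x onerror=alert(1)>',
};
```

In a browser, `buildWaypointLabel(document, hostileWaypoint)` yields an icon with class `fa fa-circle` and a span that displays the name as literal text.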