This release includes a security-related update to address CVE-2026-33658 affecting file uploads via Active Storage. It also resolves compatibility issues with newer Redis connection pooling behavior, helping rate limiting and caching behave more reliably in production environments.

This release includes a targeted security update to address CVE-2026-33306 related to password hashing. It helps reduce the risk of exposure from the underlying vulnerability, with no expected changes to your day-to-day workflow.

This release removes third-party tracking and feedback scripts from the app and error pages, reducing external requests and tightening the set of allowed connections. It also avoids reporting transient GitHub server errors as alerts, keeping issue reporting focused on problems that need attention.

This release includes targeted security fixes across key libraries to help protect your app from issues like directory traversal, stored XSS, and SSRF. It also removes an unused rich text editor dependency to reduce exposure to a low-severity XSS risk and keep the frontend bundle leaner.

Links inside embedded changelog views now open in a new browser tab instead of navigating within the embed panel. This prevents navigation errors when users click links in embedded content, and adds safer link handling with noopener and noreferrer.

You can now request access to the REST API from Settings (available on Pro and Team plans), use new API documentation, and work with new authenticated endpoints for reading your changelog data. This release also strengthens security around previews, webhooks, and project access, and prevents accidental overwrites when multiple people edit the same entry.