This is a security release.

• (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
• (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
• (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
• (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
• (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
• (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
• (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
• (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
• (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
• (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low
• (CVE-2026-48936) permission: guard pipe open and chmod with net scope (RafaelGSS) – Low

• [98fbc89211] - (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) nodejs-private/node-private#878
• [110840f2c7] - deps: update llhttp to 9.4.2 (Antoine du Hamel) nodejs-private/node-private#890
• [8d36d522b2] - deps: update undici to 8.5.0 (Node.js GitHub Bot) #63903
• [2e6d03993a] - deps: update undici to 8.4.0 (Node.js GitHub Bot) #63779
• [5a17d5b07a] - deps: update archs files for openssl-3.5.7 (Node.js GitHub Bot) #63820
• [362725d4e5] - deps: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) #63820
• [bd1214ab01] - (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) nodejs-private/node-private#868
• [bc0b53813e] - (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) nodejs-private/node-private#846
• [87d847bc70] - (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) nodejs-private/node-private#855
• [9308084fcb] - (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) nodejs-private/node-private#867
• [a67dd46891] - (CVE-2026-48936) permission: guard pipe open and chmod with net scope (RafaelGSS) nodejs-private/node-private#885
• [7057c3f16c] - (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) nodejs-private/node-private#873
• [6bc17a6b51] - (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) nodejs-private/node-private#870
• [c8668beff8] - test: add session reuse host verification regressions (Matteo Collina) nodejs-private/node-private#854
• [d1be630415] - (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) nodejs-private/node-private#854
• [a14c158bb3] - (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) nodejs-private/node-private#857
• [ebda73470d] - (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) nodejs-private/node-private#869

This is a security release.

• (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
• (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
• (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
• (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
• (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
• (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
• (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
• (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
• (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
• (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
• (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low

• [9e4dfc7bba] - (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) nodejs-private/node-private#878
• [cb2aed980c] - deps: update llhttp to 9.4.2 (Antoine du Hamel) nodejs-private/node-private#890
• [a8a0d12875] - (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 (Tim Perry) #62891
• [66e6203c1c] - (SEMVER-MAJOR) deps: update nghttp2 to 1.69.0 (Node.js GitHub Bot) #62891
• [dd627ced27] - deps: update archs files for openssl-3.5.7 (Node.js GitHub Bot) #63820
• [684bae568f] - deps: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) #63820
• [3a631e7f83] - deps: fix aix implicit declaration in OpenSSL (Abdirahim Musse) #62656
• [cf44df3996] - deps: update undici to 7.28.0 (Node.js GitHub Bot) #63703
• [138c70294b] - (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) nodejs-private/node-private#868
• [be7e719c3f] - (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) nodejs-private/node-private#846
• [cc7c11b4d1] - (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) nodejs-private/node-private#855
• [9224427b92] - (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) nodejs-private/node-private#867
• [cf85d54839] - (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) nodejs-private/node-private#873
• [a1bbc24f96] - (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) nodejs-private/node-private#870
• [e3723ff2d6] - test: add session reuse host verification regressions (Matteo Collina) nodejs-private/node-private#854
• [a77af4867b] - (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) nodejs-private/node-private#854
• [31beb4f707] - (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) nodejs-private/node-private#857
• [8e75c73f91] - (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) nodejs-private/node-private#869

This is a security release.

• (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
• (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
• (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
• (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
• (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
• (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
• (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
• (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
• (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
• (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
• (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low

• [38b4c5ed51] - (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) nodejs-private/node-private#878
• [ad8a10c1bb] - deps: update llhttp to 9.4.2 (Antoine du Hamel) nodejs-private/node-private#890
• [ca825a87cc] - deps: update undici to 6.27.0 (aduh95) #63711
• [a1a5bb9683] - (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 (Tim Perry) #62891
• [0f48583512] - (SEMVER-MAJOR) deps: update nghttp2 to 1.69.0 (Node.js GitHub Bot) #62891
• [38c869fc05] - deps: update nghttp2 to 1.68.0 (nodejs-github-bot) #61136
• [290667c84f] - deps: update nghttp2 to 1.67.1 (nodejs-github-bot) #59790
• [c9f3da76aa] - deps: update nghttp2 to 1.66.0 (Node.js GitHub Bot) #58786
• [60890be563] - deps: update nghttp2 to 1.65.0 (Node.js GitHub Bot) #57269
• [5024c7d5d8] - deps: update archs files for openssl-3.5.7 (Node.js GitHub Bot) #63820
• [7f4eb5af2e] - deps: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) #63820
• [ebb4ec78a8] - deps: fix aix implicit declaration in OpenSSL (Abdirahim Musse) #62656
• [5763d40826] - deps: update llhttp to 9.4.1 (Node.js GitHub Bot) #63045
• [c551a51d0c] - (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) nodejs-private/node-private#868
• [0a22d40180] - (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) nodejs-private/node-private#846
• [c79968e108] - (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) nodejs-private/node-private#855
• [0c37bff2ff] - http2: fix DEP0194 message (KaKa) #58669
• [ea5dc6b529] - (SEMVER-MAJOR) http2: remove support for priority signaling (Matteo Collina) #58293
• [9b6af26132] - (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) nodejs-private/node-private#867
• [28dcd38864] - (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) nodejs-private/node-private#873
• [2f62693801] - (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) nodejs-private/node-private#870
• [1662a3ea09] - test: add session reuse host verification regressions (Matteo Collina) nodejs-private/node-private#854
• [718d5d0e2c] - test: skip test-fs-utimes-y2K38 on armv7 (Richard Lau) #63836
• [041185b61f] - test: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) #62238
• [fd890ba01d] - (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) nodejs-private/node-private#854
• [39d1d09684] - (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) nodejs-private/node-private#857
• [2197a47144] - (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) nodejs-private/node-private#869

Apache Superset is a modern, enterprise-ready business intelligence web application

nginx-1.30.3 stable version has been released, with fixes for buffer overflow vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module (CVE-2026-42055), and buffer overread vulnerability in the ngx_http_charset_module (CVE-2026-48142).

See official CHANGES-1.30 on nginx.org.

Below is a release summary generated by GitHub.

• Nginx 1.30.3 with security fixes by @arut in https://github.com/nginx/nginx/pull/1475

Full Changelog: https://github.com/nginx/nginx/compare/release-1.30.2...release-1.30.3

nginx-1.31.2 mainline version has been released, with fixes for use-after-free vulnerability in the ngx_http_v3_module (CVE-2026-42530), buffer overflow vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module (CVE-2026-42055), and buffer overread vulnerability in the ngx_http_charset_module (CVE-2026-48142).

See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

• Use SipHash to speed up $request_id generation by @jimf5 in https://github.com/nginx/nginx/pull/1392
• SSL: add $ssl_sigalgs variable by @VadimZhestikov in https://github.com/nginx/nginx/pull/1361
• Xslt: fixed handle vsnprintf return value by @afonot in https://github.com/nginx/nginx/pull/747
• GH: remove the set-creation-date.yaml workflow by @ac000 in https://github.com/nginx/nginx/pull/1435
• Split clients: improved calculation of range boundaries by @pluknet in https://github.com/nginx/nginx/pull/1334
• Style by @pluknet in https://github.com/nginx/nginx/pull/1440
• GH: Fix the whitespace checker workflow by @ac000 in https://github.com/nginx/nginx/pull/1453
• Secure link: Compare hashes in constant time by @sbhowmikf5 in https://github.com/nginx/nginx/pull/1433
• Access log: Fix "request_length" format length by @nitin9977 in https://github.com/nginx/nginx/pull/1432
• Updated OpenSSL used for win32 builds by @pluknet in https://github.com/nginx/nginx/pull/1469
• Nginx 1.31.2 with security fixes (HTTP/2 proxy, grpc, HTTP/3, charset) by @arut in https://github.com/nginx/nginx/pull/1474

• @afonot made their first contribution in https://github.com/nginx/nginx/pull/747
• @sbhowmikf5 made their first contribution in https://github.com/nginx/nginx/pull/1433
• @nitin9977 made their first contribution in https://github.com/nginx/nginx/pull/1432

Full Changelog: https://github.com/nginx/nginx/compare/release-1.31.1...release-1.31.2

See the release notes at https://prestodb.io/docs/current/release/release-0.298.1.html

This release fixes multiple security issues.

• [SECURITY] STACKIT SD: Fix secrets being exposed in plaintext via /-/config endpoint. Thanks to @August829 and @Phaxma for reporting. GHSA-39j6-789q-qxvh #18650
• [SECURITY] Dependencies: Bump golang.org/x/net to v0.55.0 and OpenTelemetry to v1.43.0 to fix reported CVEs (GO-2026-5026, GO-2026-4918, GO-2026-4985). #18934
• [SECURITY] UI: Bump mantine-ui dependencies (react-router-dom, vitest, vite, postcss) to their patched versions to resolve security advisories. #18935
• [ENHANCEMENT] Release: Container images are now also published to the GitHub Container Registry (ghcr.io). #18792

The following are some highlighted updates with the newest release for InfluxDB 3 Core and Enterprise. Learn more via our full Release Notes.

Catalog v3: The on-disk catalog automatically migrates to a compact binary format (~5–6x smaller than v2) on first startup. Migration is automatic, idempotent, and crash-safe. Back up {prefix}/catalogs/ and {prefix}/_catalog_checkpoint before upgrading; the migration is one-way and 3.9.x binaries cannot read a v3 catalog.

Processing engine supports cross-database queries: Plugins can now read from any database using the database= keyword argument on influxdb3_local.query().

Processing engine now has trigger lockdown: New serve flags restrict plugin behavior; --restrict-plugin-triggers-to limits triggers to wal, schedule, or request, and --plugin-dir-only

GET /ready endpoint: Returns 200 OK when the server can reach object storage, 503 when it cannot; ideal for load balancer and orchestration readiness probes.

Always-on heap profiling: Enabled at startup with negligible overhead (~<1% CPU), accessible at the existing pprof endpoint. Disable with MALLOC_CONF=prof:false.

influxdb3 debug catalog: Inspect catalog state offline directly from object storage; no running server required.

All Core updates are included in Enterprise. The following are exclusive to Enterprise. Many of these require the new performance update preview (in beta); if using these features, they should not be included in production environments yet.

Row-level deletion: Delete rows by time range and tag predicates with influxdb3 delete rows. Deletion is asynchronous and applied by the compactor. Monitor with the system.row_deletes table. Requires --use-pacha-tree.

Backup and restore: Full backup and restore management via new influxdb3 create/status/show/delete/cancel backup and restore commands, plus matching /api/v3/enterprise/backup and /restore endpoints. Requires --use-pacha-tree and a compactor node with an admin token.

Bulk import: Import generic (non-IOx) Parquet files with influxdb3 import upload, mapping columns to InfluxDB types via --column flags. Track jobs with influxdb3 import list.

User auth and RBAC (preview): Multi-user authentication with username/password → JWTs, optional OAuth/OIDC, and three built-in roles (Admin, Auditor, Member). Off by default (--without-user-auth true).

Object-store license portability: Licenses are no longer bound to object-store config (type, bucket, endpoint, region) — validation enforces only signature, expiry, and licensed core count. You can move buckets or stores with the same license.

Observability: 36 new influxdb3_compactor_* Prometheus metrics, with influxdb3_compactor_snapshot_lag_seconds as the primary health signal.

• Catalog v3 migration is one-way: Back up your catalog before upgrading (see above).
• --pt-partition-count renamed to --pt-shard-count; there's no alias, so update startup scripts.
• /api/v2/write returns 403 (was 401) for valid tokens lacking write permission; line-protocol parse errors now return 400 (was 500).

• Compaction stability improvements (ingest-time, deadlock/write-amplification, gen1 orphaning, and upgrade-blocking fixes), plus several other bug fixes and performance improvements.

• Many other bug fixes and performance improvements

Full Changelog: https://github.com/influxdata/influxdb/compare/v3.9.3...v3.10.0

This is a maintenance release for Redis Search 2.10. Update urgency: LOW: No need to upgrade unless there are new features you want to use.

Bug Fixes

• #9938 Server can crash in fork GC when the last document with an empty TAG value is deleted from an INDEXEMPTY WITHSUFFIXTRIE field. (MOD-15996) • #10104 FT.SEARCH and FT.AGGREGATE return Unknown argument errors on 2.10 shards during rolling upgrades when a newer coordinator injects internal query arguments. (MOD-16047) • #9578 Server can crash when FT.CREATE is called with an extremely large number of arguments or fields. (MOD-6411) • #9810 FT.SYNUPDATE leaves the synonym map partially mutated when an update batch exceeds synonym or group-ID limits. (MOD-15402) • #9533 FT.INFO num_records grows without bound for indexes with vector fields because vector records were counted on insert but never decremented. (MOD-15487)