• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2026-03-08)

⚠️ ATTN: this release fixes a vulnerability

GHSA-m6hv-x64c-27mm the nohtml volflag did not prevent javascript inside SVG images from executing -- a malicious user with write-access could upload an SVG file which would execute as javascript when someone opens it 1c9f894

recent important news

• v1.20.9 (2025-02-25) fixed CVE-2026-27948 (XSS)

🧪 new features

• version-checker (thx @icxes!) c6965f0
  • default-disabled; you must choose a URL to grab security advisories from to enable it
  • periodically checks the security advisories and shows a warning in the controlpanel if you're running a vulnerable version
  • can optionally panic and shutdown the server if you prefer that
  • man, the timing on this though... absolute cinema

🩹 bugfixes

• fix nohtml not being aware that SVG images can execute javascript 1c9f894
  • a new volflag noscript was also added; nohtml will automatically enable noscript, but noscript can also be useful on its own; see readme
• various upload rules fixes:
  • #1335 rotf couldn't handle trailing slash (thx @NecRaul!) 8e20506
  • #1337 rotn didn't always count correctly (thx @NecRaul!) 23d4a62
  • rotn didn't apply to dupes 00e821d
• combining rp-loc and site was a bit jank (thx @new-sashok724!) 31b2384
• global-option idp-store: 2 would result in excessive config reloading 1272de9
• fix fd-leak when indexing certain compressed files, including epub books 8b5ac23
• forget-ip: fix sqlite cursor-locking 37123e3

🔧 other changes

• #1316 Chinese translation got a huge makeover (thx @satgo1546 and @lxdlam!) b015274
• #1324 better rclone advice on the connect-page 8941701
• static website resources, previously served from /.cpr/ have moved to /.cpr/w/ for easier configuration of allowlists in reverseproxies and authentication middlewares 753ff54

🌠 fun facts

• according to the SVG spec, images being able to execute javascript is a feature and intentional behavior... what a concept!

⚠️ not the latest version!

Part-DB 2.9.0

New feautures

• Sidebar trees keep track of page navigations. If you open a certain category, the treenode will be hightlighted
• Show a "Show password" toggle on all password inputs, including login form
• Made form fields wider on large monitors, to remove useless whitespace
• Reset opcache after update manager update (thanks @Sebbeben, PR #1288)
• Allow to create manual backups and download them from the WebUI (thanks @Sebbeben, PR #1255)
• Added user_barcode_filter to API (thanks @MayNiklas, PR #1280)
• Show manufacturing status in project BOM table (thanks @mkne, #1289)
• Create a part lot with quantity, user barcode and order number based on digikey, lcsc or mouser barcode, to reduce amount of manual input

Bug fixes

• Do not scroll sidebar to top, when clicking a tree node
• Fixed description field on KiCAD 9.0.5 and 9.0.6 (#1289)
• Generate correct url for part lots barcode content label placeholders (#1268)
• Correctly import files, where only children elements are specified and no parent field (#1272)
• Clear the input after selecting an option in tomselect (#1264)

Miscellaneous

• Updated dependencies

Full Changelog: v2.8.1...v2.9.0