Changelog
Dropped support
Starting with 2026.1, the following platforms are no longer supported:
- SQL Server 2017 — please upgrade to SQL Server 2019 or later.
- Windows Server 2016 — please upgrade to Windows Server 2019 or later.
Both products have reached end of life from Microsoft.
Python 3.11.15
Lime CRM now ships with its own build of Python 3.11.15 that can be downloaded and installed on the server. See the installation guide for more information.
Included services and frameworks
The following component versions originally shipped with 2026.1:
- Elastic Search - 8.19.13
- EmailEngine - 2.58.1 (opt-out)
- Erlang OTP - 26.2.5.18
- LDC - 12.9.3161
- Microsoft ODBC Driver 18 for SQL Server (MSODBCSQL18) - 18.6.1.1
- Microsoft OLE DB Driver 19 for SQL Server - 19.4.1
- Microsoft Visual C++ 2015 x64 Redistributable (VC Redist) - 14.50.35719
- Microsoft Visual C++ 2015 x86 Redistributable (VC Redist) - 14.50.35719
- Nginx for Windows - 1.29.3.1 SnowDrop
- NSSM - 2.21-134
- RabbitMQ Server - 3.13.7
- Redis - 8.2.2
- WinSW - 2.12.0
Security fixes (CVEs) in updated components
Elastic Search (8.19.5 → 8.19.13)
| CVE | Fixed In | Severity | Description |
|---|---|---|---|
| CVE-2025-37731 | 8.19.8 | Medium (6.8) | PKI realm authentication bypass / user impersonation |
| CVE-2025-68390 | 8.19.8 | Medium (4.9) | DoS via snapshot restore memory exhaustion |
| CVE-2025-32434 | 8.19.8 | High (7.2) | PyTorch deserialization leading to RCE in ML model loading |
| CVE-2025-68384 | 8.19.9 | Medium (6.5) | DoS via oversized user settings |
| CVE-2025-66566 | 8.19.10 | High (8.4) | LZ4 library information disclosure via transport layer |
Erlang OTP (26.2.5.15 → 26.2.5.18)
CVEs marked with an asterisk (\*) were already addressed in 2025.3 Patch 3 (Erlang OTP 26.2.5.17).
| CVE | Fixed In | Severity | Description |
|---|---|---|---|
| CVE-2025-48038* | 26.2.5.15 | - | SFTP oversized file handle rejection |
| CVE-2025-48039* | 26.2.5.15 | - | SFTP max path length enforcement |
| CVE-2025-48040* | 26.2.5.15 | - | SSH KEX algorithm list overflow |
| CVE-2025-48041* | 26.2.5.15 | - | SFTP file handle exhaustion |
| CVE-2016-1000107* | 26.2.5.15 | - | httpoxy vulnerability in inets httpd |
| CVE-2026-21620* | 26.2.5.17 | Low (2.3) | TFTP path traversal |
| CVE-2026-23941 | 26.2.5.18 | High (7.0) | HTTP request smuggling in inets httpd |
| CVE-2026-23942 | 26.2.5.18 | Medium (5.3) | SFTP root escape via prefix matching |
| CVE-2026-23943 | 26.2.5.18 | Medium (6.9) | SSH DoS via unbounded zlib inflate |
Nginx (1.29.1.1 → 1.29.3.1)
| CVE | Fixed In | Severity | Description |
|---|---|---|---|
| CVE-2025-53859 | 1.29.1 | Low | Buffer overread in ngx_mail_smtp_module — memory disclosure to auth server |
Microsoft Visual C++ Redistributable (14.40.33810.0 → 14.50.35719)
| CVE | Severity | Description |
|---|---|---|
| CVE-2024-43590 | High (7.8) | Installer elevation of privilege — local attacker could gain SYSTEM privileges |