Patch 1
Bugfix
Lime CRM
- Improved reliability of OneDrive / Microsoft Graph file storage: request timeouts are now configurable, transient Graph errors are retried with backoff, and redirect handling during file download has been corrected.
- Warnings are now captured in the application log.
Installer
- Bundled installer executables (certtool.exe, BootstrapperUI.exe) are now code-signed, so they are no longer blocked by antivirus, EDR, or SmartScreen during installation.
Security & stability
- Bundled third-party components have been updated to their latest versions for improved security and stability: Elasticsearch, nginx, Erlang/OTP, Redis, and EmailEngine.
Security fixes (CVEs) in updated components
Elasticsearch (8.19.13 → 8.19.16)
No security advisories (CVEs) apply to the Elasticsearch component in this range — the updates contained only bug fixes and routine dependency upgrades.
Nginx (1.29.3 → 1.31.1)
| CVE | Fixed In | Severity | Description |
|---|---|---|---|
| CVE-2025-23419 | 1.29.4 | Medium (4.3) | TLSv1.3 SNI session reuse across virtual servers can bypass client SSL certificate verification |
| CVE-2026-1642 | 1.29.5 | Medium (5.9) | Plaintext data injection into the response from an SSL backend (upstream injection) |
| CVE-2026-27654 | 1.29.7 | Medium | Buffer overflow in ngx_http_dav_module on COPY/MOVE with the alias directive |
| CVE-2026-27784 | 1.29.7 | Medium | Buffer overflow / crash in ngx_http_mp4_module on 32-bit platforms |
| CVE-2026-32647 | 1.29.7 | Medium | Buffer overflow / crash in ngx_http_mp4_module on a crafted MP4 file |
| CVE-2026-27651 | 1.29.7 | Low | NULL pointer dereference (segfault) with CRAM-MD5 / APOP authentication |
| CVE-2026-28753 | 1.29.7 | Medium | PTR DNS record injection into auth_http and XCLIENT commands |
| CVE-2026-28755 | 1.29.7 | Medium | Stream SSL handshake succeeds despite OCSP client-certificate rejection (bypass) |
| CVE-2026-42926 | 1.31.0 | Medium (5.8) | HTTP/2 backend request/data injection via proxy_set_body in ngx_http_proxy_module |
| CVE-2026-42945 | 1.31.0 | High (8.1) | Heap buffer overflow in ngx_http_rewrite_module ("NGINX Rift"), potential RCE; exploited in the wild |
| CVE-2026-42946 | 1.31.0 | High | Heap buffer overread in SCGI/uWSGI modules causing oversized allocation / worker crash |
| CVE-2026-42934 | 1.31.0 | Medium | Heap buffer overread in ngx_http_charset_module (UTF-8 off-by-one across proxy buffers) |
| CVE-2026-40460 | 1.31.0 | Medium (6.5) | QUIC / HTTP/3 connection-migration address spoofing |
| CVE-2026-40701 | 1.31.0 | Medium | Use-after-free in resolver / ssl_ocsp DNS response processing |
| CVE-2026-9256 | 1.31.1 | High (8.1) | Heap buffer overflow in ngx_http_rewrite_module ("nginx-poolslip"), potential RCE; exploited in the wild |
Erlang/OTP (26.2.5.18 → 26.2.5.21)
| CVE | Fixed In | Severity | Description |
|---|---|---|---|
| CVE-2026-28808 | 26.2.5.19 | High (8.3) | inets/httpd: script_alias CGI mappings bypass directory-based access controls (auth bypass) |
| CVE-2026-28810 | 26.2.5.19 | Medium (6.3) | Built-in DNS resolver uses predictable transaction IDs with no source-port randomization, enabling cache poisoning |
| CVE-2026-32147 | 26.2.5.20 | Medium (5.3) | SFTP daemon stores raw user paths in file handles, allowing attribute modification outside the chroot |
| CVE-2026-42789 | 26.2.5.21 | High (7.0) | public_key: path-validation flaw accepts a non-CA certificate as an intermediate issuer (chain forgery) |
| CVE-2026-42790 | 26.2.5.21 | High (7.6) | public_key: legacy CommonName fallback can bypass domain validation in TLS hostname verification |
Redis (8.2.2 → 8.8.0)
| CVE | Fixed In | Severity | Description |
|---|---|---|---|
| CVE-2025-62507 | 8.2.3 | High (7.7) | Stack buffer overflow in XACKDEL with many stream IDs, potential RCE |
| CVE-2026-23479 | 8.2.6 | High (7.7) | Use-after-free in the unblock-client flow, potential RCE |
| CVE-2026-25243 | 8.2.6 | High (7.7) | Invalid memory access in RESTORE via a crafted serialized payload, potential RCE |
| CVE-2026-25588 | 8.2.6 | High (7.7) | Invalid memory access in RESTORE for the RedisTimeSeries module, potential RCE |
| CVE-2026-25589 | 8.2.6 | High (7.7) | Invalid memory access in RESTORE for the RedisBloom module, potential RCE |
| CVE-2026-23631 | 8.2.6 | Medium (6.1) | Lua use-after-free via the master-replica synchronization mechanism, potential RCE |
EmailEngine (2.58.1 → 2.67.1)
No CVEs were assigned to EmailEngine in this range. The releases included security hardening (bounce-parsing ReDoS protection, OAuth and passkey/authentication hardening, an open-redirect fix) and an update to Handlebars 4.7.9 that resolves a prototype-pollution vulnerability in that dependency.
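As an added check (example code, not part of these release notes or of any of the listed projects): given the version of a bundled component actually found on a server, list the CVEs from the tables above whose fix that version does not yet contain. The only data is the fixed-in versions transcribed from the tables; the component keys "nginx", "erlang-otp" and "redis" are this example's own labels.

```python
"""Added example, not part of the release notes: list the CVEs from the tables
above whose fix a given installed component version does not yet contain."""
from typing import List, Tuple

# Fixed-in version -> CVEs fixed there, per component, transcribed from the tables above.
FIXED_IN = {
    "nginx": {
        "1.29.4": ["CVE-2025-23419"],
        "1.29.5": ["CVE-2026-1642"],
        "1.29.7": ["CVE-2026-27654", "CVE-2026-27784", "CVE-2026-32647",
                   "CVE-2026-27651", "CVE-2026-28753", "CVE-2026-28755"],
        "1.31.0": ["CVE-2026-42926", "CVE-2026-42945", "CVE-2026-42946",
                   "CVE-2026-42934", "CVE-2026-40460", "CVE-2026-40701"],
        "1.31.1": ["CVE-2026-9256"],
    },
    "erlang-otp": {
        "26.2.5.19": ["CVE-2026-28808", "CVE-2026-28810"],
        "26.2.5.20": ["CVE-2026-32147"],
        "26.2.5.21": ["CVE-2026-42789", "CVE-2026-42790"],
    },
    "redis": {
        "8.2.3": ["CVE-2025-62507"],
        "8.2.6": ["CVE-2026-23479", "CVE-2026-25243", "CVE-2026-25588",
                  "CVE-2026-25589", "CVE-2026-23631"],
    },
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.29.3.1' -> (1, 29, 3, 1). The bundled nginx carries a fourth build
    component; version_lt pads with zeros so '1.29.4' compares as 1.29.4.0."""
    return tuple(int(part) for part in version.strip().split("."))


def version_lt(a: str, b: str) -> bool:
    """True when version a is strictly older than version b."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def unpatched_cves(component: str, installed: str) -> List[str]:
    """CVEs whose fixed-in version is newer than the installed one."""
    if component not in FIXED_IN:
        raise KeyError(f"no CVE data for component {component!r}")
    return sorted(cve for fixed, cves in FIXED_IN[component].items()
                  if version_lt(installed, fixed) for cve in cves)
```

Running it with the pre-patch versions from the "New versions" list below (nginx 1.29.3.1, Erlang/OTP 26.2.5.18, Redis 8.2.2) returns every CVE in the respective table; with the post-patch versions it returns an empty list.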
New versions
- lime-crm 2.1189.6 -> 2.1189.9
- lime-core 25.358.7 -> 25.358.11
- LDC 12.9.3161 -> 12.9.3462
- Elasticsearch 8.19.13 -> 8.19.16
- nginx 1.29.3.1 -> 1.31.1.1
- Erlang/OTP 26.2.5.18 -> 26.2.5.21
- Redis 8.2.2 -> 8.8.0
- EmailEngine 2.58.1 -> 2.67.1