X-Git-Url: https://git.p6c8.net/jirafeau/jirafeau.git/blobdiff_plain/eae7f48e501c8709a049d291069bc37150ecc1a1..refs/merge-requests/27/head:/CHANGELOG.md diff --git a/CHANGELOG.md b/CHANGELOG.md index c3e5aba..d06a0bc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,12 @@ - ... +## Version 4.6.3 + +- Fixed the possibility to bypass the checks for [CVE-2022-30110](https://www.cve.org/CVERecord?id=CVE-2022-30110) and [CVE-2024-12326](https://www.cve.org/CVERecord?id=CVE-2024-12326) (prevent preview of SVG images and other critical files) by sending a manipulated HTTP request with a MIME type like "image/png,text/html". When doing the preview, the MIME type "text/html" takes precedence and you can execute for example JavaScript code. This issue has subsequently been reported as [CVE-2025-7066](https://www.cve.org/CVERecord?id=CVE-2025-7066). +- Compare password hashes using `hash_equals()` +- Upgrade from 4.6.2: in-place upgrade + ## Version 4.6.2 - Allow to configure the language and the availabilities for files for a Docker container (issue [#20](https://gitlab.com/jirafeau/Jirafeau/-/issues/20))
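Review bot: The Version 4.6.3 entry describes the bypass (a request whose MIME type is "image/png,text/html", where "text/html" takes precedence at preview time) but does not say how the check behaves after the fix, so a reader cannot tell whether multi-valued MIME type values are now rejected outright or whether only a single type is honoured; adding one clause stating the new behaviour would let administrators verify the fix against their own instance. The second bullet, "Compare password hashes using `hash_equals()`", should name which comparison was switched (admin login, per-file download password, or both), since that is what upgraders will want to audit. Otherwise the entry reads well: it links all three CVE records and the "Upgrade from 4.6.2: in-place upgrade" line follows the convention of the 4.6.2 section below it.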