Valentin Lobstein 121511523f Fix: CVE-2026-39912 - Magic link token leak in loginWithMailLink (#873) ...

The loginWithMailLink endpoint returns the magic login link in the
HTTP response body, allowing unauthenticated account takeover.

The fix returns true instead of the link. The email delivery is
the authentication factor.

Bug inherited from V2Board commit bdb10bed (2022-06-27).

2026-04-10 02:44:20 +08:00

..

Console

feat: implement email case-insensitive queries (fix #318)

2026-03-28 07:09:21 +08:00

Contracts

feat: add AnyTLS support and improve system functionality

2025-05-22 17:58:22 +08:00

Exceptions

fix: resolve PHPStan static analysis warnings

2025-05-07 19:48:19 +08:00

Helpers

fix(runtime): force app_url/force_https per-request via middlewar

2026-03-19 04:22:17 +08:00

Http

Revert "feat: Track user traffic per node (server_id)"

2026-03-30 18:17:27 +08:00

Jobs

Revert "feat: Track user traffic per node (server_id)"

2026-03-30 18:17:27 +08:00

Models

Revert "feat: Track user traffic per node (server_id)"

2026-03-30 18:17:27 +08:00

Observers

feat: introduce WebSocket sync for XBoard nodes

2026-03-15 09:49:11 +08:00

Protocols

Loon和Surfboard适配anytls (#854)

2026-04-02 15:47:41 +08:00

Providers

fix(runtime): force app_url/force_https per-request via middlewar

2026-03-19 04:22:17 +08:00

Scope

Initial commit

2023-11-17 14:44:01 +08:00

Services

Fix: CVE-2026-39912 - Magic link token leak in loginWithMailLink (#873)

2026-04-10 02:44:20 +08:00

Support

feat: Trojan Reality support and protocol distribution optimizations

2026-03-23 14:56:41 +08:00

Traits

fix: read plugin enabled from DB for consistency

2026-01-02 18:30:21 +08:00

Utils

Merge pull request #786 from lithromantic/master

2026-03-30 13:05:39 +08:00

WebSocket

fix: use ServerService::getServer() for node lookup in WebSocket

2026-03-26 03:51:58 +08:00