Elestio Catalog Updates: 21 Notable Releases This Week (May 24-31, 2026)

Quieter week than last one for splashy releases, but a critical Ghost CMS CVE means a lot of self-hosters need to drop everything and patch. We also got Prometheus 3.12, Uptime Kuma 2.4, a Directus 12 release candidate, fresh stable lines from Authentik, N8N, and Mattermost, and routine Nextcloud and Mautic point releases. Here's the rundown.

Security Alerts

Patch first, read second.

  • Ghost CMS, CVE-2026-26980 (CVSS 9.4). Critical SQL injection in Ghost versions 3.24.0 through 6.19.0, actively exploited in the wild with 700+ confirmed compromises. If you are on any version 6.19.0 or older, upgrade to 6.19.1+ today. Anyone running this week's 6.43.1 line is already protected. (Hacker News advisory)
  • Gitea, CVE-2026-27771. Last week's container-registry exposure still applies. Upgrade to 1.26.2 if you have not.

Databases

  • Redis 8.8.0 (May 25). New stable on the 8.x line with continued vector set improvements and Redis Functions 2.0 hardening.

AI & GPU

  • Langflow 1.9.5 (May 29). Follow-up patch to 1.9.4, smoothing recent flow editor performance issues and a handful of component-store fixes.

Development

  • Authentik 2026.5.2 (May 28). Patch release across three supported lines (2026.5.2, 2026.2.4, 2025.12.6) addressing flow-engine edge cases and a stack-tracing fix in policy bindings.
  • N8N 2.23.1 (May 28). Latest stable on the 2.x line, joining 2.22.5 LTS on the same day. Continued focus on credential-handling cleanup.
  • Strapi v5.47.0 (May 28). Adds new admin panel improvements, content-type builder polish, and a fresh batch of bug fixes across the plugins SDK.
  • Directus v12.0.0-rc.1 (May 29). First release candidate of Directus 12. Major version with schema migration improvements and an updated permission model. Test in staging, not production.
  • Hoppscotch 2026.5.0 (May 28). May feature release of the open-source API client. New collection-sharing improvements and continued WebSocket UI polish.
  • Meilisearch v1.45.1 (May 28). Patch on top of v1.45.0 (May 26). Index-rebuild speedups and a couple of geo-search fixes.

Hosting & Infrastructure

  • Prometheus v3.12.0 (May 28). Minor release on the 3.x line. Continued PromQL improvements, OTLP ingestion tuning, and TSDB compaction work.
  • Uptime Kuma 2.4.0 (May 31). Sunday drop. Continues the 2.x rebuild with new monitor types, theme refinements, and notification integrations.
  • Mailu 2024.06.52 (May 28). Maintenance release on the 2024.06 LTS line of the self-hosted email server suite.

Applications

  • Nextcloud 33.0.4 + 32.0.10 (May 28). Maintenance patches on both supported lines, plus the 34.0.0rc3 candidate for early testers.
  • Mattermost v11.7.2 (May 26). Latest stable, plus same-day patches to v11.6.4, v11.5.7, and the v10.11.19 ESR line.
  • Jellyfin v10.11.10 (May 24). Maintenance patch on the 10.11 line. Playback and metadata fixes.
  • Ghost v6.43.1 (May 29). Twice-weekly cadence continues with 6.41.1 (May 25), 6.42.0 (May 27), and 6.43.0/6.43.1 landing on May 29. Members and editor polish.
  • BookStack v26.05 (May 28). Monthly release. New shelf and page features, improved API endpoints, and the usual translation refresh.
  • Mautic 7.1.2 (May 28). Three-line drop: 7.1.2, 6.0.9, and 5.2.11. Stability and security fixes across all supported branches.
  • Element Web v1.12.20 (May 27). Matrix client update with v1.12.19 on the same day. Sliding sync stabilization and call UI improvements.
  • Wekan v9.32 (May 31). Follow-up to v9.31 (May 27). Board-search performance and CardKanban view fixes.
  • Matomo 5.10.1 (May 29). Patch on the 5.10 line of the privacy-friendly analytics platform.
  • Apache Airflow 3.2.2 (May 29). Patch on the 3.2 line. DAG processing and scheduler fixes.

What Stood Out This Week

1. The Ghost CVE is the headline. A CVSS 9.4 SQL injection sitting in Ghost for years, now actively exploited with 700+ confirmed compromises, is the kind of story that ends careers. If you self-host Ghost on a version older than 6.19.1, stop reading this and go upgrade. We are running 6.43.x on this blog and are protected.

2. Directus 12.0.0-rc.1 is a big deal. Major version jumps in headless CMS land are rare and usually break things. The RC is a chance to test schema migrations and permission changes before stable. Don't push to prod, but do spin up a staging instance and run your client schemas through it.

3. Authentik's three-line patch shows the LTS model working. Most projects let you stew on a vulnerable version when they release a new major. Authentik backported the same fix to 2026.5, 2026.2, and 2025.12 on the same day. That's how a serious identity provider should treat its installed base.

4. Mattermost's four-version patch wave. Same pattern: v11.7.2, v11.6.4, v11.5.7, and v10.11.19 all on the same day. If you delayed your last Mattermost upgrade, you have a clean path forward on whichever ESR line you're sitting on.

Deploy or Upgrade with One Click

Every service in this week's list is available as a one-click managed deployment on Elestio. Our infrastructure handles backups, SSL, and version updates so you can spend your weekend on things other than catching up on CVE patches.

Thanks for reading. See you next Sunday for the next round.