Elestio Catalog Updates: 28 New Releases This Week (March 22-29, 2026)
Every week, the open-source projects in the Elestio catalog ship new versions — security patches, performance boosts, entirely new features. Keeping up is a full-time job. So we're doing it for you.
Here's everything that shipped across our 400+ managed services during the week of March 22-29, 2026. If you're running any of these on Elestio, now's a good time to check your versions.
Security Alerts
Before anything else — these need your attention:
- Grafana CVE-2026-27876 — Critical RCE via SQL expressions. Affects v11.6.0+ and v12.1.0+. Upgrade immediately.
- Langflow CVE-2026-33017 — CVSS 9.3 unauthenticated RCE, exploited in the wild within 20 hours. Fixed in v1.9.0+.
- Mastodon — Quote authorization bypass + open redirect. Patched in v4.5.8.
- BookStack — Role escalation via registration form manipulation. Patched in v26.03.2.
Databases
ClickHouse v26.3.2.3-lts (Mar 27) — Production-ready full-text search with native inverted indexes, QBit quantized vector type for ANN search, 3.2x faster RIGHT/FULL JOINs.
TimescaleDB v2.26.0 (Mar 24) — ColumnarIndexScan enabled by default (was experimental), smoother continuous aggregate refresh behavior.
Redis v8.6.2 (Mar 24) — Reply copy-avoidance for reduced memory copies, hash field/value struct unification, SCAN filter order restored.
Milvus v2.6.13 (Mar 23) — Replication topology inspection, configurable TLS for object storage, memory leak fixes in segment loading.
Weaviate v1.36.7 (Mar 25) — HFresh vector index (preview), 5 features graduated to GA including async replication and object TTL.
AI & GPU
Dify v1.13.3 (Mar 27) — Human-in-the-Loop workflows, execution engine upgrades, regression fixes for LLM plugin invocations.
Langflow v1.8.3 (Mar 26) — Global model provider setup, V2 API endpoints (beta), critical CVE-2026-33017 security patch.
Open WebUI v0.8.12 (Mar 27) — Terminal server verification routed through backend to prevent API key exposure and CORS errors.
FlowiseAI v3.1.1 (Mar 23) — JSON/Code/SelectVariable input types, Markdown RichInput with edit/source toggle, GPT-5.4-mini and GPT-5.4-nano models.
Ollama v0.18.3 (Mar 25) — Cloud model listing fixes, GLM tool call fix, improved proxy stream stability.
LobeChat v2.1.46 (Mar 26) — Notification system with delivery tracking, BM25 full-text search with ICU tokenizer, agent document storage.
Gradio v6.10.0 (Mar 24) — New Server mode (gradio.Server), Prediction CLI commands, core themes.
Development Tools
GitLab v18.10.1 (Mar 25) — Critical security and bug fix patch, database migrations included.
Jenkins v2.556 (Mar 24) — Spring Security v7 upgrade, experimental Run UI API.
N8N v2.13.4 (Mar 26) — AI Agent Node MCP tool call fix, non-blocking webhook cache writes for better performance.
Directus v11.17.0 (Mar 24) — Background data imports with configurable timeout (1h default), build performance boost via oxc-transform.
Meilisearch v1.40.0 (Mar 23) — mimalloc v3 significantly cuts memory usage, federated search ~100ms faster, new task compaction endpoint.
Hasura v2.48.14 (Mar 25) — Fixed gzipped response GC pauses, event trigger duplication, MySQL self-referencing table queries.
Appsmith v1.98 (Mar 23) — Redis TLS support, table row color styling properties, SQL injection prevention fix.
Zitadel v4.13.0 (Mar 23) — Webkeys upgraded to v2, HTTP/2 memory leak fix, pre-user-creation org existence checks.
ToolJet v3.20.133-lts (Mar 27) — Multiple LTS patches throughout the week.
Hosting & Infrastructure
Grafana v12.4.2 (Mar 25) — CRITICAL: CVE-2026-27876 — SQL expressions allowed arbitrary file writes leading to RCE. Upgrade now.
Portainer v2.40.0 (Mar 25) — Custom banners for environment groups, experimental Docker Compose-to-Kubernetes migration via Kompose.
Loki v3.7.0 (Mar 26) — New loki health command, Promtail deprecated in favor of Grafana Alloy, Helm chart moved to community maintenance.
Applications
Metabase v0.59.3 (Mar 23) — Data Studio, AI SQL generation now available in open-source edition, box-and-whisker plots.
Ghost v6.24.0 (Mar 27) — Transistor.fm podcast embedding integration, comment fingerprint blocker workaround.
Nextcloud v33.0.1 (Mar 26) — File search improvements with upload_time support, theming and SFTP handling fixes.
Mastodon v4.5.8 (Mar 24) — SECURITY: Quote authorization bypass fix + open redirect patch. Backported to v4.4.15 and v4.3.21.
Immich v2.6.3 (Mar 26) — Mobile upload timeout removed, web viewer horizontal scroll fix.
Chatwoot v4.12.1 (Mar 25) — AI reply composer improvements, agents can now type snooze times in plain language.
Element v1.12.13 (Mar 24) — New picture-in-picture designs for Element Call, Widget and Room Header Buttons module APIs.
BookStack v26.03.2 (Mar 23) — SECURITY: Registration form role manipulation fix. Upgrade immediately if registration is enabled.
What Stood Out This Week
ClickHouse v26.3 LTS is the big one. Production-ready full-text search means you can now run text queries natively without bolting on Elasticsearch. Combined with the new QBit vector type, ClickHouse is quietly becoming a multi-modal analytics engine.
Meilisearch v1.40 deserves a mention — upgrading mimalloc from v2 to v3 meaningfully reduced memory usage on large indexes, and federated search got ~100ms faster. If you're running multi-index search, this is a free performance win.
Dify v1.13 introduced Human-in-the-Loop for AI workflows — a feature teams have been requesting for production AI pipelines where you need a human approval step before the agent takes action.
And if you haven't patched Grafana yet, do it now. CVE-2026-27876 is as bad as it sounds — arbitrary file writes leading to remote code execution.
Deploy or Update on Elestio
All of these services are available on Elestio with one-click deployment starting at $16/month. Managed updates, automated backups, and SSL included.
Thanks for reading. See you next Sunday.