Elestio Catalog Updates: 8 Notable Releases This Week (March 29 - April 5, 2026)

Another week, another round of releases across Elestio's 400+ open-source catalog. This week was dominated by security patches — two critical CVEs got fixed, Jellyfin shipped urgent security updates, and Ollama went on a patch marathon with three back-to-back releases. Let's get into it.

Security Alerts

Three patches you should apply immediately if you're running affected versions:

• Jellyfin 10.11.7 — Contains several critical security fixes with CVEs scheduled for disclosure in 14 days. Users of ALL prior versions should upgrade immediately.
• Payload CMS 3.79.1 — Patches CVE-2026-34751 (CVSS 9.1), a critical account takeover flaw via Host header injection and weak token validation in the password recovery flow.
• Docker Engine 29.3.1 (Moby) — Patches CVE-2026-34040 (CVSS 8.8), an AuthZ plugin bypass using oversized request bodies.

AI/GPU Releases

• Ollama v0.20.0 (April 2) — New major release with updated defaults and app home view changes.
• Ollama v0.20.1 (April 3) — Patch release fixing regressions from 0.20.0.
• Ollama v0.20.2 (April 4) — Defaults the app home view to new chat instead of launch screen.

Beyond the Ollama series, Google released Gemma 4 under Apache 2.0 on April 2 — four open-weight models (E2B, E4B, 26B-A4B MoE, and 31B Dense) now runnable locally via Ollama. The 31B variant currently sits at #3 on the Arena AI text leaderboard.

Development Releases

• Supabase April Updates — Log Drains now available on Pro tier (Postgres, Auth, Storage, Edge Functions, and Realtime logs can stream to Datadog, Grafana Loki, Sentry, Axiom, S3). Object listing is 14.8x faster on 60M+ row datasets. New rate limit on recursive Edge Function calls (5,000 requests/min per chain).

Hosting & Infrastructure Releases

• Docker Engine 29.3.1 — Security patch release (see Security Alerts above).

Applications Releases

• Jellyfin 10.11.7 — Stable release with critical security fixes, performance improvements, and bug fixes. Upgrade immediately.
• Nextcloud 33.0.2 (April 2) — Patch release in the Hub 26 Winter series with bug fixes and stability improvements.
• Metabase 59 — Introduces Data Studio (analyst workbench), AI SQL generation in the Open Source edition, and boxplot chart support.
• Payload CMS 3.79.1 — Critical security patch (see Security Alerts above).

What Stood Out This Week

1. Payload CMS's textbook auth failure. CVE-2026-34751 combined two classic mistakes: trusting the HTTP Host header for password reset URLs, and using partial token matching (SQL LIKE %value%) on high-entropy auth tokens. Both are in every security checklist, yet they shipped. A reminder that auth flows need dedicated review, not just code review.

2. Ollama's rapid-fire patch cycle. Three releases in three days isn't necessarily a bad sign — it means the team is actively responding to feedback from the 0.20.0 launch. The new default home view (new chat instead of launch) is a small UX win that anyone using Ollama daily will appreciate.

3. Metabase 59's AI SQL generation going open-source. This is a meaningful move. Natural-language-to-SQL has been paywalled or API-dependent in most BI tools. Bringing it to the open-source edition lowers the barrier for teams that want self-hosted analytics without sending schema data to third-party AI services.

4. Supabase's 14.8x faster object listing. Storage performance on large buckets has been a consistent complaint. If you're running self-hosted Supabase with millions of objects, this alone is worth the upgrade.

Deploy Updated Versions on Elestio

All of these services are one-click deployable on Elestio. Updates roll out automatically on managed instances, so you get security patches without lifting a finger.

Browse the full catalog at elest.io/fully-managed-services.

That's it for this week. Patch your stacks, upgrade your AI models, and we'll see you next Sunday.

Thanks for reading ❤️ See you in the next one 👋