Sign in Subscribe
Catalog Updates

Elestio Catalog Updates: 9 New Releases This Week (June 22-28, 2026)

Michael Soto

3 min read
Share
Elestio Catalog Updates: 9 New Releases This Week (June 22-28, 2026)

If last week was quiet, this one made up for it. Nine services in the Elestio catalog shipped releases between June 22 and 28, and the dominant theme was security: Grafana cleared a stack of CVEs, Meilisearch and Mastodon both pushed urgent patches, and Weaviate closed an SSRF hole. If you run any of these, this is a patch-first week. Here is everything worth knowing.

Security alerts

Several releases this week exist primarily to fix vulnerabilities. Treat these as priority upgrades:

  • Grafana 13.0.3 and its backports (12.4.5, 12.3.8, 12.2.10, 11.6.16) patch a batch of seven CVEs, including CVE-2026-9029 and CVE-2026-33382. If your Grafana is exposed, update now.
  • Meilisearch 1.48.2 (and the 1.47.1 backport) fix CVE-2026-57824, a privilege escalation affecting index-scoped API keys, and CVE-2026-57823, an information disclosure affecting tenant tokens. The maintainers report no evidence of exploitation in the wild.
  • Mastodon 4.6.2, plus 4.5.13 and 4.4.20, ship a fix for CVE-2026-8461 in FFmpeg and are flagged as critical if you run the Docker images. A separate 4.5.12 release also hardened LDAP TLS verification.
  • Weaviate 1.38.2 validates module base-URL request headers to close an SSRF vector.
  • n8n 1.123.60 rolled up fixes for a pile of dependency CVEs across tmp, protobufjs, ws, and axios.

Databases

  • Weaviate v1.38.2 (June 25). Beyond the SSRF fix above, this one improves HFresh vector index handling, adds parallel pre-fill for the uncompressed vector cache, and ships a new generative-deepseek module. Backports landed in 1.37.10 and 1.36.19.
  • ClickHouse v26.6.1 (June 25). A fresh stable release for the analytics database, alongside an LTS bump to 26.3.15.4 (June 23) for teams that stay on long-term support. Full binaries for amd64 and arm64 as always.

AI and GPU

  • Ollama v0.30.11 (June 25). Adds thinking-capability detection for OpenCode and auto-installation of Claude Code, fixes GPU classification on Windows hybrid-graphics machines, and unifies speculative decoding in the MLX runner. Memory efficiency also improved through smarter multimodal projector offloading.

Development

  • n8n 2.27.4 (June 24). The stable line picked up a Google Ads node API upgrade (v20 to v21) and fixes for Python relative imports and chained node building. The 1.123.60 maintenance release on June 22 carried the dependency security fixes noted above.
  • Meilisearch v1.48.2 (June 24). The security patch is the headline, but 1.48.0 earlier in the week also introduced experimental template rendering and refined filter support for the search engine.

Hosting and infrastructure

  • Grafana 13.0.3 (June 23). The security fixes dominate, but the release also bumps the Docker Alpine base image to 3.23.4 and improves provisioning so a _folder.json is written when you create dashboards in new folders. The point releases across older branches add a datasource UID validation fix.

Applications

  • Mastodon 4.6.2 (June 25). Security-driven, but the 4.6.1 release the day before added avatar and header description fields to the API and fixed emoji database loading.
  • Rocket.Chat 8.6.0-rc.2 (June 26). The 8.6 release candidate firmed up this week with a federation message-syncing fix and a two-factor authentication fix for personal access tokens. Worth tracking ahead of the stable cut.
  • Immich v3.0.0-rc.3 (June 26). The photo platform's v3 inches closer, adding a webhook workflow action, keyboard seeking in the new video player, and a batch of detail-panel and external-library fixes.

What stood out this week

A few releases are worth more than a line:

  1. Grafana's CVE sweep. Seven CVEs in one coordinated release is a lot, and Grafana sits at the center of most self-hosted monitoring stacks. This is the upgrade to do first.
  2. Meilisearch's API-key privilege escalation. If you hand out scoped or tenant-token keys, this is exactly the kind of bug that turns a limited key into more than you intended. Patch to 1.48.2.
  3. Mastodon's FFmpeg fix. Media-processing CVEs are easy to underestimate until someone uploads a malicious file. The fix spans three release branches, so there is no excuse to stay behind.
  4. Immich v3 nearing the finish line. Webhook actions plus the workflow engine mean Immich is quietly becoming automatable, not just a photo viewer. The stable v3 looks close.

Run any of these on Elestio

Every service above is available as a fully managed, one-click deployment on Elestio, with automated updates, backups, and monitoring so the patch-now weeks are less of a scramble. Browse the full catalog of 400+ open-source apps at elest.io/fully-managed-services.

That is the week. Heavier on security than features, which is a good reminder that running your own software means owning the upgrade cadence. Patch the exposed ones today. Thanks for reading ❤️ See you next Sunday 👋

Sign up for more like this.

Enter your email
Subscribe