Self-Hosted Weekly: Week 17, 2026. K8s Scale-to-Zero Lands, Cal.com Goes Closed, and a CVSS 10 Hits AVideo

Another loaded week in the self-hosted world. Kubernetes finally turned on the feature people have been asking about for seven years, Cal.com made a decision that lit up every tech forum, and a CVSS 10.0 dropped on a video platform you might actually be running. Let's get into it.

1. Kubernetes v1.36 ships with HPA Scale-to-Zero on by default

Released April 22. Version 1.36 includes 80 enhancements, but the headline is HPAScaleToZero going on by default after sitting as a feature gate since v1.16 in 2019. Your Horizontal Pod Autoscaler can now scale a deployment to zero replicas when nothing's queued, and scale back up when demand returns. You still need an external signal (KEDA is the usual pick) to wake it up.

Also in the release: SELinux mount options went stable (fixes slow pod startup on SELinux nodes), the gitRepo volume plugin was removed (it was a known security risk), and IPVS mode in kube-proxy is gone.

Hot take: Seven years to flip a default is peak Kubernetes. But if you run staging clusters, batch pipelines, or anything with idle windows, this is a real money lever. Teams are already reporting 60–70% cost reductions on non-prod environments. Kubernetes won't wake itself up, though. You need KEDA or a similar metrics bridge.

2. CVE-2026-40911: WWBN AVideo ships a CVSS 10.0 RCE

Max-severity. Published April 21. The YPTSocket plugin in WWBN AVideo v29.0 and earlier fails to sanitize WebSocket JSON payloads before relaying them to connected clients. An unauthenticated attacker can broadcast arbitrary JavaScript to every active user, including admins. Result: universal account takeover, session theft, and privileged action execution with no login required.

Hot take: CVSS 10.0 is the kind of number that doesn't come up often. If you run AVideo, stop reading this digest and patch. WebSocket relay servers that trust client payloads are a recurring pattern we keep seeing, and it's why input validation needs to live at the broker, not the consumer.
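What broker-side validation looks like in practice, as an added example (not AVideo's or YPTSocket's code, and the `chat`/`typing` message shapes are hypothetical, not AVideo's real protocol): the relay parses each client payload against an allowlist schema, escapes anything that will be rendered as text, stamps the sender from the server-side session, and drops everything else before it reaches other clients.

```javascript
// Hypothetical relay schema: message type -> allowed fields and their types.
// Any field not listed here (e.g. an injected "html" or "script") is never copied.
const ALLOWED_TYPES = {
  chat:   { text: 'string', room: 'string' },
  typing: { room: 'string' },
};
const MAX_TEXT = 500;

// Neutralise HTML metacharacters so a forwarded string can only render as text,
// even if a client drops it straight into innerHTML.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Returns a sanitized message safe to broadcast, or null if it must be dropped.
// senderId comes from the server-side session, never from the payload.
function validateRelayMessage(raw, senderId) {
  let msg;
  try { msg = JSON.parse(raw); } catch { return null; }
  if (!msg || typeof msg !== 'object' || Array.isArray(msg)) return null;
  const schema = ALLOWED_TYPES[msg.type];
  if (!schema) return null;                              // unknown type: drop
  const out = { type: msg.type, from: String(senderId) }; // payload "from" is ignored
  for (const [field, kind] of Object.entries(schema)) {
    const v = msg[field];
    if (typeof v !== kind) return null;                  // missing or wrong type
    out[field] = field === 'text'
      ? escapeHtml(v.slice(0, MAX_TEXT))                 // free text: escape + cap
      : v.replace(/[^\w-]/g, '').slice(0, 64);           // identifiers: [A-Za-z0-9_-] only
  }
  return out;
}

// Broadcast helper: only validated messages reach other clients.
// Returns how many clients received the message (0 when it was dropped).
function relay(raw, senderId, clients) {
  const clean = validateRelayMessage(raw, senderId);
  if (!clean) return 0;
  const wire = JSON.stringify(clean);
  for (const c of clients) c.send(wire);
  return clients.length;
}
```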

3. CVE-2026-41167: Jellystat SQL injection escalates to RCE

Published April 22, CVSS 9.1. Jellystat (the stats dashboard for Jellyfin) was interpolating raw request-body fields into SQL queries via node-postgres's simple query protocol, which allows stacked queries. An authenticated user can read the app_config table (contains admin creds and the Jellyfin API key) and escalate to arbitrary command execution on the Postgres host via COPY ... TO PROGRAM. Fix lands in v1.1.10.

Hot take: Two lessons. One: pg's parameterized queries exist for a reason, and raw string interpolation in 2026 is gambling. Two: a "statistics dashboard" sounds low-risk, but it often holds the keys to everything it monitors. Audit the blast radius of your observability tools.
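The parameterized alternative, as an added example (not Jellystat's code; the `playback` table, its columns and the filter names are hypothetical): request-body filters are allowlisted against known columns, values are bound as `$n` placeholders, and the resulting `{ text, values }` pair is what you hand to node-postgres's `client.query(text, values)`. With bound values, pg uses the extended query protocol, where the values travel out-of-band and only a single statement is accepted, so a quote or semicolon in a value cannot become a stacked query.

```javascript
// Column names cannot be bound as parameters, so they are allowlisted here.
// (Hypothetical schema for illustration.)
const FILTERABLE = {
  user_id: 'text',
  item_type: 'text',
  days: 'int',
};

// The pattern to avoid, kept only as a comment: raw interpolation sent through
// the simple query protocol, which happily executes several statements at once.
//   client.query(`SELECT * FROM playback WHERE user_id = '${req.body.user_id}'`)

// Build a single parameterized statement from untrusted request-body filters.
// Throws on unknown keys or malformed values instead of guessing.
function buildStatsQuery(body) {
  const where = [];
  const values = [];
  for (const [key, raw] of Object.entries(body || {})) {
    const kind = FILTERABLE[key];
    if (!kind) throw new Error(`unknown filter: ${key}`);
    if (kind === 'int') {
      const v = Number(raw);
      if (!Number.isInteger(v) || v < 0 || v > 3650) throw new Error(`bad value for ${key}`);
      values.push(v);
      where.push(`ts > now() - ($${values.length} * interval '1 day')`);
    } else {
      if (typeof raw !== 'string' || raw.length > 128) throw new Error(`bad value for ${key}`);
      values.push(raw);                      // bound, never spliced into the text
      where.push(`${key} = $${values.length}`);
    }
  }
  const text =
    'SELECT user_id, item_type, count(*) AS plays FROM playback' +
    (where.length ? ' WHERE ' + where.join(' AND ') : '') +
    ' GROUP BY user_id, item_type';
  return { text, values };                   // use as: client.query(text, values)
}
```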

4. CVE-2026-32613: Spinnaker CVSS 9.9 JVM sandbox escape

Published April 20. Spinnaker (Netflix's open-source continuous delivery platform) wasn't restricting code execution context to trusted classes in SpEL evaluation, giving users full JVM access to invoke arbitrary Java, run commands, and read files. Patched versions are out. If you run Spinnaker in production, this is an upgrade-this-weekend situation.

Hot take: SpEL (Spring Expression Language) has been a recurring source of critical CVEs across the Java ecosystem for years. If your CD platform lets users write expressions, that's a trust boundary by definition.

5. Cal.com goes closed source, citing AI

Cal.com moved its production codebase to a private repo on April 15. Co-founder Bailey Pumfleet's reasoning: AI-driven SAST tools (Gecko Security's engine in particular) can now scan a public repo for chained auth-control bugs at scale. In January, Gecko found a chain of three vulnerabilities in Cal.com Cloud that enabled full account takeover. The closed-source decision followed three months later. A public version, calcom/cal.diy, remains self-hostable.

Hot take: This is the argument open source has been avoiding for two years, and it's going to get louder. "AI can find bugs faster than we can fix them" is not a stable equilibrium. Expect more mid-sized projects to split into a public "community" edition and a private "cloud" edition. The interesting question is whether this becomes a trend or stays an outlier.

6. Forgejo v15.0 LTS drops (the 100th release)

Release                        Date            Supported until
Forgejo v11.0 (previous LTS)   2025            16 July 2026
Forgejo v15.0 (new LTS)        16 April 2026   July 2027

The 100th Forgejo release, and the second LTS. Highlights: repository-specific access tokens, OpenID Connect support for Forgejo Actions, reusable workflows that expand into individual jobs for better log visibility, and a new web-based runner registration flow.

Hot take: Forgejo has become the quiet alternative that just works. If you're still running a Gitea fork from 2022 or locked into a commercial Git host you don't need, v15.0 LTS is a clean migration target. The Actions maturity in particular is closing the gap with GitHub Actions for self-hosted shops.

7. Valkey turns two, and the Redis fork is winning

RedMonk published a two-year retrospective on April 6. Summary: Valkey (backed by AWS, Google Cloud, Oracle, Ericsson, Snap, and the Linux Foundation) has become the default Redis fork for cloud distributions. Valkey 9 added multiple logical databases in cluster mode, atomic slot migration, and official modules for JSON, Bloom filters, and vector search. A benchmarked 1 billion requests/sec on a 2,000-node cluster went mostly uncontested.

Hot take: The 2024 license shift at Redis Inc. lit the match. The ecosystem did the rest. If you're still pinning to Redis 7.2 out of inertia, Valkey 9 is a drop-in replacement with real features Redis doesn't have. This is what a successful fork looks like.

8. Open Source Endowment picks up steam, OpenAI keeps buying OSS

Two threads worth watching together. The Open Source Endowment (founded by Konstantin Vinogradov, backed by Dohmke, Hashimoto, Copplestone, the Vue.js and cURL creators) now has 501(c)(3) status and $750K+ in commitments toward a $100M seven-year target. Meanwhile, OpenAI has already matched its entire 2025 acquisition count, including snapping up Promptfoo (open-source LLM evals) in April after grabbing Astral (uv, ruff) in March.

Hot take: Two models for "how do we fund open source." One says: permanent endowment, principal untouched, steady yield to maintainers. The other says: a trillion-dollar AI lab buys your project and makes it a product feature. Both will probably exist in parallel. Neither alone solves the maintainer burnout problem.

What we're watching next week

  • Immich managed backup is in community feedback phase. An end-to-end encrypted managed option changes Immich's positioning dramatically.
  • Kubernetes 1.36 in production. Expect scale-to-zero horror stories and cost reports in the next 2–3 weeks.
  • Collabora's fork plans after the Document Foundation bylaws vote. The Euro-Office saga keeps evolving.

The bottom line

Two max-severity CVEs, a significant Kubernetes release, a major open-source defection, and a milestone LTS all in seven days. If you run AVideo, Spinnaker, or Jellystat, patch first and finish reading later. If you run Kubernetes clusters that sit idle, v1.36 just handed you a budget win. And if you're watching the broader trend: the Cal.com decision is going to be the week's most-debated story long after the CVEs are patched.

Running any of this stack? Elestio manages Kubernetes, Forgejo, Jellyfin, Valkey, and 400+ other open-source services with automated updates and backups, so your patching window doesn't depend on whether someone on the team noticed the CVE feed.

Thanks for reading ❤️ See you next Friday 👋