Sign in Subscribe
Self-Hosted Weekly

Self-Hosted Weekly: Week 18, 2026. Mistral 3.5 Lands, Hashimoto Quits GitHub, cPanel CVSS 10

Michael Soto

5 min read
Share
Self-Hosted Weekly: Week 18, 2026. Mistral 3.5 Lands, Hashimoto Quits GitHub, cPanel CVSS 10

If you ran a self-hosted stack this week, you probably felt the ground move. Mistral dropped a 128B model that fits on four GPUs, Mitchell Hashimoto walked Ghostty off GitHub, and a cPanel zero-day got everyone scrambling before the weekend. Plus a new self-hosting box, a Home Assistant beta, Proxmox HA finally working like you'd expect, and an Immich update that fixes the dedup mess. Eight stories below, with hot takes you can use.

1. Mistral Medium 3.5 Lands With Self-Hostable 128B Weights

Mistral shipped Medium 3.5 on April 29, and the headline number is the one that matters: 128 billion dense parameters, 256k context, runs on as few as four H100s or H200s, released under a modified MIT license. Benchmarks have it at 77.6% on SWE Bench Verified. That puts a serious agentic coding model on the menu for anyone willing to budget a 4x80GB GPU node.

Hot take: This is the release that makes "self-hosted enterprise AI" stop sounding like a slide deck. Four H100s isn't cheap, but it's a one-time CapEx that pays back fast against per-token API bills. If you've been waiting to bring inference in-house, start sizing the box.

2. Mitchell Hashimoto Pulls Ghostty Off GitHub

The HashiCorp co-founder, GitHub user #1299, opened the platform every day for 18 years. On April 29 he wrote that GitHub is "no longer a place for serious work" and started moving Ghostty to a yet-unnamed forge. The post landed days before another April 28 incident where pull requests silently failed because of an Elasticsearch issue.

Hot take: Hashimoto isn't some random angry contributor. When the guy who built Vagrant, Terraform, and Vault publicly leaves your platform, that's a market signal. Expect Forgejo, Codeberg, and self-hosted Gitea instances to see a noticeable bump in the next 30 days. If you've been on the fence about mirroring critical repos to your own forge, stop being on the fence.

3. cPanel Hit With CVSS 10 Auth Bypass, Already Exploited

CVE-2026-41940 went public on April 28: a missing authentication check on a critical cPanel & WHM endpoint that lets unauthenticated attackers take full control of the host, configs, databases, and every site on it. CISA added it to the Known Exploited Vulnerabilities catalog on April 30. Evidence shows it was being exploited for months before disclosure.

Hot take: If you run cPanel anywhere, patch yesterday and assume compromise. The hosting industry is going to spend the next month cleaning this up. Self-hosters running their own LAMP stacks without cPanel aren't directly affected, but the lesson is the same one we keep repeating: pinned major versions on a managed platform with automated patching is no longer a luxury, it's the floor.

4. ZimaCube 2 Lands With GPU-Ready Self-Hosting Hardware

IceWhale launched ZimaCube 2 on April 29 with three configurations: a $799 base box (i3, 8GB DDR5, dual 2.5GbE), a $1,299 Pro (i5, 16GB, onboard 10GbE, four NVMe slots at 3,200 MB/s), and a $2,499 Creator Pack with 64GB RAM and an NVIDIA RTX PRO 2000 GPU. ZimaOS ships one-click deploys for Plex, Jellyfin, Immich, Nextcloud, Home Assistant, and the rest.

Hot take: The Creator Pack is the interesting one. A pre-built homelab with a discrete GPU at $2,499 hits a price point that didn't really exist before. Great as a starter. If you outgrow it or want zero hardware ownership, managed infra is still the path.

5. Home Assistant 2026.5 Beta Brings RF Platform And Matter Radon

The 2026.5 beta dropped April 29 with the foundation for Project Blast (combining infrared and radio frequency in one device), a redesigned vacuum control surface, and official support for Matter 1.2 radon sensors. Release party is May 6.

Hot take: The RF platform is the sleeper feature. Most homelabs already have IR via the 2026.4 work, but RF unlocks a whole class of older devices (garage doors, blinds, weather stations) that have been awkward to integrate. If you've been duct-taping rtl_433 onto Home Assistant, this is the cleanup you've been waiting for.

6. Proxmox Backup Server 4.2 And VE 9.1.8 Ship HA Rebalancing

April 29 was a busy day. Proxmox Backup Server 4.2 released on Debian 13.4. More importantly, Proxmox VE 9.1.8 finally added automatic HA workload rebalancing, the gap that's been embarrassing Proxmox vs vSphere/Nutanix for years.

Hot take: This is the release that closes a real feature gap. Anyone who left Proxmox for VMware citing HA maturity should re-evaluate. With the broader VMware exodus still in motion post-Broadcom, Proxmox just made the migration story considerably easier to sell internally.

7. Immich v2.7.5 Cleans Up Deduplication

The popular Google Photos alternative shipped 2.7.5 with reworked duplicate detection. The system now analyzes image size and EXIF metadata to suggest which asset to keep, and automatically syncs critical metadata between duplicates before merging.

Hot take: Anyone who has migrated 50,000+ photos into Immich knows the dedup pain. The previous flow asked you to make decisions one at a time without enough context. This update is small in scope, big in quality of life.

8. DeepSeek V4-Pro and V4-Flash Take The Open-Weight Crown

On April 23, DeepSeek released V4-Pro and V4-Flash under MIT, with V4-Pro overtaking Moonshot's Kimi K2.6 (1.1T) and Z.ai's GLM-5.1 (744B) as the largest open-weight model ever shipped. Combined with Qwen 3.6-35B-A3B (April 16, Apache 2.0), the open-weight world covers every size class enterprises care about.

Hot take: The benchmark gap to GPT-5.5 and Claude is now single digits on the evaluations that actually drive procurement. The "we have to use closed APIs because the open models aren't good enough" excuse is officially retired. Self-host or use a managed open-weight host. Either works.

What We're Watching Next Week

Story Why It Matters
Home Assistant 2026.5 GA (May 6) First stable build with the RF platform. Expect community integrations to follow within days.
cPanel post-patch fallout Mass-hosting providers will be reporting incidents. Watch for downstream WordPress and Joomla compromise reports.
Where Ghostty lands Hashimoto said discussions are ongoing with both commercial and FOSS forges. Whoever wins gets a halo effect.
Mistral 3.5 community fine-tunes Expect the first community-tuned variants on Hugging Face within 7 to 10 days.

The Bottom Line

This was a week about maturity. Open-weight AI crossed the line where you no longer need to apologize for choosing it. Self-hosting hardware ships pre-built with discrete GPUs. Proxmox is real HA-grade infrastructure. The cPanel CVE is the counterweight: managed platforms are only as good as their patch discipline.

The gap between "self-hosted hobby" and "self-hosted production" keeps closing. If you'd rather skip the GPU sizing and HA tuning, Elestio deploys Mistral, Home Assistant, Immich, Forgejo and 400+ others on managed infrastructure with automatic patching, backups, and 24/7 monitoring.

Thanks for reading ❤️

See you next Friday 👋

Sign up for more like this.

Enter your email
Subscribe