[!CAUTION] This release contains critical security updates for CVE-2026-25726; please update as soon as possible. Updating to this version will cause the following unavoidable side effects:

• All active login sessions will be invalidated;
• Existing direct links for non-redirected local storage policies will become invalid (URLs containing ?sign=xxx);
• Other signed temporary links that have not yet expired will become invalid (URLs containing ?sign=xxx).

---

• If your database was first initialized with Cloudreve version >= 4.10.0, this security vulnerability does not affect you.
• Specific details will be disclosed 60 days after this release.

• Fix: Use cryptographically secure random number generator for sensitive fields (Kudos to @orenyomtov)
• Improvement: File list tooltips should no longer obstruct downward mouse movement (#3170)
• Improvement: Performance optimization for drag-selection of files
• Fix: Unable to drag and drop files in list view (#2937)
• Fix: Inaccessible direct links for newly created empty files (#3239)
• Fix: 500 error when uploading to SeaweedFS S3 storage policies (#3265)
• Fix: OAuth endpoint handling of code_challenge inconsistent with documentation (#3261)