Syncthing v1.23.5 🚨 contains security fix

v1.23.5

Security 🚨

This release fixes CVE-2022-46165 “Cross-site Scripting (XSS) in Web GUI”:

  1. A compromised instance with shared folders could sync malicious files which contain arbitrary HTML and JavaScript in the name. If the owner of another device looks over the shared folder settings and moves the mouse over the latest sync, a script could be executed to change settings for shared folders or add devices automatically.
  2. Adding a new device with a malicious name could embed HTML or JavaScript inside parts of the page.

Bugfixes

  • #8503: “syncthing cli config devices add” reflect error when using --addresses flag
  • #8764: Ignore patterns created during folder addition are not loaded
  • #8778: Tests fail on Windows with Go 1.20
  • #8779: Test cleanup fails all model tests on Windows on Go 1.20
  • #8859: Incorrect handling of path for auto accepted folder

Other issues

  • #8799: “fatal error: checkptr: converted pointer straddles multiple allocations” in crypto tests
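The two advisory items above describe one bug class: a string another party controls (a synced file name, a remote device's name) ends up concatenated into the GUI's HTML, so the browser parses it as markup, and because the page is the authenticated GUI origin, any injected script runs with the user's session and can make the same REST calls the GUI itself makes. The following is an added illustration, not Syncthing's code (the real GUI is an AngularJS app and the actual fix lives in the v1.23.5 release); the render functions, the `countTags` helper and the sample names are hypothetical and constructed for the demo.

```javascript
// Added example of the stored-XSS pattern in CVE-2022-46165 and its fix.
// Hypothetical templates, not Syncthing's GUI code. Runs under Node, no DOM.

// Escape the characters that change meaning in HTML text and inside a
// double-quoted attribute value. The result contains no raw < > " ' or &.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE (hypothetical): the "latest sync" entry is built by string
// concatenation. The file name lands in two contexts, the title attribute
// (the hover tooltip) and the element text, and is parsed as markup in both.
function renderLatestSyncUnsafe(fileName) {
  return '<span title="Last synced: ' + fileName + '">' + fileName + '</span>';
}

// HARDENED: the untrusted value is escaped for both contexts it lands in.
function renderLatestSyncSafe(fileName) {
  const safe = escapeHtml(fileName);
  return '<span title="Last synced: ' + safe + '">' + safe + '</span>';
}

// Same defect and fix for a device row (advisory item 2).
function renderDeviceUnsafe(deviceName) {
  return '<li class="device">' + deviceName + '</li>';
}
function renderDeviceSafe(deviceName) {
  return '<li class="device">' + escapeHtml(deviceName) + '</li>';
}

// Crude tokenizer, used only to make the effect visible without a browser:
// counts the tags an HTML parser would see in the produced markup. With the
// templates above, a correctly escaped name yields exactly the template's
// own tags (2); anything more is attacker-supplied structure.
function countTags(markup) {
  const tags = markup.match(/<[^>]*>/g);
  return tags ? tags.length : 0;
}

// Constructed attacker-controlled names (not taken from any real incident).
// The file name first closes the title attribute with "> and then injects an
// element whose onerror handler fires as soon as the markup is inserted.
const MALICIOUS_FILE_NAME = '"><img src=x onerror="alert(document.cookie)">';
const MALICIOUS_DEVICE_NAME = '<img src=x onerror="alert(1)">';
const BENIGN_FILE_NAME = 'Q2 report (final).pdf';

function demo() {
  const rows = [
    ['file   unsafe', renderLatestSyncUnsafe(MALICIOUS_FILE_NAME)],
    ['file   safe  ', renderLatestSyncSafe(MALICIOUS_FILE_NAME)],
    ['device unsafe', renderDeviceUnsafe(MALICIOUS_DEVICE_NAME)],
    ['device safe  ', renderDeviceSafe(MALICIOUS_DEVICE_NAME)],
  ];
  for (const [label, markup] of rows) {
    console.log(label, 'tags=' + countTags(markup), markup);
  }
}

demo();
```

The unsafe file-name render produces four tags (the template's two plus an injected `<img>` in the tooltip and another in the text), the hardened one produces the template's two with the name shown literally. In a framework-based GUI the equivalent fix is binding untrusted values as text rather than as HTML; a cheap regression check after upgrading is to drop a file with a name like the constructed one into a test folder and confirm the GUI shows the name verbatim.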

Thanks. It looks like the usual asc file is missing on Release v1.23.5 · syncthing/syncthing · GitHub (https://github.com/syncthing/syncthing/releases/download/v1.23.5/syncthing-source-v1.23.5.tar.gz.asc).


Indeed, I will see if I can produce it after the fact. There’s a build issue on it, which I forgot to try to fix before release time.


That seems to have worked. I’ve just updated the submit request for openSUSE to include the GPG check again.
