# HG changeset patch # User Alain Mazy # Date 1768836902 -3600 # Node ID 54892594ebe13fb5e5d6b97f020dd353947c8cae # Parent 63904b9a5267247d165202fe8226e10fa411129c security flaw credits diff -r 63904b9a5267 -r 54892594ebe1 NEWS --- a/NEWS Mon Jan 19 16:30:14 2026 +0100 +++ b/NEWS Mon Jan 19 16:35:02 2026 +0100 @@ -13,6 +13,7 @@ - "orthanc_logged_warnings_count" * Fixed a security issue where one could hijack HTTP headers in the response through the `filename` argument of "/.../file" or "/.../archive" routes. + (credits: Pavel Kohout, Aisle Research. www.aisle.com) * In tools/find, filtering against "LabelsConstraint": "None" with an empty "Labels" list now returns all resources that do not have any labels attached instead of returning all resources. This applies to the default SQLite DB and will apply to the next PostgreSQL plugin (v 10.1)