Weekly Recap - May 24 to May 31, 2026
The week was dominated by two currents: a high-urgency OAuth-binding vulnerability in Miniflux and a step-function model release from Anthropic. Miniflux 2.3.1 arrived flagged Patch now for an account-hijack vector in its OAuth implementation, placing it alongside Bitcoin Optech's disclosure of a remote Core Lightning crash vulnerability as the week's hardest security signal. AI infrastructure saw Claude Opus 4.8 land mid-week with claimed strength in agentic work and long-running tasks, while llama.cpp maintained its rapid patch cadence with seven tagged builds addressing vision models, tensor alignment, and operator ergonomics. Privacy tooling shipped a cluster of minor releases: Vanadium tracked Chromium through 149.0.7827, Thunderbird for Android reached major version 19 with notification-action configuration, DAVx5 and Radicale both landed patch releases addressing CalDAV edge cases. The Lightning beat remained quiet; lnd's third 0.21.0 release candidate advanced payment-store migration to native SQL, but no stable releases shipped.
Threads
CalDAV-adjacent releases cluster around calendar-sync edge cases
DAVx5 4.5.13-ose and Radicale 3.7.4 both shipped fixes for shared-calendar PROPFIND handling and href mapping, while Thunderbird for Android 19.0 added notification-action configuration. The timing suggests ongoing polish in the CalDAV stack as operators move calendar workflows off centralised providers. All three are Test severity; operators with non-ASCII vCard filenames or shared calendars should prioritise DAVx5 and Radicale.
Vision-model precision fixes dominate llama.cpp releases
llama.cpp shipped seven tagged builds across the week, with b9411 adding DeepSeek V3.2 DSA support, b9414 introducing DeepSeek-OCR 2 multi-tile dynamic resolution, and b9367 landing Vulkan cooperative-matrix decode for faster matmul. The cluster suggests upstream vision-model adoption is driving operator-visible precision and performance work. Operators running vision workloads should track the b94xx series.
Major password-manager releases ship with minimal operator impact
Bitwarden delivered a coordinated 2026.5.0 wave across server, browser, CLI, and Android Authenticator, while Proton Pass CLI reached 2.1.2. Both sets of releases noted under-the-hood improvements but surfaced no migration steps or breaking changes. Operators can defer upgrades unless autofill URI-matching behaviour matters.
Patch board
- Bitcoin Optech Newsletter #407 (Patch now). This week’s newsletter announces the responsible disclosure of a vulnerability that allowed a remote peer to crash Core Lightning nodes and links to transcripts from a recent Bitcoin Core developer…
- Miniflux 2.3.1 (Patch now). Security Fixed an OAuth account binding vulnerability that could allow users to associate arbitrary OAuth identities with their account.
Releases
- JoinMarket-NG 0.31.1. Fixed - Install whiptail in maker and taker images so the jm-ng TUI works out of the box (72ea101e) - Fix jmwalletd crash on startup in Flatpak (ModuleNotFoundError: No module named ‘tumbler’) (b4df30ff) - Prevent a Sybil DoS where relay…
- lnd 0.21.0-beta.rc3. Database Migrations https://github.com/lightningnetwork/lnd/issues/9861: This migrates the payment store from the KV format to native SQL.
- Keystone 3 2.4.4. Release notes Details Web3: Improvements 1.
- Thunderbird for Android K-9 Mail 19.0. New: - Message notification actions can be configured ( 3530) - Message font size scales with device preferences ( 10692) - Integrate an easily discoverable way to configure and use Thundermail ( 10866, 10958, 10994) Fixed: - Thunderbird…
- Thunderbird for Android Thunderbird 19.0. New: - Message notification actions can be configured ( 3530) - Message font size scales with device preferences ( 10692) - Integrate an easily discoverable way to configure and use Thundermail ( 10866, 10958, 10994) Fixed: - Thunderbird…
- Frostsnap 0.3.0. Firmware digest (deterministic build): 6273dc08ca7c805fa70ac8feeb98c62f7b6fcb337fb1cd8412f24f0d6dda51f7 Stay Frosty.
- Blink Mobile 2.4.46. Features - UI/UX launch polish across settings and flows ( 3769) Miscellaneous Tasks - Upgrade blink-mobile to Node 24 ( 3787) - Update iOS build tooling to Xcode 26.5 ( 3785)
- BDK FFI 3.0.0. Release 3.0.0 This is version 3.0.0 of the BDK language bindings!
- LocalAI 4.3.1. What’s Changed Other Changes Fix kokoros backend build break from Backend trait drift by @Copilot in https://github.com/mudler/LocalAI/pull/9972 chore: :arrow up: Update antirez/ds4 to f91c12b50a1448527c435c028bfc70d1b00f6c33 by @localai…
- Vanadium 149.0.7827. Changes in version 149.0.7827.48.0: update to Chromium 149.0.7827.48 improve implementation of the per-site motion sensors site setting added by GrapheneOS A full list of changes from the previous release (version 149.0.7827.22.0) is ava…
- vLLM 0.22.0. Highlights This release features 459 commits from 230 contributors (63 new)!
- Cline 3.85.0. Added - Add GPT-5.5 support to SAP AI Core.
- DAVx5 4.5.13-ose. What’s Changed Bug fixes Move AccountSettings access in CollectionScreenViewModel off main thread by @rfc2822 in https://github.com/bitfireAT/davx5-ose/pull/2217 PushDistributorManagerTest : fix mockking by @rfc2822 in https://github.com…
- Sparrow Frigate 1.5.3. - Add a privacy-preserving hourly aggregate of historical scan stats - Return a locally generated server.features response when the backend server returns a method-not-found error - Improve the hosts field in the server.features response…
- openclaw 2026.5.27-beta.1. Highlights - Stronger security and content boundaries: group prompt text is kept out of the system prompt, repeated-dot hostnames are normalized, side-effecting command wrappers and unsafe Node runtime env overrides are blocked, no-auth…
- llama.cpp b9411. model : support for DeepseekV32ForCausalLM with generic DeepSeek Sparse Attention (DSA) implementation ( 23346) llama : support DeepSeek V3.2 model family (with DSA lightning indexer) convert : handle DeepseekV32ForCausalLM architecture…
- LibreTube 31.4. !NOTE Release Highlights Fixed issues with video playback and channel pages due to recent YouTube API changes.
- Tuta 348.260526.0. Bugfixes - Font size picker does not work 10806 - Pasting a list of emails thats is seperated by newline into the To field only adds the first address 9580 - Fix “upload has been aborted” error 10863 - Investigate: assertNotNull failed o…
- ESP-Miner 2.14. What’s Changed Websocket api by @mutatrum in https://github.com/bitaxeorg/ESP-Miner/pull/1623 Fix error counter in the websocket api by @mutatrum in https://github.com/bitaxeorg/ESP-Miner/pull/1700 Pool disconnect by @WantClue in https:/…
- Fedimint Web Canary Release. fix: flatten RPC payload and use persistent callback in ReactNativeTr…
News
- Qwen Code 0.17.0. What’s Changed fix(cli): surface startup warnings on stderr before TUI render ( 4448 ) by @kagura-agent in 4461 fix(telemetry): improve LogToSpan bridge error info and TUI handling by @doudouOUC in 4482 feat(channels): add Feishu (Lark)…
- Qwen Code 0.16.2. What’s Changed fix(build): clean stale outputs before tsc –build to prevent TS5055 by @doudouOUC in 4453 chore(release): v0.16.1 by @qwen-code-ci-bot in 4467 feat(cli): do not append trailing space for directory completions ( 4092 ) by…
- Hermes Agent 0.15.1. Hermes Agent v0.15.1 (v2026.5.29) Release Date: May 29, 2026 Since v0.15.0: 28 commits 21 merged PRs hotfix release 9 contributors The Patch Release.
By the numbers
- Stories tracked: 109
- Featured: 26
- Releases: 82
- Active sources: 131
- Security patches: 2
- Days covered: 7
Top beats this week
- AI: 49
- Privacy: 34
- Bitcoin: 12
- Nostr: 5
- Lightning: 4
- Freedom Tech: 4
- Unspecified: 1
Read this brief on the web: https://freedomtech.news/posts/2026-05-31-bitcoin-weekly-recap/
No comments yet.
Write a comment