I2P-Bote 0.4.5 fixes a security vulnerability present in all earlier versions of the I2P-Bote plugin. The Android app was not affected.

When showing emails to the user, most fields were being escaped. However, the filenames of attachments were not escaped, and could be used to execute malicious code in a browser with JavaScript enabled. These are now escaped, and additionally a Content Security Policy has been implemented for all pages.
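The difference between the unescaped and escaped rendering of an attachment filename, as an added example that is not I2P-Bote's own code. The class, method names, list markup and the policy string are assumptions made for illustration.

```java
public class AttachmentNameEscaping {
    // Assumed example policy; the announcement does not give I2P-Bote's actual header value.
    static final String CSP = "default-src 'self'; script-src 'self'; object-src 'none'";

    // Encode the characters that can end a text node or attribute value in HTML.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Before the fix: the sender-controlled filename goes into the page as-is.
    static String renderUnescaped(String filename) {
        return "<li class=\"attachment\">" + filename + "</li>";
    }

    // After the fix: the filename is encoded like the other email fields.
    static String renderEscaped(String filename) {
        return "<li class=\"attachment\">" + escapeHtml(filename) + "</li>";
    }

    public static void main(String[] args) {
        // Constructed sample filenames, not taken from any real message.
        String[] names = { "notes.txt", "a&b \"draft\".pdf", "<script>alert(1)</script>.txt" };
        // Second layer: with this header the browser refuses inline script even if markup slips through.
        System.out.println("Content-Security-Policy: " + CSP);
        for (String name : names) {
            System.out.println("unescaped: " + renderUnescaped(name));
            System.out.println("escaped:   " + renderEscaped(name));
        }
    }
}
```

In the escaped output the third filename appears as literal text (`&lt;script&gt;...`), so the browser displays it instead of parsing it as markup.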

All I2P-Bote users will be upgraded automatically the first time they restart their router after I2P 0.9.29 is released in mid-February. However, for safety we recommend that you follow the instructions on the installation page to upgrade manually if you plan on using I2P or I2P-Bote in the intervening time.