Merge branch 'staging/4.3' into release/4.3

Author: ashvayka

.gitignore

@@ -7,4 +7,4 @@ CNAME
 .idea/**
 **/*.iml
 _config.yml
-/.claude/
+.claude

_config.yml

@@ -83,19 +83,19 @@ release:
   branch: release-4.3
   branch_major_next: master
   # In short form (e.g. 4.3)
-  ver: 4.3.1
+  ver: 4.3.1.1
   # In short form (e.g. 4.3)
-  ce_ver: 4.3.1
+  ce_ver: 4.3.1.1
   # In short form (e.g. v4.3)
-  ce_tag: v4.3.1
+  ce_tag: v4.3.1.1
   # In full form (e.g. 4.3.0, 4.3.0.1)
-  ce_full_ver: 4.3.1
+  ce_full_ver: 4.3.1.1
   # In short form (e.g. 4.3pe)
-  pe_ver: 4.3.1pe
+  pe_ver: 4.3.1.1pe
   # In full form (e.g. 4.3.0PE, 4.3.0.1PE)
-  pe_full_ver: 4.3.1PE
+  pe_full_ver: 4.3.1.1PE
   # In short form (e.g. v4.3)
-  wd_examples_commit: v4.3.1
+  wd_examples_commit: v4.3.1.1
   # >>> EDGE
   edge_ver: 4.3.0.1
   edge_tag: v4.3.0.1

_data/upgrade-instructions-data.yml

@@ -1,4 +1,13 @@
+4.3.1.1:
+  upgradable-from: "4.2.1.x"
+  release-date: Mar 31 2026
+  lts: "true"
+  patch: "true"
+  x: "true"
+  windows:
+    zip: "true"
 4.3.1:
+  vulnerable: "true"
   upgradable-from: "4.2.1.x"
   release-date: Mar 10 2026
   lts: "true"
@@ -21,7 +30,16 @@
   release-date-edge: Jan 21 2026
   lts: "true"
   x: "true"
+4.2.2.1:
+  upgradable-from: "4.2.0"
+  release-date: Mar 31 2026
+  lts: "true"
+  patch: "true"
+  x: "true"
+  windows:
+    zip: "true"
 4.2.2:
+  vulnerable: "true"
   upgradable-from: "4.2.0"
   release-date: Mar 10 2026
   lts: "true"

_includes/docs/pe/releases/releases-table/v4-2-2-1.md

@@ -0,0 +1,8 @@
+### ThingsBoard PE v4.2.2.1 (Mar 31, 2026)
+
+Everything from [CE v4.2.2.1](/docs/releases/releases-table/v4-2-x/#thingsboard-ce-v4221-mar-31-2026){: target="_blank"} with the following fixes.
+
+* Core & Rule Engine
+  * Support combined PEM cert+key for Integration RPC SSL
+  * Update firmware/software on device when adding/removing from group via rule nodes
+  * Fixed originator entity handling for entity count and alarm count datasources in reports

_includes/docs/pe/releases/releases-table/v4-3-1-1.md

@@ -0,0 +1,8 @@
+### ThingsBoard PE v4.3.1.1 (Mar 31, 2026)
+
+Everything from [CE v4.3.1.1](/docs/releases/releases-table/v4-3-x/#thingsboard-ce-v4311-mar-31-2026){: target="_blank"} with the following fixes.
+
+* Core & Rule Engine
+  * Support combined PEM cert+key for Integration RPC SSL
+  * Update firmware/software on device when adding/removing from group via rule nodes
+  * Fixed originator entity handling for entity count and alarm count datasources in reports

_includes/docs/releases/releases-table/v4-2-2-1.md

@@ -0,0 +1,35 @@
+### ThingsBoard CE v4.2.2.1 (Mar 31, 2026)
+
+**What's Changed**
+
+* Security
+  * [#15204](https://github.com/thingsboard/thingsboard/pull/15204) Fixed XSS vulnerability in notification center by @vvlladd28
+  * [#15244](https://github.com/thingsboard/thingsboard/pull/15244) Fixed CVE-2026-24308, CVE-2026-24281 and CVE-2026-24400 by @ViacheslavKlimov
+  * [#15254](https://github.com/thingsboard/thingsboard/pull/15254) Added configurable security headers and env-var-backed CORS configuration by @ViacheslavKlimov
+  * [#15253](https://github.com/thingsboard/thingsboard/pull/15253) Fixed SSRF DNS rebinding bypass, added allow-list by @ViacheslavKlimov
+  * [#15251](https://github.com/thingsboard/thingsboard/pull/15251) Fixed CVE-2026-24281, CVE-2026-24308, CVE-2026-24400, CVE-2026-29063, CVE-2026-29087, CVE-2026-29786, CVE-2026-30827, CVE-2026-31802, CVE-2026-32141, CVE-2026-32635, CVE-2026-27904 by @vvlladd28
+  * [#15278](https://github.com/thingsboard/thingsboard/pull/15278) Fixed CVE-2026-22731, CVE-2026-22732, CVE-2026-22733, CVE-2026-22737 + Spring Boot 3.5 by @ViacheslavKlimov
+  * [#15293](https://github.com/thingsboard/thingsboard/pull/15293) Fixed CVE-2026-33228 by @vvlladd28
+  * [#15315](https://github.com/thingsboard/thingsboard/pull/15315) Fixed CVE-2026-33870, CVE-2026-33871 and GHSA-72hv-8253-57qq by @ViacheslavKlimov
+
+* Core & Rule Engine
+  * [#15262](https://github.com/thingsboard/thingsboard/pull/15262) Sanitize database error messages by @ViacheslavKlimov
+  * [#14775](https://github.com/thingsboard/thingsboard/pull/14775) Added OTA package data cleanup by @AndriiLandiak
+  * [#14762](https://github.com/thingsboard/thingsboard/pull/14762) Fixed notification requests and RPC cleanup timeout on large datasets by @AndriiLandiak
+  * [#14781](https://github.com/thingsboard/thingsboard/pull/14781) Added WS update on telemetry deletion by @dashevchenko
+
+* UI
+  * [#15237](https://github.com/thingsboard/thingsboard/pull/15237) Updated locales da_DK, de_DE, el_GR, es_ES, fr_FR, it_IT, ja_JP, nl_NL, no_NO, pt_BR, tr_TR, uk_UA, zh_CN by @vvlladd28
+  * [#15203](https://github.com/thingsboard/thingsboard/pull/15203) Hidden "Show on widgets" button on sysadmin level by @vvlladd28
+  * [#15219](https://github.com/thingsboard/thingsboard/pull/15219) Fixed WS reconnect loop and notification spam when session limit is reached by @vvlladd28
+  * [#15168](https://github.com/thingsboard/thingsboard/pull/15168) Fixed resetting of validation on storeLink property by @mtsymbarov-del
+  * [#15292](https://github.com/thingsboard/thingsboard/pull/15292) Fixed proxy error handling for 502/503/504 HTTP status codes by @vvlladd28
+  * [#15273](https://github.com/thingsboard/thingsboard/pull/15273) Fixed string-items-list autocomplete selection and blur handling by @vvlladd28
+
+* Edge
+  * [#15205](https://github.com/thingsboard/thingsboard/pull/15205) Support combined PEM cert+key for Edge gRPC SSL by @smatvienko-tb
+
+* Transport
+  * [#15143](https://github.com/thingsboard/thingsboard/pull/15143) Fixed LwM2M Redis stores startup: use separate connections for SCAN and GET by @smatvienko-tb
+
+**Full Changelog**: [https://github.com/thingsboard/thingsboard/compare/v4.2.2...v4.2.2.1](https://github.com/thingsboard/thingsboard/compare/v4.2.2...v4.2.2.1)

_includes/docs/releases/releases-table/v4-3-1-1.md

@@ -0,0 +1,39 @@
+### ThingsBoard CE v4.3.1.1 (Mar 31, 2026)
+
+**What's Changed**
+
+* Security
+  * [#15204](https://github.com/thingsboard/thingsboard/pull/15204) Fixed XSS vulnerability in notification center by @vvlladd28
+  * [#15244](https://github.com/thingsboard/thingsboard/pull/15244) Fixed CVE-2026-24308, CVE-2026-24281 and CVE-2026-24400 by @ViacheslavKlimov
+  * [#15254](https://github.com/thingsboard/thingsboard/pull/15254) Added configurable security headers and env-var-backed CORS configuration by @ViacheslavKlimov
+  * [#15253](https://github.com/thingsboard/thingsboard/pull/15253) Fixed SSRF DNS rebinding bypass, added allow-list by @ViacheslavKlimov
+  * [#15251](https://github.com/thingsboard/thingsboard/pull/15251) Fixed CVE-2026-24281, CVE-2026-24308, CVE-2026-24400, CVE-2026-29063, CVE-2026-29087, CVE-2026-29786, CVE-2026-30827, CVE-2026-31802, CVE-2026-32141, CVE-2026-32635, CVE-2026-27904 by @vvlladd28
+  * [#15278](https://github.com/thingsboard/thingsboard/pull/15278) Fixed CVE-2026-22731, CVE-2026-22732, CVE-2026-22733, CVE-2026-22737 + Spring Boot 3.5 by @ViacheslavKlimov
+  * [#15293](https://github.com/thingsboard/thingsboard/pull/15293) Fixed CVE-2026-33228 by @vvlladd28
+  * [#15315](https://github.com/thingsboard/thingsboard/pull/15315) Fixed CVE-2026-33870, CVE-2026-33871 and GHSA-72hv-8253-57qq by @ViacheslavKlimov
+  * Fixed CVE-2026-0861, CVE-2026-0915, CVE-2025-15281 for Docker images by @ViacheslavKlimov
+
+* Core & Rule Engine
+  * [#15262](https://github.com/thingsboard/thingsboard/pull/15262) Sanitize database error messages by @ViacheslavKlimov
+  * [#14775](https://github.com/thingsboard/thingsboard/pull/14775) Added OTA package data cleanup by @AndriiLandiak
+  * [#14762](https://github.com/thingsboard/thingsboard/pull/14762) Fixed notification requests and RPC cleanup timeout on large datasets by @AndriiLandiak
+  * [#14781](https://github.com/thingsboard/thingsboard/pull/14781) Added WS update on telemetry deletion by @dashevchenko
+
+* UI
+  * [#15237](https://github.com/thingsboard/thingsboard/pull/15237) Updated locales da_DK, de_DE, el_GR, es_ES, fr_FR, it_IT, ja_JP, nl_NL, no_NO, pt_BR, tr_TR, uk_UA, zh_CN by @vvlladd28
+  * [#15203](https://github.com/thingsboard/thingsboard/pull/15203) Hidden "Show on widgets" button on sysadmin level by @vvlladd28
+  * [#15219](https://github.com/thingsboard/thingsboard/pull/15219) Fixed WS reconnect loop and notification spam when session limit is reached by @vvlladd28
+  * [#15252](https://github.com/thingsboard/thingsboard/pull/15252) Fixed missing translation for Polylines toggle in map settings by @vvlladd28
+  * [#15168](https://github.com/thingsboard/thingsboard/pull/15168) Fixed resetting of validation on storeLink property by @mtsymbarov-del
+  * [#15267](https://github.com/thingsboard/thingsboard/pull/15267) Fixed time series table widgets tab style by @mtsymbarov-del
+  * [#15292](https://github.com/thingsboard/thingsboard/pull/15292) Fixed proxy error handling for 502/503/504 HTTP status codes by @vvlladd28
+  * [#15273](https://github.com/thingsboard/thingsboard/pull/15273) Fixed string-items-list autocomplete selection and blur handling by @vvlladd28
+
+* Edge
+  * [#15205](https://github.com/thingsboard/thingsboard/pull/15205) Support combined PEM cert+key for Edge gRPC SSL by @smatvienko-tb
+
+* Transport
+  * [#15112](https://github.com/thingsboard/thingsboard/pull/15112) MQTTS metrics and client address logging on exceptionCaught by @smatvienko-tb
+  * [#15143](https://github.com/thingsboard/thingsboard/pull/15143) Fixed LwM2M Redis stores startup: use separate connections for SCAN and GET by @smatvienko-tb
+
+**Full Changelog**: [https://github.com/thingsboard/thingsboard/compare/v4.3.1...v4.3.1.1](https://github.com/thingsboard/thingsboard/compare/v4.3.1...v4.3.1.1)

_includes/templates/install/upgrade-version-warning.md

@@ -4,9 +4,10 @@ This version has known security vulnerabilities that are fixed in newer releases
 {% endcapture %}
 {% include templates/warn-banner.md content=vuln_warning %}
 {% endif %}
-{% if include.version == "4.3.1" or include.version == "4.2.2" %}
+{% assign _vp = include.version | split: "." %}{% assign _vmaj = _vp[0] | plus: 0 %}{% assign _vmin = _vp[1] | plus: 0 %}{% assign _vpat = _vp[2] | plus: 0 %}
+{% if _vmaj == 4 and _vmin == 3 and _vpat >= 1 or _vmaj == 4 and _vmin == 2 and _vpat >= 2 %}
 {% capture angular_warning %}
-This release includes a framework upgrade (Angular 18 → 20). The core platform remains fully backward compatible and no upgrade scripts are required. However, **custom UI code** (widgets or custom CSS) that relies on internal component structure or CSS variable names **may break**. This can affect up to ~1% of users with heavy customizations. We recommend testing custom UI in a staging environment before upgrading.
+Starting with version {{ _vp[0] }}.{{ _vp[1] }}.{% if _vmin == 3 %}1{% elsif _vmin == 2 %}2{% endif %}, the platform uses Angular 20 (upgraded from Angular 18). The core platform remains fully backward compatible and no upgrade scripts are required. However, **custom UI code** (widgets or custom CSS) that relies on internal component structure or CSS variable names **may break**. This can affect up to ~1% of users with heavy customizations. We recommend testing custom UI in a staging environment before upgrading.
 {% endcapture %}
 {% include templates/warn-banner.md content=angular_warning %}
 {% endif %}

_includes/templates/iot-gateway/request-connector-basic-security-config.md

@@ -18,3 +18,17 @@ Security section in configuration file will look like this:
       "password": "password"
     }
 ```
+
+Since ThingsBoard IoT Gateway version 3.8.3, environment variables can be specified for username and password fields. 
+This allows you to avoid hardcoding sensitive information in the configuration file and provide it securely at runtime.
+
+To use ENV variables for username and password, you can set them in your environment or define them in 
+your `docker-compose.yml` file.
+
+The following ENV variables are used for Basic authentication configuration:
+
+- `REQUEST_BASIC_USERNAME`
+- `REQUEST_BASIC_PASSWORD`
+
+Make attention that if you specify ENV variables for username and password, the values from the configuration file 
+will be ignored, and the connector will use the values from the ENV variables instead.