Redmine 4.1.1 and 4.0.7 released
Security: these 2 releases include several security fixes, including a fix for a persistent XSS vulnerability in Textile formatting, so upgrading as soon as possible is recommanded.
You can get more details in Security Advisories.
Many thanks to Nakayama Daisuke, Maik Stegemann and Mizuki Ishikawa for reporting these issues to the Redmine security team!
Please note that Redmine 3.x has reached end of life, is not supported any longer and is (as well) vulnerable to these security issues. You should upgrade to Redmine 4 to get security updates.