📖 Wie erstelle ich einen Webhook? (Anleitung anzeigen)
https://discord.com/api/webhooks/ID/TOKEN. Diese URL unten einfügen.⚙️ How Mediastarr worksWie Mediastarr funktioniert
Mediastarr runs a search cycle on a configurable schedule. Each cycle it fetches missing and cut-off content from all enabled Sonarr and Radarr instances, applies filters, selects items randomly for even coverage, and sends the search command to the arr API.
Cycle flow
- Ping all instances — offline instances are marked and skipped
- Purge expired cooldown — items older than
cooldown_daysbecome searchable again - Hunt each instance — missing first, then upgrades, up to
max_searches_per_runper instance - Wait — configured interval ± jitter before the next cycle
- Maintenance windows — search pauses silently during configured windows (re-checks every 60s)
Filters (applied per item)
- Upcoming — unaired episodes and unreleased movies are always skipped automatically
- IMDb rating — global threshold or per-service override (0 = off)
- Target resolution — upgrades skipped if current quality already meets the target
- Cooldown — items searched within
cooldown_daysare skipped - Daily limit — global and per-instance; search stops when either is reached
Mediastarr läuft nach einem konfigurierbaren Zeitplan. Jeder Zyklus holt fehlende und qualitativ unzureichende Inhalte von allen aktiven Instanzen, wendet Filter an und sendet den Suchbefehl an die Arr-API.
Ablauf eines Zyklus
- Alle Instanzen anpingen — Offline-Instanzen werden markiert und übersprungen
- Cooldown bereinigen — Items älter als
cooldown_dayswerden wieder suchbar - Jede Instanz durchsuchen — Fehlend dann Upgrades, max.
max_searches_per_run - Warten — Konfiguriertes Intervall ± Jitter
- Wartungsfenster — Suche pausiert still während konfigurierter Zeitfenster
Filter pro Item
- Upcoming — nicht ausgestrahlte/unveröffentlichte Inhalte werden immer übersprungen
- IMDb-Bewertung — global oder pro Service (0 = aus)
- Zielauflösung — Upgrades übersprungen wenn Ziel bereits erreicht
- Cooldown — kürzlich gesuchte Items werden übersprungen
- Tageslimit — global und pro Instanz
🗺️ Milestones & RoadmapMeilensteine & Roadmap
Completed milestones
- ✅ v1.0 — First working Sonarr search automation
- ✅ v2.0 — Radarr support, multi-instance, cooldown system
- ✅ v3.0 — Discord notifications with rich embeds
- ✅ v4.0 — SQLite history, daily limits, random selection
- ✅ v5.0 — First-run wizard, IMDb filter, quality target, jitter
- ✅ v6.0 — Full UI redesign, 4 themes, German/English, CSRF protection
- ✅ v6.4.0 — Statistics page, Charts (instance, year, donut, timeline)
- ✅ v6.4.1 — Per-instance daily limits, config export/import, public API mode
- ✅ v6.4.2 — Sonarr/Radarr stats filter tabs, live console page
- ✅ v6.4.3 — Skip upcoming/unreleased content, configurable log rotation
- ✅ v6.4.4 — Maintenance windows, rich series embeds, Discord embed fixes
- ✅ v6.4.5 — Central VERSION file, Huntarr comparison text, homepage badge
- ✅ v6.4.6 — Console dual-output fix, startup version fix, per-instance upgrade toggle, improved logging, mobile language selector, help page redesign, stats layout fix
- ✅ v7.1.12 — Subpfad-Routing-Fix: PrefixMiddleware ersetzt ProxyFix, API-Fehler auf Englisch (#54 Nachfolge)
- ✅ v7.1.11 — Subpfad/Base-URL-Support (
MEDIASTARR_BASE_URL, schließt #54) - ✅ v7.1.10 — History: expandable rows, Deep-link Sonarr/Radarr, search duration, status icons; Jitter up to 24h
- ✅ v7.1.7 — Kubernetes deployment manifests (Deployment, Service, PVC, Ingress, kustomize)
- ✅ v7.1.6 — Bug #52 (dashboard mixed language: Tageslimit/Verlauf), font readability (Inter), Codex handover
- ✅ v7.1.5 — FAQ page (DE+EN, accordion, 11 Q&As, language-aware)
- ✅ v7.1.4 — Bug #51 (EN translation), dashboard stats freeze, CodeQL #12+#13, tooltips
- ✅ v7.1.3 — Bug #50 (webhook URL vanishes), Bug #49 (Discord update card button misplaced)
- ✅ v7.1.2 — UI redesign (settings sections, light theme), export/import fix, dashboard update badge, Discord update toggle, sidebar update indicator
- ✅ v7.1.1 — Bug #47 Discord v6 fix, AES-256 encryption, tooltips (#48), Docker-update-safe migration
- ✅ v7.1.0 — Stalled download monitor (#46), API key censoring (#41), CodeQL security fixes #7/#8/#9
- ✅ v7.0.5 — Tag chips persist (no re-render on poll), tag filter per instance (#37), separate Discord webhooks (#38), webhook trigger endpoint, log spam fix, Chrome flag emoji fix
- ✅ v7.0.4 — Feature #36: tagging (global + per-instance), page size 500→2000
- ✅ v7.0.3 — Bug #33/#34/#35 upgrades/toggles/Discord, settings revert fix, season dedup, 10-field sync
- ✅ v7.0.2 — Skip items no longer consume slots; should_search() key fix
- ✅ v7.0.1 — EN translations, jitter in minutes, per-type global daily limits
- ✅ v7.0.0 — Structured logging system:
ms_log()/MSLog v2with configurable DEBUG/INFO/WARN/ERROR, Docker format[DATE TIME] [LEVEL] msg, Settings UI
Planned
- ⬜ Webhook endpoint to trigger a cycle from external automation
- ⬜ Push via Gotify / Apprise (alternative to Discord)
Abgeschlossene Meilensteine
- ✅ v1.0 — Erste funktionierende Sonarr-Suchautomatisierung
- ✅ v2.0 — Radarr-Unterstützung, Multi-Instanz, Cooldown-System
- ✅ v3.0 — Discord-Benachrichtigungen mit reichen Embeds
- ✅ v4.0 — SQLite-Historie, Tageslimits, zufällige Auswahl
- ✅ v5.0 — Einrichtungsassistent, IMDb-Filter, Qualitätsziel, Jitter
- ✅ v6.0 — Vollständiges UI-Redesign, 4 Themes, DE/EN, CSRF-Schutz
- ✅ v6.4.0 — Statistikseite, Charts (Instanz, Jahr, Donut, Timeline)
- ✅ v6.4.1 — Pro-Instanz Tageslimits, Config-Export/Import, öffentlicher API-Modus
- ✅ v6.4.2 — Sonarr/Radarr Statistik-Filter-Tabs, Live-Konsole
- ✅ v6.4.3 — Upcoming-Inhalte überspringen, konfigurierbares Log-Rotation
- ✅ v6.4.4 — Wartungsfenster, reiche Serien-Embeds, Discord-Embed-Fixes
- ✅ v6.4.5 — Zentrale VERSION-Datei, Huntarr-Vergleichstext, Homepage-Badge
- ✅ v6.4.6 — Console-Dual-Output-Fix, Startup-Version-Fix, Upgrades pro Instanz, verbessertes Logging, Mobile Sprachauswahl, Hilfe-Seiten-Redesign, Statistik-Layout-Fix
- ✅ v7.1.12 — Subpfad-Routing-Fix: PrefixMiddleware ersetzt ProxyFix, API-Fehler auf Englisch (#54 Nachfolge)
- ✅ v7.1.11 — Subpfad/Base-URL-Support (
MEDIASTARR_BASE_URL, schließt #54) - ✅ v7.1.10 — Lidarr-Tab leer (display:none-Fix + renderSettingsInstances), README Lidarr ergänzt
- ✅ v7.1.9 — Lidarr-Integration EXPERIMENTELL (fehlende Alben, Upgrades, Deep-Link, Tageslimit)
- ✅ v7.1.8 — History: aufklappbare Zeilen, Deep-Link Sonarr/Radarr, Suchdauer, Status-Icons; Jitter bis 24h
- ✅ v7.1.7 — Kubernetes-Deployment-Manifeste (Deployment, Service, PVC, Ingress, kustomize)
- ✅ v7.1.6 — Bug #52 (Dashboard Sprach-Mix: Tageslimit/Verlauf), Schriftlesbarkeit (Inter), Codex-Handover
- ✅ v7.1.5 — FAQ-Seite (DE+EN, Accordion, 11 Fragen, sprachabhängig)
- ✅ v7.1.4 — Bug #51 (EN-Übersetzung), Dashboard-Stats-Reset, CodeQL #12+#13, Tooltips
- ✅ v7.1.3 — Bug #50 (Webhook-URL verschwindet), Bug #49 (Discord-Update-Karte Button falsch)
- ✅ v7.1.2 — UI-Redesign (Settings-Sektionen, Light-Theme), Export/Import-Fix, Dashboard-Update-Badge, Discord-Update-Toggle, Sidebar-Update-Indikator
- ✅ v7.1.1 — Bug #47 Discord-v6-Fix, AES-256-Verschlüsselung, Tooltips (#48), Docker-Update-Safe-Migration
- ✅ v7.1.0 — Stalled-Download-Monitor (#46), API-Key-Zensierung (#41), CodeQL-Sicherheitsfixes #7/#8/#9
- ✅ v7.0.5 — Tag-Chips bleiben beim Poll erhalten, Tag-Filter pro Instanz (#37), separate Discord-Webhooks (#38), Webhook-Trigger, Log-Spam-Fix, Chrome Flag-Emoji-Fix
- ✅ v7.0.4 — Feature #36: Tagging (global + pro Instanz), Seitengröße 500→2000
- ✅ v7.0.3 — Bug #33/#34/#35 Upgrades/Toggles/Discord, Einstellungen-Revert-Fix, Staffel-Dedup, 10-Felder-Sync
- ✅ v7.0.2 — Übersprungene Items zählen nicht gegen Suchslots
- ✅ v7.0.1 — EN-Übersetzungen, Jitter in Minuten, globale Tageslimits pro Typ
- ✅ v7.0.0 — Strukturiertes Logging:
ms_log()/MSLog v2, konfigurierbares DEBUG/INFO/WARN/ERROR, Docker-Format[DATUM UHRZEIT] [LEVEL] Nachricht, Einstellungen-UI
Geplant
- ⬜ Webhook-Endpunkt zum Auslösen eines Zyklus von externer Automatisierung
- ⬜ Push via Gotify / Apprise (Alternative zu Discord)
🔒 Security & WarningsSicherheit & Warnhinweise
Mediastarr is designed for use inside a trusted LAN or behind a VPN / reverse proxy with TLS. Exposing port 7979 directly to the public internet — even with a password set — is strongly discouraged. API keys are stored on disk and transmitted to arr apps over plain HTTP by default.
Mediastarr ist für den Einsatz im lokalen Netzwerk oder hinter einem VPN / Reverse-Proxy mit TLS vorgesehen. Port 7979 direkt dem öffentlichen Internet auszusetzen — auch mit gesetztem Passwort — wird dringend abgeraten. API-Keys werden per HTTP übertragen.
- Password — set
MEDIASTARR_PASSWORDenv var to require login on all routes - CSRF tokens — every POST/PATCH/DELETE requires a valid token issued at login
- Brute-force lockout — 10 failed logins → 5-minute IP block
- API keys never exposed —
/api/statealways strips allapi_keyfields - Config permissions —
config.jsonis chmod 0600 on every save - SSRF protection — instance URLs are validated against private IP ranges before any request
- Security headers — X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP on all responses
- Public API mode —
/api/statecan optionally be read-only public for external tools; API keys still never included
- Passwort —
MEDIASTARR_PASSWORDEnv-Variable setzen - CSRF-Tokens — jeder POST/PATCH/DELETE braucht einen gültigen Token
- Brute-Force-Sperre — 10 fehlgeschlagene Logins → 5 Min. IP-Sperre
- API-Keys nie exponiert —
/api/stateentfernt immer alleapi_key-Felder - Config-Berechtigungen —
config.jsonwird bei jedem Speichern auf chmod 0600 gesetzt - SSRF-Schutz — Instanz-URLs werden vor jedem Request auf private IP-Bereiche geprüft
- Sicherheits-Header — X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP
- Öffentlicher API-Modus —
/api/statekann optional read-only öffentlich sein; API-Keys nie enthalten
📡 API Reference
All endpoints require authentication unless Public API mode is enabled for GET /api/state. Write requests require the X-CSRF-Token header (automatically added by the dashboard).Alle Endpunkte erfordern Auth. Schreibende Requests brauchen den X-CSRF-Token-Header.
/api/stateFull dashboard state — instances, stats, config, activity log, maintenance statusGesamtstatus — Instanzen, Stats, Config, Aktivitätslog/api/control{"action":"start"|"stop"|"run_now"}/api/configUpdate settings — only keys present in body are changedEinstellungen aktualisieren (Teilupdate)/api/config/exportDownload full config as timestamped JSON (includes API keys — keep safe)Gesamte Config herunterladen/api/config/importUpload JSON backup (multipart/form-data, max 512 KB)JSON-Backup hochladen (max. 512 KB)/api/instancesList instances (API keys redacted)Instanzen auflisten/api/instances{"name","type":"sonarr|radarr","url","api_key"}/api/instances/<id>Update instance fields (partial)Instanz aktualisieren/api/instances/<id>Delete instanceInstanz löschen/api/instances/<id>/pingTest connection — returns versionVerbindung testen/api/historySearch history. Params: service=ID, cooldown_only=1Suchverlauf. Params: service, cooldown_only/api/history/statsAggregated stats: total, today, by_service, by_yearAggregierte Statistiken/api/history/clearClear all search historyGesamten Verlauf löschen/api/history/clear/<id>Clear history for one instanceVerlauf einer Instanz löschen/api/log/rotateTrigger log rotation — returns current + backup file sizesLog-Rotation auslösen/api/log/statusLog file sizes and rotation configLog-Dateigrößen und Rotation-Config/api/discord/testSend test Discord notificationTest-Discord-Benachrichtigung/api/discord/statsSend statistics report to Discord immediatelyStatistikbericht sofort senden/api/timezonesAll IANA timezonesAlle IANA-Zeitzonen
📋 Changelog
v7.1.12 — 2026-04-05
- Changed — Settings redesign: tabs now use named sections with icon badges; form labels readable (no all-caps); inputs taller with focus ring; light theme sidebar/topbar white background fixed
- Add — Dashboard update badge; sidebar version indicator; Discord "Update available" card with
notify_updatetoggle;/api/statenow includesversionfield - Fix —
exportConfig()missing;importConfig()missingasync+ CSRF header; cards blank due to_CURRENT_VERSIONJS reference; Discord update toggle not persisting; update preview dummy versions; demo link removed from sidebar
v7.1.1 — 2026-04-01
- Fix — Bug #47: Discord test showed "v6"; AES-256 encryption for API keys/webhooks (#41); tooltips for all settings fields (#48); SECURITY.md updated
v7.1.0 — 2026-04-01
- Add — Feature #46: Stalled Download Monitor — detects stuck downloads via Sonarr/Radarr queue API; configurable threshold (minutes) and action (new search / Discord warning only); global toggle + per-instance override
- Add — Feature #41: API key censoring — all 32–128 char strings masked in activity log; API keys and webhooks never returned in
/api/state - Fix — CodeQL #8/#9:
_safe_ping_msg()allowlist ensures only known-safe strings are returned from ping endpoints (no exception taint) - Fix — CodeQL #7: URL redirect validation hardened with
urlparseto fully block open redirect attacks
v7.0.5 — 2026-03-30
- Fix — Tag toggle and tag chips no longer reset every 4 seconds; instance cards are no longer re-rendered on each poll cycle — only on tab open or after save/add/delete
- Fix — Tag global toggle now correctly persists via
_tagGlobalEnabledvariable (was reading stale DOM class) - Add — Feature #37: per-instance tag filter — load tags from Sonarr/Radarr, select one or more, only matching items are searched
- Add — Feature #38: separate Discord webhooks for Sonarr and Radarr (optional, falls back to main webhook)
- Add — Webhook trigger endpoint
POST /api/webhook/triggerfor external automation - Fix — Log rotation spam (#39): only reconfigures when values actually change
- Fix — Radarr/Sonarr add form pre-filled with default name (#40)
- Fix — Flag emojis replaced with CSS badges for Chrome on Windows
- Fix — Discord tab now shows 💬 emoji
- Add — README: full API reference table (EN + DE)
v7.0.4 — 2026-03-27
- Add — Feature #36: tagging — after each search, Mediastarr adds a configurable tag to the series/movie in Sonarr/Radarr; global toggle + per-instance 3-state override (Global/On/Off)
- Fix — Page size increased 500 → 2000 for
wanted/missingandwanted/cutoff
v7.0.3 — 2026-03-26
- Fix — Bug #33: upgrade search never ran (global + per-instance toggle logic fixed)
- Fix — Bug #34: per-instance upgrade toggle not saved to config
- Fix — Bug #35: Discord toggles reverted on general settings save
- Fix — Settings reverted every 4 seconds (
_configDirtyguard added) - Fix — 10 settings fields not synced back to DOM after poll
- Fix — Season/Series mode: eliminated duplicate SeasonSearch/SeriesSearch per cycle
- Fix — Upgrades now respect the configured search mode
v7.0.2 — 2026-03-26
- Fix — Skip items no longer counted against search slots;
should_search()reason key mismatch fixed ("daily_limit"→"daily")
v7.0.1 — 2026-03-26
- Fix — Missing EN translations in Sonarr/Radarr tabs; log level dropdown; jitter changed to minutes
- Add — Per-type global daily limit (Sonarr + Radarr separately)
v7.0.0 — 2026-03-26
- Logging-System —
ms_log(level, service, action, item): schreibt in Docker-Console, Logdatei und UI-Aktivitätslog - 4 Level — DEBUG | INFO | WARN | ERROR · konfigurierbar in Einstellungen → Allgemein
- Docker-Format —
[2026-03-26 14:32:10] [INFO] [Sonarr] Missing searched: Breaking Bad S01E03 - Helfer —
ms_debug(),ms_info(),ms_warn(),ms_error() - MSLog v2 — Timestamp-Format,
MSLog.log(), Level in sessionStorage gespeichert
v6.4.6 — 2026-03-26
- Fix — Startup log showed
v6.3.8; now uses current version dynamically - Fix — Console empty in both Settings tab and standalone page; refactored to write to both outputs simultaneously
- Fix — Help page German translation broken; CSS class-based language switching
- Fix — Mobile language selector invisible; persistent fixed toggle added
- Add — Per-instance upgrade toggle (
search_upgrades, default off) - Add — Improved logging: run_now trigger, config save events
- Add — Help page redesigned as single scrollable page (no tabs)
- Add — Stats charts all full-width; All/Sonarr/Radarr filter preserved
v6.4.5 — 2026-03-26
- Add — Central
VERSIONfile — single source of truth for all components - Add — Huntarr comparison text restored in README and Help page (DE + EN)
- Fix — Homepage badge version
v6.4.4 — 2026-03-25
- Add — Scheduled maintenance windows (up to 10, overnight support, yellow banner)
- Fix — Series Discord embeds: poster, fanart, multi-source ratings
v6.4.3 — 2026-03-25
- Add — Skip upcoming / unreleased content automatically
- Add — Configurable log rotation (size + backups) in General settings
- Fix — Console feed field mapping, stats tab theme, settings full-width
v6.4.2 — 2026-03-25
- Add — Sonarr / Radarr filter tabs on Statistics page
- Add — Live Log Console page with level filter, search, auto-scroll
- Fix — History titles truncated; Discord embed missing series title
v6.4.1 — 2026-03-24
- Add — Per-instance daily limits
- Add — Config export / import as JSON
- Add — Public API mode (
/api/statewithout auth)
Earlier versions
v6.4.0 — Statistics page · v6.0 — Full UI redesign, themes, i18n, CSRF · v5.0 — Setup wizard, IMDb filter, jitter · v4.0 — SQLite history, daily limits · v3.0 — Discord embeds · v2.0 — Radarr, multi-instance · v1.0 — First release
- Add — Feature #46: Stalled-Download-Monitor — erkennt feststeckende Downloads über die Sonarr/Radarr-Queue-API; konfigurierbarer Schwellenwert und Aktion (Neue Suche / nur Discord-Warnung); globaler Toggle + pro-Instanz-Override
- Add — Feature #41: API-Key-Zensierung — alle 32–128-stelligen Strings im Aktivitätslog maskiert; API-Keys und Webhooks nie in
/api/statezurückgegeben - Fix — CodeQL #8/#9:
_safe_ping_msg()-Allowlist verhindert Taint-Flow von Exceptions in Ping-Antworten - Fix — CodeQL #7: URL-Redirect mit
urlparsegehärtet gegen Open-Redirect-Angriffe
- Fix — Tag-Toggle und Tag-Chips werden nicht mehr alle 4 Sekunden zurückgesetzt; Instanz-Karten nur noch beim Tab-Wechsel neu gerendert
- Fix — Globaler Tag-Toggle persistiert jetzt korrekt über
_tagGlobalEnabled - Add — Feature #37: Tag-Filter pro Instanz (Multi-Select aus Sonarr/Radarr-Tags)
- Add — Feature #38: Separate Discord-Webhooks für Sonarr und Radarr
- Add — Webhook-Trigger
POST /api/webhook/trigger - Fix — Log-Rotation-Spam (#39), Standard-Namen in Add-Formular (#40), Sprachschalter-Emojis
- Add — Feature #36: Tagging (global + 3-Zustands-Override pro Instanz: Global/An/Aus)
- Fix — Seitengröße 500 → 2000
- Fix — Bug #33/#34/#35: Upgrade-Suche, per-Instanz Toggle, Discord-Revert
- Fix — Einstellungen-Revert alle 4 Sekunden; 10 Felder nicht zurück ins DOM geschrieben
- Fix — Staffel/Serien-Modus: keine doppelten SeasonSearch/SeriesSearch mehr
- Fix — Übersprungene Items zählen nicht gegen Suchslots;
should_search()Key-Fehler
- Fix — Fehlende EN-Übersetzungen; Jitter auf Minuten umgestellt
- Add — Globales Tageslimit pro Typ (Sonarr/Radarr)
- Strukturiertes Logging-System: zentrales
ms_log(level, service, action, item)schreibt in Docker-Console, Logdatei UND das UI-Aktivitätslog gleichzeitig - 4 Log-Level:
DEBUG|INFO|WARN|ERROR— konfigurierbar in Einstellungen → Allgemein → Log-Level - Docker/Unraid-Console-Format:
[2026-03-26 14:32:10] [INFO] [Service] action: item - Backend-Helfer:
ms_debug(),ms_info(),ms_warn(),ms_error() - MSLog v2 (Browser): Timestamp-Format,
MSLog.log(level, ...), Level insessionStoragegespeichert - Level wird bei jedem Poll vom Server synchronisiert — eine Einstellung steuert Docker-Console und Browser
v6.4.6 — 2026-03-26
- Fix — Startup-Log zeigte
v6.3.8; jetzt dynamisch korrekt - Fix — Konsole leer in Einstellungs-Tab und standalone; schreibt nun in beide Ausgaben
- Fix — Hilfe-Seite DE-Übersetzung defekt; CSS-Klassen-basiertes Sprachsystem
- Fix — Mobile Sprachauswahl unsichtbar; persistenter fester Toggle hinzugefügt
- Add — Upgrades pro Instanz (
search_upgrades, Standard: aus) - Add — Verbessertes Logging: Run-now-Trigger, Config-Speichern-Ereignisse
- Add — Hilfe-Seite als einzelne scrollbare Seite neu gestaltet
- Add — Statistik-Charts alle volle Breite; Alle/Sonarr/Radarr-Filter beibehalten
v6.4.5 — 2026-03-26
- Add — Zentrale
VERSION-Datei — einzige Quelle der Wahrheit - Add — Huntarr-Vergleichstext in README und Hilfe-Seite wiederhergestellt
- Fix — Homepage-Badge-Version
v6.4.4 — 2026-03-25
- Add — Wartungsfenster (bis 10, Übernacht-Unterstützung, gelbes Banner)
- Fix — Serien-Discord-Embeds: Poster, Fanart, Multi-Quellen-Bewertungen
v6.4.3 — 2026-03-25
- Add — Upcoming-/unveröffentlichte Inhalte automatisch überspringen
- Add — Konfigurierbares Log-Rotation in den Allgemeinen Einstellungen
- Fix — Konsolen-Feed-Feldnamen, Statistik-Tab-Theme, Einstellungen volle Breite
v6.4.2 — 2026-03-25
- Add — Sonarr/Radarr-Filter-Tabs auf der Statistikseite
- Add — Live-Log-Konsole mit Level-Filter, Suche, Auto-Scroll
- Fix — Verlaufstitel abgeschnitten; Discord-Embed ohne Serientitel
v6.4.1 — 2026-03-24
- Add — Pro-Instanz Tageslimits
- Add — Config-Export/Import als JSON
- Add — Öffentlicher API-Modus (
/api/stateohne Auth)
Frühere Versionen
v6.4.0 — Statistikseite · v6.0 — UI-Redesign, Themes, i18n, CSRF · v5.0 — Einrichtungsassistent, IMDb-Filter · v4.0 — SQLite-Historie · v3.0 — Discord · v2.0 — Radarr, Multi-Instanz · v1.0 — Erste Version
🔓 Why not Huntarr or its forks?Warum nicht Huntarr oder seine Forks?
Independent project, built from scratch. Not affiliated with Huntarr.
In February 2026, a public security audit of Huntarr v9.4.2 uncovered 21 vulnerabilities — 7 critical, 6 high. The most severe finding: a single unauthenticated HTTP request returned every API key for every connected *arr application in cleartext. No login required. The project's GitHub repository, subreddit and Discord were taken offline shortly after.
# Anyone on your network could run this against a stock Huntarr install:
curl -X POST http://huntarr:9705/api/settings/general -H "Content-Type: application/json" -d '{"proxy_enabled": true}'
# → Full config dump: Sonarr API key, Radarr API key, Prowlarr API key — all in cleartext
What about the forks?
Community forks have appeared, but they inherit the same codebase. As the security researcher noted: "Fixing 21 specific findings doesn't fix the process that created them."
How Mediastarr is different
Mediastarr was built independently from scratch — with security as a foundation, not an afterthought:
- No unauthenticated write access — every state-changing route is protected by session auth and CSRF tokens
- API keys never in responses — stripped at the serialisation layer in
/api/state; cannot be leaked even if session auth is bypassed - Input validation everywhere —
safe_str(),validate_url(), SSRF protection on all URL inputs - Config permissions —
config.jsonchmod 0600 on every write - CSRF tokens — every POST/PATCH/DELETE requires a valid token
- Brute-force lockout — 10 failed logins → 5-minute IP block
- Security headers — X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP on all responses
- Actively maintained — report issues via Discord or GitHub private advisory
The full audit findings: github.com/rfsbraz/huntarr-security-review (Feb 2026).
Unabhängiges Projekt, von Grund auf neu gebaut. Nicht mit Huntarr verbunden.
Im Februar 2026 deckte ein öffentliches Sicherheitsaudit von Huntarr v9.4.2 21 Schwachstellen — 7 kritisch, 6 hoch auf. Der gravierendste Fund: Ein einzelner unauthentifizierter HTTP-Request gab alle API-Keys aller verbundenen *arr-Anwendungen im Klartext zurück. Kein Login erforderlich. Das GitHub-Repo, der Subreddit und der Discord des Projekts wurden kurz darauf abgeschaltet.
# Jeder im Netzwerk konnte das gegen eine Standard-Huntarr-Installation ausführen:
curl -X POST http://huntarr:9705/api/settings/general -H "Content-Type: application/json" -d '{"proxy_enabled": true}'
# → Vollständiger Config-Dump: Sonarr-API-Key, Radarr-API-Key, Prowlarr-API-Key — alles im Klartext
Was ist mit den Forks?
Community-Forks sind aufgetaucht, erben aber dieselbe Codebasis. Wie der Sicherheitsforscher feststellte: „21 spezifische Findings zu beheben behebt nicht den Prozess, der sie erzeugt hat."
Warum Mediastarr anders ist
Mediastarr wurde unabhängig von Grund auf neu gebaut — mit Sicherheit als Fundament, nicht als Nachgedanke:
- Kein unauthentifizierter Schreibzugriff — jede schreibende Route ist durch Session-Auth und CSRF-Tokens gesichert
- API-Keys nie in Antworten — werden beim Serialisieren in
/api/stateentfernt; können selbst bei bypässter Session-Auth nicht geleakt werden - Eingabevalidierung überall —
safe_str(),validate_url(), SSRF-Schutz auf allen URL-Eingaben - Config-Berechtigungen —
config.jsonchmod 0600 bei jedem Schreiben - CSRF-Tokens — jeder POST/PATCH/DELETE braucht einen gültigen Token
- Brute-Force-Sperre — 10 fehlgeschlagene Logins → 5 Minuten IP-Sperre
- Sicherheits-Header — X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP auf allen Antworten
- Aktiv gepflegt — Meldung via Discord oder GitHub Private Advisory
Die vollständigen Audit-Ergebnisse: github.com/rfsbraz/huntarr-security-review (Feb. 2026).
No. Mediastarr is an independent project, built from scratch — no shared codebase, no shared code history, no affiliation with Huntarr or its forks. The only common ground is the goal: automating searches in Sonarr and Radarr.
Mediastarr was written entirely new after a public audit in February 2026 found 21 vulnerabilities in Huntarr v9.4.2, including an unauthenticated endpoint returning all API keys in cleartext with a single HTTP request.
No. Mediastarr is developed by kroeberd, an independent developer with no connection to the Huntarr project or its original authors.
Yes — free and open source under the MIT license. Source code: github.com/kroeberd/mediastarr
If you find it useful, support development via Buy me a coffee ☕
Security is the core design principle, not an afterthought. Every feature was built with it in mind:
/api/state responsesEach cycle, Mediastarr runs these steps for every enabled instance:
- Ping all instances — offline instances are skipped; Discord notified on first failure
- Purge expired cooldown — items older than
cooldown_daysbecome searchable again - Fetch missing content — calls
GET /wanted/missing(up to 2,000 items) - Shuffle randomly — items randomised for even library coverage
- Apply filters — upcoming/unreleased, IMDb threshold, tag filter, cooldown, daily limits
- Send search command —
EpisodeSearch,SeasonSearch, orSeriesSearch - Record to SQLite — logged with timestamp for cooldown tracking
- Wait with jitter — interval ± random delay before next cycle
Season mode is recommended for Sonarr — one command per season instead of per episode dramatically reduces API calls on large libraries.
An upgrade search targets content you already have but at lower quality than your profile's cutoff demands. Mediastarr checks /wanted/cutoff for these items.
HDTV-720p. Profile cutoff: Bluray-1080p. Mediastarr searches for the Blu-ray version to replace it.
WEB-DL-1080p. Profile cutoff: Bluray-1080p. Mediastarr searches once the Blu-ray becomes available.
Upgrades are off per-instance by default. Enable: Settings → Sonarr/Radarr → instance card → "Search upgrades".
The cooldown prevents repeated searches for unavailable content. After searching an item, it's logged in SQLite. For the next cooldown_days (default: 7), it's skipped.
Without it, Mediastarr would hammer Sonarr/Radarr with futile searches every cycle for content that simply isn't on any indexer yet.
That's the total missing episode or movie count in your library — monitored items without a file. 175,038 just means a large monitored library.
Mediastarr searches up to max_searches_per_run items per cycle (default: 10), randomly selected, gradually working through the entire list.
Dry Run runs the full search pipeline — fetching, filtering, cooldown checks — but never sends the actual command to Sonarr or Radarr. Items are still recorded in the database.
Use it to test filter settings (IMDb, tag filter, cooldown days) without triggering real downloads.
Yes — up to 20 instances. Each can have its own:
- Daily search limit · Upgrade search toggle
- Tag filter (only items with specific tags) · Tagging (add tag after search)
- Stalled download monitor override · Separate Discord webhook