diff --git a/CHANGELOG.md b/CHANGELOG.md
index d4de66ec7d..fec4e9ed8e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,62 @@
+#### v4.6.2 (2025-11-19)
+
+##### Chores
+
+* up emoji (5bc5bb3d)
+* up peace, closes #13774 (f764b791)
+* incrementing version number - v4.6.1 (f47aa678)
+* update changelog for v4.6.1 (655c858b)
+* incrementing version number - v4.6.0 (ee395bc5)
+* incrementing version number - v4.5.2 (ad2da639)
+* incrementing version number - v4.5.1 (69f4b61f)
+* incrementing version number - v4.5.0 (f05c5d06)
+* incrementing version number - v4.4.6 (074043ad)
+* incrementing version number - v4.4.5 (6f106923)
+* incrementing version number - v4.4.4 (d323af44)
+* incrementing version number - v4.4.3 (d354c2eb)
+* incrementing version number - v4.4.2 (55c510ae)
+* incrementing version number - v4.4.1 (5ae79b4e)
+* incrementing version number - v4.4.0 (0a75eee3)
+* incrementing version number - v4.3.2 (b92b5d80)
+* incrementing version number - v4.3.1 (308e6b9f)
+* incrementing version number - v4.3.0 (bff291db)
+* incrementing version number - v4.2.2 (17fecc24)
+* incrementing version number - v4.2.1 (852a270c)
+* incrementing version number - v4.2.0 (87581958)
+* incrementing version number - v4.1.1 (b2afbb16)
+* incrementing version number - v4.1.0 (36c80850)
+* incrementing version number - v4.0.6 (4a52fb2e)
+* incrementing version number - v4.0.5 (1792a62b)
+* incrementing version number - v4.0.4 (b1125cce)
+* incrementing version number - v4.0.3 (2b65c735)
+* incrementing version number - v4.0.2 (73fe5fcf)
+* incrementing version number - v4.0.1 (a461b758)
+* incrementing version number - v4.0.0 (c1eaee45)
+
+##### Bug Fixes
+
+* #13779, svg uploads (e3002411)
+* #13776, if plugin is in install/package.json use latest version from there (abfb6d13)
+* category labels showing up on infinite scroll on category page (dece0628)
+* crash in resolveInboxes (9900171f)
+* log out user if session cookie resolves to non-existent uid (5d9da603)
+* make i18n test failure message easier to read (3a81f903)
+* wrong auto-categorization if group actor is explicitly included in `audience` (be4d0e81)
+* order of operations when updating category handle (5cfec5b1)
+* closes #13729, fix filename encoding (9410f466)
+
+##### Other Changes
+
+* fix lint (008e1ae4)
+
+##### Refactors
+
+* remove unused share (aacd27ee)
+
+##### Tests
+
+* add test for #13729 (430a3e81)
+
 #### v4.6.1 (2025-10-17)
 ##### Chores
diff --git a/install/package.json b/install/package.json
index 379b007c2d..4c1a6df2eb 100644
--- a/install/package.json
+++ b/install/package.json
@@ -148,7 +148,7 @@
 "toobusy-js": "0.5.1",
 "tough-cookie": "6.0.0",
 "undici": "^7.10.0",
- "validator": "13.15.15",
+ "validator": "13.15.23",
 "webpack": "5.102.0",
 "webpack-merge": "6.0.1",
 "winston": "3.17.0",
diff --git a/public/src/client/infinitescroll.js b/public/src/client/infinitescroll.js
index eaf3e97720..6c3819245c 100644
--- a/public/src/client/infinitescroll.js
+++ b/public/src/client/infinitescroll.js
@@ -21,7 +21,7 @@ define('forum/infinitescroll', ['hooks', 'alerts', 'api'], function (hooks, aler
 previousScrollTop = $(window).scrollTop();
 $(window).off('scroll', startScrollTimeout).on('scroll', startScrollTimeout);
 if ($body.height() <= $(window).height() && (
- !ajaxify.data.hasOwnProperty('pageCount') || ajaxify.data.pageCount > 1
+ ajaxify.data.pagination || ajaxify.data.pagination.pageCount > 1
 )) {
 callback(1);
 }
diff --git a/src/activitypub/mocks.js b/src/activitypub/mocks.js
index 81db4b7a01..0dce187268 100644
--- a/src/activitypub/mocks.js
+++ b/src/activitypub/mocks.js
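Review bot: In public/src/client/infinitescroll.js the rewritten condition `ajaxify.data.pagination || ajaxify.data.pagination.pageCount > 1` drops the negation the removed line had, so it short-circuits to true whenever `pagination` exists (the page count is never consulted) and throws a TypeError reading `.pageCount` when `pagination` is absent. To keep the old meaning of "no page count known, or more than one page", the line should read `!ajaxify.data.pagination || ajaxify.data.pagination.pageCount > 1`. The enclosing function starts and ends outside the hunk, so whether `pagination` is always set on the pages that reach this code is not visible here.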
@@ -845,6 +845,13 @@ Mocks.notes.private = async ({ messageObj }) => { const published = messageObj.timestampISO; const updated = messageObj.edited ? messageObj.editedISO : undefined; + const content = await messaging.getMessageField(messageObj.mid, 'content'); + messageObj.content = content; // re-send raw content into parsePost + const parsed = await posts.parsePost(messageObj, 'activitypub.note'); + messageObj.content = sanitize(parsed.content, sanitizeConfig); + messageObj.content = posts.relativeToAbsolute(messageObj.content, posts.urlRegex); + messageObj.content = posts.relativeToAbsolute(messageObj.content, posts.imgRegex); + let source; const markdownEnabled = await plugins.isActive('nodebb-plugin-markdown'); if (markdownEnabled) { diff --git a/test/user/custom-fields.js b/test/user/custom-fields.js index df4feb2432..8a637f49a2 100644 --- a/test/user/custom-fields.js +++ b/test/user/custom-fields.js @@ -88,6 +88,14 @@ describe('custom user fields', () => { { message: '[[error:custom-user-field-invalid-link, Website]]' }, ); + await assert.rejects( + user.updateProfile(highRepUid, { + uid: highRepUid, + website: 'javascript:alert("xss")', + }), + { message: '[[error:custom-user-field-invalid-link, Website]]' }, + ); + await assert.rejects( user.updateProfile(highRepUid, { uid: highRepUid,
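Review bot: In src/activitypub/mocks.js the added block runs `sanitize(parsed.content, sanitizeConfig)` before the two `posts.relativeToAbsolute` passes, so the string left in `messageObj.content` is the output of regex rewriting and is never re-checked by the sanitizer. If those helpers only prefix the site URL onto relative links that is harmless, but nothing in the hunk shows it; either move the `sanitize` call after both rewrites or record the assumption with a comment such as `// relativeToAbsolute only prepends the base URL; output stays within sanitizeConfig`. The block also overwrites the caller's `messageObj.content` in place and hands the result of `messaging.getMessageField` to `posts.parsePost` without checking that a value came back. `Mocks.notes.private` continues past the end of the hunk, so how `messageObj.content` is consumed afterwards is not visible.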
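Review bot: In test/user/custom-fields.js the new case pins only the all-lowercase `javascript:` spelling, so a link check that compares the scheme case-sensitively or without trimming would still pass this test. A sibling `assert.rejects` with a mixed-case scheme, e.g. `website: 'JavaScript:alert("xss")',`, and one with another non-http scheme would make the intent (presumably an allow-list of link schemes) explicit. The same commit bumps `validator` from 13.15.15 to 13.15.23 in install/package.json, which suggests, though the page does not say so, that the check relies on that library; a one-line comment above the case naming what it guards would help the next reader. The enclosing `it(...)` block starts and ends outside the hunk.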