js · @element-hq/element-call-embedded · Severity: Critical
@element-hq/element-call-embedded: analytics leak of URL fragments (CVE-like)
What changed
Element Call versions 0.5.17 through 0.19.3 report analytics data to a PostHog server, including full page URLs with their fragments, in fields like $initial_person_info, $session_entry_url, and $current_url. Because a call link carries its encryption password in the URL fragment, that password is sent to the analytics server along with the URL. Fixed in 0.19.4.
Who it affects
Users of standalone Element Call SPA instances (e.g., call.element.io) with PostHog analytics enabled; embedded package users are not practically affected.
What to do today
Upgrade to Element Call 0.19.4 or later. If you cannot upgrade, disable PostHog analytics, either by removing the 'posthog' key from config.json or by opting out in the settings. Then create new call links: the fragments of existing links, including any encryption passwords they carry, may already have been reported to the analytics server.
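The following is an added example, not code from Element Call or from the 0.19.4 fix, showing the kind of client-side guard the leak above calls for: strip the fragment from every URL-shaped value in an analytics event before it is sent. It assumes the posthog-js sanitize_properties hook (a function that receives the event properties and returns what is actually transmitted) and assumes that $initial_person_info nests the URL under a key named u; the sample event and its password value are constructed for the example.

```javascript
// Added example (not Element Call's own code): remove URL fragments from
// analytics properties before they leave the browser. Assumes posthog-js's
// `sanitize_properties` hook, which receives the properties object of each
// event and returns the version that is actually sent.

// Return `value` with its fragment removed if it is an absolute http(s) URL,
// otherwise unchanged. A call link such as
// https://call.example/room#?password=... keeps only scheme, host and path.
function stripFragment(value) {
  if (typeof value !== "string" || !value.includes("#")) return value;
  let url;
  try {
    url = new URL(value);
  } catch {
    return value; // not an absolute URL; leave it alone
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return value;
  url.hash = ""; // WHATWG URL: empty hash clears the fragment and the '#'
  return url.toString();
}

// Walk the whole property tree. PostHog nests URLs inside objects such as
// $initial_person_info (assumed here to be { u: url, r: referrer }), so
// checking only the top-level keys would still leak the fragment.
function sanitizeProperties(props) {
  if (Array.isArray(props)) return props.map(sanitizeProperties);
  if (props && typeof props === "object") {
    const out = {};
    for (const [key, val] of Object.entries(props)) {
      out[key] = sanitizeProperties(val);
    }
    return out;
  }
  return stripFragment(props);
}

// Constructed sample of what a page-view event could carry; the password
// value is made up for the example.
const sampleEvent = {
  $current_url: "https://call.example/room/abc#?password=s3cr3tKey",
  $session_entry_url: "https://call.example/room/abc#?password=s3cr3tKey",
  $initial_person_info: {
    u: "https://call.example/room/abc#?password=s3cr3tKey",
    r: "$direct",
  },
  $lib: "web",
};

const cleanedEvent = sanitizeProperties(sampleEvent);

// Wiring, not executed here because it needs the posthog-js package:
// posthog.init(apiKey, { api_host: host, sanitize_properties: sanitizeProperties });
```

The sanitizer is deliberately allow-nothing about fragments: it does not try to recognise the password parameter by name, because any future fragment parameter would be leaked just the same. Disabling analytics outright, as the advisory recommends, remains the stronger mitigation; this hook only limits the damage where analytics must stay on.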