Today, we are releasing Omeka 2.2.1, a security update for Omeka 2.2. All users should upgrade.
An unrelated fix to the API removes dead links to private collections for non-authenticated users.
Thanks to Gjoko Krstic at the Zero Science Lab for finding and reporting the XSS and CSRF vulnerabilities.
Please see the release notes for more detail.