File: //var/softaculous/conc8/changelog.txt
9.5.0 Release Notes

New Features

    Added support for the Twig templating language in block views, page templates, single pages and more.

Behavioral Improvements

    We now notify users if their updates are available locally (which they should be, for example, if Composer is used to manage the Concrete CMS upgrade process). We will also no longer let admins use the updater if this setting is set to true (thanks mlocati)
    Hero Image block now reports its height setting immediately when the slider changes (thanks mehl)
    If a site is configured to store their logs in files (instead of the database), the logs Dashboard page now informs administrators. (thanks ounziw)
    The ccm_paging_p page parameter is no longer included in the canonical URL specified by the Search block (thanks ccmEnlil)
    You can now control whether the Page List block’s pagination parameter is added to the page’s canonical URL via a block setting (thanks ccmEnlil)
    More core blocks are cached in more situations (thanks hissy)
    Return errors in JSON format when the expected response should be in JSON in more cases (thanks mlocati)
    Fixed errors about an undefined logger when using a custom EntryManager in Express.
    If you access an /account/* protected page and are directed to log in, you will be redirected back to the appropriate page after successfully logging in.

Bug Fixes

    Fixed bug where page type defaults were not editable by anyone but the super user even if other groups were added to the “Access Page Type Defaults” permission.
    Fixed inability to select a new image or file when using the Concrete File Input component if that file had been deleted (thanks mlocati, danklassen)
    Fixed bug where, if an Express form block was configured to upload files to a specific folder, and that folder was deleted, an error was thrown (thanks dimger)
    Fixed bug where a file might appear in the Dashboard search results multiple times if it had a special character like an ampersand in it (thanks straatrakker)
    Fixed log notice about polls feature not being available when rendering core blocks that use the polls feature (thanks biplobice)
    Fixed bug where a site that used multi-site and had a site name with a special character in it would result in a broken multisite selector in the Dashboard (thanks patej)
    Fixed typos and strings that could not be translated in the Concrete interface (thanks wtflm)
    Fixed bug where attributes like Tags would not be properly displayed in the Document Library results table (thanks JohnTheFish)
    Fixed: ability to activate page templates in a theme was missing in our Dashboard Page themes since the shift to the new Configure page.
    Fixed erroneous description in the Tags block (thanks JohnTheFish)
    Fixed an error that could happen when a global area is rendered on a site but there is no approved version of the global area (thanks biplobice)
    Fixed error when searching by user group in some situations (thanks TMDesigns)
    Added additional permission check to add file to folder endpoint (thanks JohnTheFish)
    Fixed: CalendarEventVersion Entity missing getJSONObject method
    Fixed: When “All Day” is checked during calendar event creation, end date becomes 1970 if submitted without changing the date
    Fixed issue where 8.x sites that used the style customizer could have some styles lost upon upgrading to 9.x (thanks kaktuspalme)
    Fixed: Workflow Request message could include an empty page name

Developer Updates

    Concrete CMS now supports PHP 8.5.
    Concrete’s email functionality now depends on Symfony/Mailer instead of Laminas/Email. All simple use cases should be covered with no backward compatibility concerns.
    Mail importing functionality has been removed from Concrete CMS. This functionality is not used by the core and is unlikely to be used by many third party packages. If this affects you, please get in touch.
    Updated all PHP dependencies where possible.
    Replaced anahkiasen/html-object with the updated (but still old) kylekatarnls/html-object, which adds some new methods and is better supported (fully backward compatible)
    Added more granular controls to block controllers to determine their caching behaviors (including btCacheBlockOutputOnEditMode) (thanks hissy)
    ConcreteFileManager.getFileDetails in JS now returns null if the file cannot be found. Some blocks that use custom JS may need to be updated to handle this (thanks mlocati)
    We now show MySQL max_connections in environment details (thanks mlocati)
    Built-in Concrete console commands for php cs fixer will now route to an external version of the library for greater control (thanks mlocati)
    Added support for a new rcURL query string parameter that can be passed to /login/redirect which will allow users to be redirected to a specific URL after login. Uses an allowlist for security.
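Allowlist validation of a post-login redirect parameter such as the rcURL one described above, shown as an added example that is not Concrete CMS code; the function name, allowlist and sample URLs are constructed for illustration.

```php
<?php
// Added example, not Concrete CMS code: allowlist validation for a post-login
// redirect parameter. The allowlist, function name and sample URLs are constructed.

declare(strict_types=1);

/**
 * Return $candidate if it is a local absolute path or an http(s) URL whose host
 * is exactly on the allowlist; otherwise return $default (the safe landing page).
 */
function safeRedirectTarget(string $candidate, array $allowedHosts, string $default = '/'): string
{
    // Control characters and whitespace have no place in a redirect target.
    if ($candidate === '' || preg_match('/[\x00-\x20\x7F]/', $candidate)) {
        return $default;
    }
    if ($candidate[0] === '/') {
        // "//host" and "/\host" are scheme-relative in browsers: treat them as external.
        if (strlen($candidate) > 1 && ($candidate[1] === '/' || $candidate[1] === '\\')) {
            return $default;
        }
        return $candidate; // local path such as /account/edit_profile
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || isset($parts['user']) || isset($parts['pass'])) {
        return $default; // unparsable, no host, or userinfo tricks like trusted@attacker
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $default; // rejects javascript:, data: and other non-web schemes
    }
    // Exact, case-insensitive host comparison: prefix or suffix matching would let
    // "www.example.com.attacker.invalid" or "attacker-example.com" through.
    $allowed = array_map('strtolower', $allowedHosts);
    if (!in_array(strtolower($parts['host']), $allowed, true)) {
        return $default;
    }
    return $candidate;
}

// Constructed allowlist and test inputs.
$allowed = ['www.example.com', 'intranet.example.com'];
foreach ([
    '/account/edit_profile',
    'https://intranet.example.com/dashboard',
    '//attacker.invalid/phish',
    'https://www.example.com.attacker.invalid/',
    'javascript:alert(1)',
] as $rc) {
    printf("%-45s -> %s\n", $rc, safeRedirectTarget($rc, $allowed));
}
```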

Backward Compatibility Notes

    When dragging blocks out of a stack or from the clipboard panel into the page, we used to create a pointer to the original block, in order to save space and potentially make the block “updateable”. This was not ideal, and would lead to some weird edge cases where deleted versions of completely unrelated pages might change the contents of pages that had copied content from the original page. Instead, we now always create a copy when copying out of the clipboard or a stack. If you’d like to maintain a pointer to the original content and update the content of a block on a separate schedule from the page, drag the entire stack into the page, and keep the stack updated separately.

9.4.8 Release Notes

Behavioral Improvements

    Improved performance on sites with large amounts of permission assignments.

Security Updates

    All security fixes below are for Concrete CMS version 9 only. There will be no fixes for version 8.
    Fixed CVE-2026-3452 by making columns and filterFields start from empty with commit 1286. Prior to the fix, an authenticated administrator could store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks, making Concrete CMS vulnerable to remote code execution. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks YJK of ZUSO ART for reporting H1 3549050.
    Fixed CVE-2026-3244 with commit 12826 for H1 3542571. Prior to the fix, a stored cross-site scripting (XSS) vulnerability existed in the search block where page names and content were rendered without proper HTML encoding in search results. Authenticated administrators were able to inject malicious JavaScript through page names which executed when users searched for and viewed those pages in search results. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks zolpak for reporting HackerOne 3542571.
    Fixed CVE-2026-3242 with commit 12826 for H1 3451125 to prevent administrators from being able to add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting HackerOne 3451125.
    Fixed CVE-2026-3241 with commit 12826 for H1 3456482 to prevent administrators from being able to add cross-site scripting (XSS) into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box) in the "Legacy Form" block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting H1 3456482.
    Fixed CVE-2026-3240 with commit 12826 for H1 3451114 to prevent an editor from using the Question field of the Legacy Form block to inject stored XSS. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks minhnn42, namdi, and quanlna2 from VCSLab-Viettel Cyber Security for reporting H1 3451114.
    Fixed CVE-2026-2994 with commit 12826 for H1 3437650 to ensure the CSRF token is checked before changes to the group_id parameter are saved when using the Anti-Spam Allowlist Group Configuration. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks z3rco for reporting H1 3437650.
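The two missing controls named in the CVE-2026-3452 entry above (class restrictions and an integrity check on serialized block configuration), shown as an added example that is not Concrete CMS code: the stored value carries an HMAC that is verified before unserialize() runs, and unserialize() is called with allowed_classes => false so no class can be instantiated from the data. The key, function names and sample configuration are constructed for illustration.

```php
<?php
// Added example, not Concrete CMS code: hardening the deserialization of a
// persisted block configuration. Key, function names and sample data are constructed.

declare(strict_types=1);

// Hypothetical key; in practice, load it from application config, never hard-code it.
const CONFIG_HMAC_KEY = 'replace-with-a-random-32-byte-secret';

/** Serialize a plain configuration array and prefix it with an HMAC tag. */
function encodeBlockConfig(array $config, string $key = CONFIG_HMAC_KEY): string
{
    $payload = serialize($config);
    return hash_hmac('sha256', $payload, $key) . ':' . $payload;
}

/**
 * Verify the tag first, then unserialize with allowed_classes => false so that
 * an "O:" record yields __PHP_Incomplete_Class instead of a live object whose
 * magic methods (__wakeup, __destruct) could run. Returns null on any failure.
 */
function decodeBlockConfig(string $stored, string $key = CONFIG_HMAC_KEY): ?array
{
    $parts = explode(':', $stored, 2); // the hex tag contains no ':'
    if (count($parts) !== 2) {
        return null;
    }
    [$tag, $payload] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $tag)) {
        return null; // tampered, or not produced by this application
    }
    $data = @unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null; // malformed input (false) or a non-array top-level value
    }
    return $data;
}

// Constructed sample: fields of the kind a block might persist.
$stored = encodeBlockConfig(['columns' => ['name', 'date'], 'filterFields' => []]);
printf("genuine value decodes: %s\n", decodeBlockConfig($stored) !== null ? 'yes' : 'no');

// Constructed tampered value: the payload is swapped for a serialized object.
$tampered = explode(':', $stored, 2)[0] . ':O:8:"stdClass":0:{}';
printf("tampered value decodes: %s\n", decodeBlockConfig($tampered) !== null ? 'yes' : 'no');

// Even without the HMAC, allowed_classes => false keeps the class from being instantiated.
printf("class restriction yields: %s\n", get_class(unserialize('O:8:"stdClass":0:{}', ['allowed_classes' => false])));
```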
9.4.7 Release Notes
Behavioral Improvements

    YouTube block view now contains iframe code to help YouTube render better under certain stricter web server settings (thanks MarcoKuoni)
    We now define operation IDs for API endpoints (thanks hissy)
    On the Dashboard > Database Entities page we now show entities that are defined using PHP attributes (not just entities) (thanks mlocati)

Bug Fixes

    Fixed: Conversations file attachment icons and file attachment area are not formatted properly.
    Fixed: conversation loader now shows properly.
    Fixed: The close “X” of the Workflow pop-up only had Atomik CSS and didn’t show up in other themes
    Fixed: The "X" button of Subscribe to Conversation triggered the Unsubscribe/Subscribe button action
    Fixed incorrect edit profile validation on username.
    Fixed inability to rename a form block’s name through the block editing dialog once it has been added to the page.
    Fixed bug where regional jQuery UI languages did not load in time (thanks mlocati)

Developer Updates

    Updated dependencies to their latest minor versions.

Security Updates

    Patched Symfony Foundation libraries to resolve this security issue: https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass
    Updated enshrined/svg-sanitize, which improves security scanning of SVG files (see https://www.cve.org/CVERecord?id=CVE-2025-55166).