Backdrop CMS

v1.33.3 Breaking

This release includes breaking changes for platform teams planning a safe upgrade.

Published 18d Dashboards & Home Pages

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

cms php

ReleasePort's take

Light signal

editorial:auto 9d

Backdrop CMS 1.33.3 removes a duplicate #process callback from the password element and corrects faulty permission checks for accessing site reports.

Why it matters: Fixing the duplicate callback prevents erratic behavior in password handling; correcting the permission check blocks unauthorized access to sensitive site‑report data—critical for all deployments using these features.

Summary

AI summary

Minor fixes and improvements.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	Fix incorrect permission checks for 'access site reports'. Fix incorrect permission checks for 'access site reports'. Source: llm_adapter@2026-05-21 Confidence: high	—
Feature	Medium	Add Display type into Views UI. Add Display type into Views UI. Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix
Bugfix	Medium	Removed duplicate #process callback from the password element. Removed duplicate #process callback from the password element. Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Fix unconstrained join in comment module update 1009. Fix unconstrained join in comment module update 1009. Source: llm_adapter@2026-05-21 Confidence: high	—
Bugfix	Medium	Remove 'database' from hook_user_role_() and hook_node_type_() documentation. Remove 'database' from hook_user_role_() and hook_node_type_() documentation. Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Make token names wrap when very long. Make token names wrap when very long. Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Added zip PHP extension not loaded warning to system update page. Added zip PHP extension not loaded warning to system update page. Source: llm_adapter@2026-05-21 Confidence: low	—
Bugfix	Medium	Make sure markup prepended to bulk tables is valid. Make sure markup prepended to bulk tables is valid. Source: llm_adapter@2026-05-21 Confidence: low	—

Full changelog

Maintenance release for Backdrop CMS. This update contains bug fixes and usability improvements only.

Notes for updating

It is not necessary to run the update script (located at /core/update.php) for this release.
No changes have been made to the .htaccess, robots.txt or default settings.php files in this release. Updating customized versions of those files is not necessary.

Changes since version 1.33.2

Bug fixes

Issue #7062: Removed duplicate #process callback from the password element.
Issue #7112: Fix unconstrained join in comment module update 1009.
Issue #5942: Remove "database" from the hook_user_role_() and hook_node_type_() documentation.
Issue #7029: Add Display type into Views UI.
Issue #6981: Make token names wrap when very long.
Issue #7130: Fix incorrect permission checks for 'access site reports'.
Issue #6953: Added zip PHP extension not loaded warning to system update page.
Issue #7127: Make sure markup prepended to bulk tables is valid.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Backdrop CMS

Get notified when new releases ship.

About Backdrop CMS

Comprehensive CMS for small to medium sized businesses and non-profits.

All releases →