
cms

v5.73.23 Security

This release includes 1 security fix relevant to security teams reviewing exposed deployments.

Published 12d API Development
✓ No known CVEs patched
This release patches 1 known CVE

Topics

api-rest cms composer-package content-management-system flat-file-cms flatfile flatfilecms graphql headless jamstack laravel laravel-cms laravel-package php php8 ssg statamic vuejs

Affected surfaces

auth rce_ssrf

ReleasePort's take

Light signal
editorial:auto 11d

Release v5.73.23 fixes a token path traversal vulnerability and adds several other bugfixes.

Why it matters: The release patches the token path traversal security flaw (severity 50) that could allow unauthorized access; operators should upgrade immediately to mitigate risk.

Summary

AI summary

Fixed token path traversal vulnerability.

Changes in this release

Security Medium

Hardens `DataCollection` sort value resolution to prevent misuse.


Source: llm_adapter@2026-05-23

Confidence: low

Bugfix Medium

Authorizes access to relationship fieldtype data.


Source: llm_adapter@2026-05-23

Confidence: high

Bugfix Medium

Fixes token path traversal vulnerability.


Source: llm_adapter@2026-05-23

Confidence: low

Bugfix Medium

Fixes asset fieldtype icon display issue.


Source: llm_adapter@2026-05-23

Confidence: low

Full changelog

What's fixed

  • Harden DataCollection sort value resolution #14693 by @duncanmcclean
  • Fix token path traversal #14700 by @duncanmcclean
  • Authorize relationship fieldtype data #14718 by @jasonvarga
  • Fix asset fieldtype icon #14720 by @jasonvarga

Security Fixes

  • Fix token path traversal — prevents directory traversal attacks via tokens [#14700]


About cms

The core Laravel CMS Composer package
