cms

v6.20.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 12d API Development

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

api-rest cms composer-package content-management-system flat-file-cms flatfile

+12 more

flatfilecms graphql headless jamstack laravel laravel-cms laravel-package php php8 ssg statamic vuejs

Affected surfaces

auth rce_ssrf

ReleasePort's take

Light signal

editorial:auto 11d

Statamic CMS v6.20.0 adds a today shortcut to the date picker and prompts for a license key when enabling Pro features.

Why it matters: The new "today" shortcut in the Date picker UI streamlines data entry; prompting for a license key during Pro activation enforces entitlement checks.

Summary

AI summary

Updates What's fixed, What's new, and https://github.com/statamic/cms/issues/14651 across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	Authorizes relationship fieldtype data access. Authorizes relationship fieldtype data access. Source: llm_adapter@2026-05-23 Confidence: high	—
Security	Medium	Fixes token path traversal vulnerability. Fixes token path traversal vulnerability. Source: llm_adapter@2026-05-23 Confidence: low	—
Feature
Feature	Medium	Adds today shortcut to date picker. Adds today shortcut to date picker. Source: llm_adapter@2026-05-23 Confidence: low	—
Feature	Medium	Prompts for license key when enabling Pro. Prompts for license key when enabling Pro. Source: llm_adapter@2026-05-23 Confidence: low	—
Feature	Medium	Includes `is_pdf` flag in augmented asset data. Includes `is_pdf` flag in augmented asset data. Source: llm_adapter@2026-05-23 Confidence: low	—
Feature	Medium	Enables "Add Row" configuration for List fields. Enables "Add Row" configuration for List fields. Source: llm_adapter@2026-05-23 Confidence: low	—
Dependency	Medium	Bumps shivammathur/setup-php from 2.37.0 to 2.37.1 in GitHub Actions. Bumps shivammathur/setup-php from 2.37.0 to 2.37.1 in GitHub Actions. Source: llm_adapter@2026-05-23 Confidence: low	—
Bugfix
Bugfix	Medium	Hardens `DataCollection` sort value resolution logic. Hardens `DataCollection` sort value resolution logic. Source: llm_adapter@2026-05-23 Confidence: high	—
Bugfix	Medium	Improves accuracy of active navigation anchor positioning. Improves accuracy of active navigation anchor positioning. Source: llm_adapter@2026-05-23 Confidence: low	—
Bugfix	Medium	Suppresses unsaved changes warning when switching tabs. Suppresses unsaved changes warning when switching tabs. Source: llm_adapter@2026-05-23 Confidence: low	—
Bugfix	Medium	Enhances collapsible section behavior. Enhances collapsible section behavior. Source: llm_adapter@2026-05-23 Confidence: low	—
Bugfix	Medium	Swaps image dimensions when EXIF indicates 90° rotation. Swaps image dimensions when EXIF indicates 90° rotation. Source: llm_adapter@2026-05-23 Confidence: low	—
Bugfix	Medium	Adjusts Relationship UI layout and behavior. Adjusts Relationship UI layout and behavior. Source: llm_adapter@2026-05-23 Confidence: low	—
Bugfix	Medium	Updates Italian translations. Updates Italian translations. Source: llm_adapter@2026-05-23 Confidence: low	—
Bugfix	Medium	Adds French translations. Adds French translations. Source: llm_adapter@2026-05-23 Confidence: low	—

Full changelog

What's new

Date picker today shortcut #14651 by @jaygeorge
When enabling Pro, prompts for license key #14686 by @jackmcdade
Include is_pdf in augmented asset data #14699 by @jacksleight

What's fixed

Make active nav anchor position more accurate #14675 by @jaygeorge
Don't show unsaved changes warning when switching tabs #14678 by @jasonvarga
Better collapsible sections #14679 by @jaygeorge
Swap image dimensions when EXIF orientation indicates a 90° rotation #14685 by @jasonvarga
Hook up "Add Row" config for List fields #14689 by @jackmcdade
Harden DataCollection sort value resolution #14693 by @duncanmcclean
Fix token path traversal #14700 by @duncanmcclean
Authorize relationship fieldtype data #14718 by @jasonvarga
Relationship UI adjustments #14719 by @jasonvarga
Update Italian translations #14683 by @sbellesis
French translations #14680 by @ebeauchamps
Bump shivammathur/setup-php from 2.37.0 to 2.37.1 in the github-actions group #14682 by @dependabot

Security Fixes

Fix token path traversal vulnerability (Issue #14700)

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track cms

Get notified when new releases ship.

About cms

The core Laravel CMS Composer package

All releases →

cms