Skip to content

cms

v6.20.1 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 1d API Development
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 1 known CVE

Topics

api-rest cms composer-package content-management-system flat-file-cms flatfile
+12 more
flatfilecms graphql headless jamstack laravel laravel-cms laravel-package php php8 ssg statamic vuejs

Affected surfaces

auth deps

Summary

AI summary

Broad release touches What's fixed, https://github.com/statamic/cms/issues/14712, https://github.com/statamic/cms/issues/14725, and https://github.com/statamic/cms/issues/14708.

Changes in this release

Security Medium

Escape formula characters in form submission CSV exports

Escape formula characters in form submission CSV exports

Source: granite4.1:30b@2026-06-02-audit

Confidence: low
Security Medium

Harden remote URL validation logic

Harden remote URL validation logic

Source: granite4.1:30b@2026-06-02-audit

Confidence: low
Feature Low

Add French translations

Add French translations

Source: granite4.1:30b@2026-06-02-audit

Confidence: low
Dependency Low

Bump qs from 6.15.0 to 6.15.2

Bump qs from 6.15.0 to 6.15.2

Source: llm_adapter@2026-06-02

Confidence: high
Dependency Low

Bump zizmorcore/zizmor-action from 0.5.3 to 0.5.6 in github-actions group

Bump zizmorcore/zizmor-action from 0.5.3 to 0.5.6 in github-actions group

Source: granite4.1:30b@2026-06-02-audit

Confidence: low
Dependency Low

Bump js-cookie from 3.0.5 to 3.0.7

Bump js-cookie from 3.0.5 to 3.0.7

Source: granite4.1:30b@2026-06-02-audit

Confidence: low
Dependency Low

Bump league/csv

Bump league/csv

Source: granite4.1:30b@2026-06-02-audit

Confidence: low
Performance Low

Truncate full‑measure static cache files before writing

Truncate full‑measure static cache files before writing

Source: granite4.1:30b@2026-06-02-audit

Confidence: low
Bugfix Medium

Avoid crop aspect ratios select being truncated

Avoid crop aspect ratios select being truncated

Source: llm_adapter@2026-06-02

Confidence: high
Bugfix Medium

Stop excessive logging of `ElevatedSessionAuthorizationException`

Stop excessive logging of `ElevatedSessionAuthorizationException`

Source: llm_adapter@2026-06-02

Confidence: high
Bugfix Medium

Fix `Cached Pages` count for multi-site setups

Fix `Cached Pages` count for multi-site setups

Source: llm_adapter@2026-06-02

Confidence: high
Bugfix Medium

Date scrollbar fix

Date scrollbar fix

Source: llm_adapter@2026-06-02

Confidence: high
Bugfix Medium

Remove custom scrollbar from date fields

Remove custom scrollbar from date fields

Source: llm_adapter@2026-06-02

Confidence: high
Bugfix Medium

Improve modal text formatting and dark mode background

Improve modal text formatting and dark mode background

Source: llm_adapter@2026-06-02

Confidence: high
Bugfix Medium

Fix form box-shadows being clipped by expanding/collapsing sections

Fix form box-shadows being clipped by expanding/collapsing sections

Source: llm_adapter@2026-06-02

Confidence: low
Bugfix Medium

Hash URL in static caching lock key

Hash URL in static caching lock key

Source: llm_adapter@2026-06-02

Confidence: low
Bugfix Medium

Fix entry revision localizations to filter unauthorized sites

Fix entry revision localizations to filter unauthorized sites

Source: llm_adapter@2026-06-02

Confidence: low
Bugfix Low

Remove default padding `pt-4` from Group fieldtype

Remove default padding `pt-4` from Group fieldtype

Source: granite4.1:30b@2026-06-02-audit

Confidence: low
Bugfix Low

Prevent form box‑shadows from being clipped by section expansion/collapse

Prevent form box‑shadows from being clipped by section expansion/collapse

Source: granite4.1:30b@2026-06-02-audit

Confidence: low
Bugfix Low

Handle replicator handle overflow gracefully

Handle replicator handle overflow gracefully

Source: granite4.1:30b@2026-06-02-audit

Confidence: low
Bugfix Low

Mask horizontal overflow for sets more elegantly

Mask horizontal overflow for sets more elegantly

Source: granite4.1:30b@2026-06-02-audit

Confidence: low
Bugfix Low

Improve collapsible section trigger behavior

Improve collapsible section trigger behavior

Source: granite4.1:30b@2026-06-02-audit

Confidence: low
Bugfix Low

Fix asset fieldtype icon display

Fix asset fieldtype icon display

Source: granite4.1:30b@2026-06-02-audit

Confidence: low
Bugfix Low

Scope shared static cache errors to individual sites

Scope shared static cache errors to individual sites

Source: granite4.1:30b@2026-06-02-audit

Confidence: low
Bugfix Low

Fix `share_errors` breaking nocache regions on successful responses

Fix `share_errors` breaking nocache regions on successful responses

Source: granite4.1:30b@2026-06-02-audit

Confidence: low
Bugfix Low

Correct `current` augmentation handling in users fieldtype

Correct `current` augmentation handling in users fieldtype

Source: granite4.1:30b@2026-06-02-audit

Confidence: low
Bugfix Low

Fix clipboard pasting of validation rules

Fix clipboard pasting of validation rules

Source: granite4.1:30b@2026-06-02-audit

Confidence: low
Bugfix Low

Resolve Bard/Link Blink cache type collision

Resolve Bard/Link Blink cache type collision

Source: granite4.1:30b@2026-06-02-audit

Confidence: low
Full changelog

What's fixed

  • Avoid crop aspect ratios select being truncated #14712 by @duncanmcclean
  • Stop excessive logging of ElevatedSessionAuthorizationException #14725 by @joshuablum
  • Remove pt-4 as the default padding for a Group fieldtype #14708 by @martyf
  • Fix Cached Pages count for multi-site setups #14726 by @joshuablum
  • Hash URL in static caching lock key #14716 by @duncanmcclean
  • Fix entry revision localizations to filter unauthorized sites #14714 by @duncanmcclean
  • Date scrollbar fix #14730 by @jaygeorge
  • Remove custom scrollbar from date fields #14731 by @jaygeorge
  • Fix form box-shadows being clipped by expanding/collapsing sections #14736 by @jaygeorge
  • Improve modal text formatting and dark mode background #14740 by @jaygeorge
  • Handle replicator handle overflow #14746 by @jaygeorge
  • More elegantly mask horizontal overflow for sets #14753 by @jaygeorge
  • Improve collapsible section trigger #14758 by @jaygeorge
  • Fix asset fieldtype icon #14720 by @jasonvarga
  • Escape formula characters in form submission CSV exports #14760 by @jasonvarga
  • Harden remote URL validation #14761 by @jasonvarga
  • Scope shared static cache errors to sites #14763 by @joshuablum
  • Fix share_errors breaking nocache regions on successful responses #14729 by @joshuablum
  • Truncate full measure static cache files before writing #14755 by @joshuablum
  • Fix current augmentation handling in users fieldtype #14724 by @joshuablum
  • Fix clipboard pasting of validation rules #14754 by @joshuablum
  • Fix Bard/Link Blink cache type collision #14739 by @simonerd
  • French translations #14738 by @ebeauchamps
  • Bump zizmorcore/zizmor-action from 0.5.3 to 0.5.6 in the github-actions group #14722 by @dependabot
  • Bump qs from 6.15.0 to 6.15.2 #14721 by @dependabot
  • Bump js-cookie from 3.0.5 to 3.0.7 #14705 by @dependabot
  • Bump league/csv #14768 by @jasonvarga

Security Fixes

  • Harden remote URL validation
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track cms

Get notified when new releases ship.

Sign up free

About cms

The core Laravel CMS Composer package

All releases →

Related context

Beta — feedback welcome: [email protected]