Release history

Concrete 5 CMS releases

Open source content management system.

Upgrade now
9.5.2 Mixed
Dependencies RCE / SSRF

Security + Bug Fixes + Attribute Grouping

Upgrade now
9.5.1 Breaking risk
RCE / SSRF Dependencies

Breaking changes — review before upgrading.

9.5.0 Breaking risk
⚠ Upgrade required
  • When dragging blocks out of a stack or clipboard, Concrete now always creates a copy instead of a pointer; adjust workflows that relied on the previous behavior.
Breaking changes
  • Removed Mail importing functionality from Concrete CMS.
Notable features
  • Added Twig templating support in block views, page templates, and single pages
  • Concrete now supports PHP 8.5
  • Email functionality switched to Symfony/Mailer (backward compatible)
Full changelog

New Features

  • Added support for the Twig templating language in block views, page templates, single pages and more.

Behavioral Improvements

  • We now give users notice if their updates are locally available (which they should be, for example, if composer is being used to manage the Concrete CMS upgrade process.) We will also no longer let admins use the updater if this setting is set to true (thanks mlocati)
  • Hero Image block now reports its height setting on immediate change of the slider (Thanks mehl)
  • If a site is configured to store their logs in files (instead of the database), the logs Dashboard page now informs administrators. (thanks ounziw)
  • ccm_paging_p page parameter is now no longer included in the canonical URL specified by the Search block (Thanks ccmEnlil)
  • You can now control whether the Page List block’s pagination parameter is added to the page’s canonical URL via a block setting (thanks ccmEnlil)
  • More core blocks are cached in more situations (thanks hissy)
  • Return errors in JSON format when the expected response should be in JSON in more cases (thanks mlocati)
  • Fix errors about undefined logger when using a custom EntryManager in Express.
  • If you access an /account/* protected page and are directed to login, you will be redirected back to the appropriate page on successful login completion.

Bug Fixes

  • Fixed bug where page type defaults were not editable by anyone but the super user even if other groups were added to the “Access Page Type Defaults” permission.
  • Fixed inability to select a new image or file when using the Concrete File Input component if that file had been deleted (thanks mlocati, danklassen)
  • Fixed bug where, if an Express form block was configured to upload files to a specific folder, and that folder was deleted, an error was thrown (thanks dimger)
  • Fixed bug where a file might appear in the Dashboard search results multiple times if it had a special character like an ampersand in it (thanks straatrakker)
  • Fixed log notice about polls feature not being available when rendering core blocks that use the polls feature (thanks biplobice)
  • Fixed bug where a site that used multi-site and had a site name with a special character in it would result in a broken multisite selector in the Dashboard (thanks patej)
  • Fixed typos and strings that could not be translated in the Concrete interface (thanks wtflm)
  • Fixed bug where attributes like Tags would not be properly displayed in the Document Library results table (thanks JohnTheFish)
  • Fixed: ability to activate page templates in a theme was missing in our Dashboard Page themes since the shift to the new Configure page.
  • Fixed erroneous description in the Tags block (thanks JohnTheFish)
  • Fix error that could happen when a global area is rendered on a site but there is no approved version of the global area (thanks biplobice)
  • Fixed error when searching by user group in some situations (thanks TMDesigns)
  • Added additional permission check to add file to folder endpoint (thanks JohnTheFish)
  • Fixed: CalendarEventVersion Entity missing getJSONObject method
  • Fixed: When “All Day” is checked during calendar event creation, end date becomes 1970 if submitted without changing the date
  • Fixed issue where 8.x sites that used the style customizer could have some styles lost upon upgrading to 9.x (thanks kaktuspalme)
  • Fix: Workflow Request message may include an empty page name

Developer Updates

  • Concrete CMS now supports PHP 8.5.
  • Concrete’s email functionality now depends on Symfony/Mailer instead of Laminas/Email. All simple use cases should be covered with no backward compatibility concerns.
  • Mail importing functionality has been removed from Concrete CMS. This functionality is not used by the core and is unlikely to be used by many third party packages. If this affects you, please get in touch.
  • Updated all PHP dependencies where possible.
  • Replaces anahkiasen/html-object with the updated (but still old) kylekatarnls/html-object, which adds some new methods and is better supported (fully backward compatible)
  • Added more granular controls to block controllers to determine their caching behaviors (including btCacheBlockOutputOnEditMode) (thanks hissy)
  • ConcreteFileManager.getFileDetails in JS now returns null if the file cannot be found. Some blocks that use custom JS may need to be updated to handle this (thanks mlocati)
  • We now show MySQL max_connections in environment details (thanks mlocati)
  • Built-in Concrete console commands for php cs fixer will now route to an external version of the library for greater control (thanks mlocati)
  • Added support for a new rcURL query string parameter that can be passed to /login/redirect which will allow users to be redirected to a specific URL after login. Uses an allowlist for security.

Backward Compatibility Notes

  • When dragging blocks out of a stack or from the clipboard panel into the page, we used to create a pointer to the original block, in order to save space and potentially make the block “updateable”. This was not ideal, and would lead to some weird edge cases where deleted versions of completely unrelated pages might change the contents of pages that had copied content from the original page. Instead, we now always create a copy when copying out of the clipboard or a stack. If you’d like to maintain a pointer to the original content and update content of a block on a separate schedule from the page, drag the entire stack into the page, and keep the stack updated separately.
9.4.8 Security relevant
⚠ Upgrade required
  • All listed security fixes apply only to Concrete CMS version 9; no patches are provided for version 8.
Security fixes
  • CVE-2026-3452 – Remote code execution via unserialize() of attacker‑controlled serialized data in block configuration (CVSS 4.0:8.9, AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
  • CVE-2026-3244 – Stored XSS in search block results (CVSS 4.0:4.8, AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N)
  • CVE-2026-3242 – Stored XSS via Switch Language block (CVSS 4.0:4.8)
Notable features
  • Improved performance on sites with large permission assignments
Full changelog

Behavioral Improvements

  • Improved performance on sites with large amounts of permission assignments.

Security Updates

  • All security fixes below are for Concrete CMS version 9 only. There will be no fixes for version 8.
  • Fixed CVE-2026-3452 by making columns and filterFields start from empty with commit 1286. Prior to the fix, an authenticated administrator could store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks, making Concrete CMS vulnerable to remote code execution. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks YJK of ZUSO ART for reporting H1 3549050.
  • Fixed CVE-2026-3244 with commit 12826 for H1 3542571. Prior to the fix, a stored cross-site scripting (XSS) vulnerability existed in the search block where page names and content were rendered without proper HTML encoding in search results. Authenticated administrators were able to inject malicious JavaScript through page names which executed when users searched for and viewed those pages in search results. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks zolpak for reporting HackerOne 3542571.
  • Fixed CVE-2026-3242 with commit 12826 for H1 3451125 to prevent administrators from being able to add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Phí văn Thiện (thienphi1480) for reporting HackerOne 3451125.
  • Fixed CVE-2026-3241 with commit 12826 for H1 3456482 for version 9 only to prevent administrators from being able to add cross-site scripting (XSS) into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box) in the "Legacy Form" block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Phí văn Thiện (thienphi1480) for reporting H1 3456482.
  • Fixed CVE-2026-3240 with commit 12826 for H1 3451114 to prevent an editor from using the Question field in the Legacy Form element to inject stored XSS. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks minhnn42, namdi, and quanlna2 from VCSLab-Viettel Cyber Security for reporting H1 3451114.
  • Fixed CVE-2026-2994 with commit 12826 for H1 3437650 to ensure the CSRF token is checked before changes to the group_id parameter are saved when using the Anti-Spam Allowlist Group Configuration. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks z3rco for reporting H1 3437650.
9.4.7 Security relevant
Security fixes
  • CVE-2025-64500 — Incorrect parsing of path info in Symfony Foundation libraries can lead to limited authorization bypass (patch applied).
  • CVE-2025-55166 — enshrined/svg-sanitized updated to improve security scanning of SVG files.
Notable features
  • YouTube block now embeds iframe code for stricter server compatibility
  • API endpoints now have defined operation IDs
  • Dashboard > Database Entities page displays PHP‑attribute‑defined entities
Full changelog

Behavioral Improvements

  • YouTube block view now contains iframe code to help YouTube render better under certain stricter web server settings (thanks MarcoKuoni)
  • We now define operation IDs for API endpoints (thanks hissy)
  • On the Dashboard > Database Entities page we now show entities that are defined using PHP attributes (not just entities) (thanks mlocati)

Bug Fixes

  • Fixed: Conversations file attachment icons and file attachment area are not formatted properly.
  • Fixed: conversation loader shows properly.
  • Fixed: The close “X” of the Workflow pop-up only has Atomik CSS and doesn’t show up in other themes
  • Fixed: Subscribe to Conversation "X" button does Unsubscribe/Subscribe button action
  • Fixed incorrect edit profile validation on username.
  • Fixed inability to rename a form block’s name through the block editing dialog once it has been added to the page.
  • Fixed bug when regional jQuery UI languages did not load in time (thanks mlocati)

Developer Updates

  • Updated dependencies to their latest minor versions.

Security Updates

  • Patched Symfony Foundation libraries to resolve this security issue: https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass
  • Updated enshrined/svg-sanitized, which improves security scanning of SVG files (see https://www.cve.org/CVERecord?id=CVE-2025-55166).
9.4.6 Bug fix
Notable features
  • Pretty URL configuration check with user warnings on the URLs and Redirection Dashboard
  • Additional logging for pages, files, Express entries/objects, and calendar events
  • Seconds displayed in log entry timestamps
Full changelog

New Features

  • We now check whether the web server appears to be properly configured to support pretty URLs on the URLs and Redirection Dashboard page, and present warnings to the user prior to allowing them to set this configuration value if it appears that it will cause their site to cease rendering (thanks mlocati)

Behavioral Improvements

  • Added additional logging to pages, files, Express entries/objects, and calendar events.
  • The “Remove Old Page Versions” task is now more efficient and handles larger data sets much more reliably (thanks biplobice)
  • We now show seconds in the log entry timestamp.
  • We now only redirect requests to URLs where trailing slash settings don’t match when using GET requests, rather than all requests (thanks JohnTheFish)

Bug Fixes

  • Fixed bug that caused container instances in the database to be deleted and recreated on each page load, potentially dramatically increasing DB usage on pages where containers were used.
  • Fixed bug where reordering Express entries on associations didn’t work under certain conditions.
  • Fixed: Can not go to pages on other sites from sitemap panel when using multisite (thanks hissy)
  • Fixed inability to retrieve group details over the REST API.
  • Fixed: ClassNotFoundError on accessing open api spec (thanks hissy)
  • Fixed: When using multisite, page drafts can be created within the wrong site (thanks hissy)
  • Fixed bug where Page List block pagination interface was buggy after update to 9.4.5 under certain conditions.
  • Fixed: When you hover over the tooltip icon near Image hover of Image Block, the tooltip does not appear (thanks SashaMcr)
  • Miscellaneous PHP8 fixes and code cleanup (thanks biplobice)
  • Made some untranslatable strings translatable (thanks wtflm)
9.4.5 Bug fix
Notable features
  • Controller buildRedirect now accepts a page object as first argument
Full changelog

Behavioral Improvements

  • We now no longer wrap Grid Framework-based layouts in an extra row and column class.
  • Fixed some UI quirks when mousing over table-based list views in the Dashboard.

Bug Fixes

  • Fixed: pages with editing canonical URLs are not correctly marked as in trash.
  • Fixed: Nesting "Free-Form Layout" type Areas/Layouts breaks honouring the "Spacing" value
  • Fixed: 5xx Server Error for calendar RSS feed.
  • Fixed bug where privacy policy accept banner appeared strangely on the Stacks Dashboard page.
  • Fixed bug where adding blocks to areas in the Dashboard Welcome screen would only allow you to add one block, and then you would be forced to reload the page.
  • Fixed bug where saving theme customizations could force custom CSS dialog to render multiple times.
  • Fixed notice error when configuring legacy themes.

Developer Updates

  • $controller->buildRedirect(...) can now take a page object as its first argument (thanks mnakalay)
9.4.4 New feature
Notable features
  • Renamed Dashboard page "Automated Logout" → "Logout Options" with new explicit logout‑message control options
  • Added option in Logging Settings to log stack traces of uncaught exceptions
Full changelog

New Features

  • Renamed “Automated Logout” Dashboard page to “Logout Options”; added options to the Dashboard page to control whether users see an explicit logout message when they log out.
  • Added an option to log stack traces of uncaught exceptions, available in the Logging Settings Dashboard page (thanks mlocati)

Behavioral Improvements

  • We now do a better job of keeping the current page in edit mode while you’re actively making changes to the page without it timing out (thanks mlocati)
  • Improvements to Page List blocks when dealing with large data sets of pages and not ignoring permissions (thanks hissy)
  • Improvements to button display in composer form and page versions panel when a page version has already been submitted to workflow (thanks hissy).
  • Images placed in the Hero Image block will now preload with a <link> tag in the header, improving performance scores in webmaster tools (thanks hissy)

Bug Fixes

  • Fixed bug where a user encounters an error when attempting to add a Form to a page via the Express Form block (thanks mlocati)
  • Fixed: Express Entry Detail Block not returning results in version 9.4.3 (thanks mlocati)
  • Fixed bug where certain web server configurations coupled with non-standard web requests could result in pages rendering with incorrect JS/CSS paths. Coupled with full page caching, such a request could result in a cached page with broken assets.
  • Fixed: Default HTTP client options found in config/app.php were old and mostly not properly honored. Now new proper config options and default values are provided (thanks ArniPL)
  • Fixed display bug in Chrome and possibly other browsers where the first click on a block in a page would briefly highlight the block with an opaque color, instead of the semi-transparent green it should.
  • Fixed PHP warnings in Text encoding service (thanks mlocati)
  • Fixed bug where filtering users by certain groups could return incorrect users if the group names were similar (thanks mlocati)
  • Fix the behavior of sitemap selector not working for level 3 and lower when working with the selectFromSitemap or selectMultipleFromSitemap methods in the PageSelector class (thanks parasek)
  • Fixed: multiple instances of the Social Links attribute do not work on a user profile page.
  • Fixed: Folder Name is not sorted correctly in document library (thanks SashaMcr)
  • Fixed many bugs and inconsistencies when importing and exporting attributes as CIF XML (thanks mlocati)
  • Fixed JavaScript error in Express Search Form: $(...).datepicker is not a function when using a date/time attribute with an Express List block (thanks hissy)
  • Fixed bug where "Display in browser" option was still forcing files to download when using the Document Library (thanks hissy)
  • Fixed: LinkAbstractor::export does not export concrete-picture element correctly (thanks hissy)
  • Avoid multiline comments in i18n comments (thanks mlocati)
  • Fixed: “undefined” text shown in confirmation modal when removing permissions in bulk via Page Search
9.4.3 Breaking risk
⚠ Upgrade required
  • Proxy settings now correctly forward https:// URLs
  • Marketplace add‑on downloads and updates use configured proxy server
Security fixes
  • CVE-2025-8571 — Reflected XSS in Conversation Messages Dashboard Page, CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N (score 4.8)
  • CVE-2025-8573 — Stored XSS from Home Folder on Members Dashboard page, CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N (score 2.8)
Notable features
  • Dashboard File Details now reports file usage for many block types
  • RSS Feed pages include a convenience link to view feed contents
  • Force download view_inline respects inline‑viewability, avoiding unnecessary downloads
Full changelog

Behavioral Improvements

  • Many block types that didn’t properly report their file usage to the Dashboard File Details page now do so (thanks mlocati)
  • RSS Feeds created and listed in the Dashboard now include a convenience link to view the contents of the feed (thanks Mesuva)
  • Force download view_inline will no longer download a file if the file is not viewable inline, instead it will just return (thanks Allan-macareux)
  • When comparing page versions, we will now sort the version IDs to ensure that you’re always comparing old versions to new versions regardless of the order of query string arguments, and we’ll also order the version IDs in the tab description more sensibly.
  • You can now set the background of stack contents in the Dashboard to a temporary white or black (does not affect content or how it's rendered) in order to assist when working on content that differs from the Dashboard color scheme (thanks mlocati)

Bug Fixes

  • Many bug fixes to the Concrete content import/export system (thanks mlocati)
  • Fixed bug where Concrete proxy settings were not sending URLs that were https:// through the proxy (thanks hissy)
  • Sites that registered a proxy server in the Dashboard will now use that proxy server when connecting to the marketplace for add-on downloads and updates (thanks hissy)
  • When editing the frontend of a site on mobile, the pages icon in the toolbar was positioned incorrectly. This is now fixed.
  • Fixed error when assigning a new page attribute to multiple pages via Page Search (thanks danklassen)
  • Fixed bug where Option List attributes that were defined through CIF XML on import or through custom code were not properly assigning to a page.
  • Fixed error where leaving a comment larger than 255 characters on a page version would trigger a database error (thanks SashaMcr)

Developer Updates

  • Massive improvements to block import and export, including the ability to import and export many block types that were not possible (Calendar, etc…) (thanks mlocati)
  • Minor translation improvements (thanks mlocati)
  • Certain ancient functions now marked as deprecated since PHP provides their functionality natively (thanks mlocati)
  • We now dispatch the "on_add_canonical_page_path" when adding a canonical path (thanks biplobice)
  • Fixed bug running the c5:ide-symbols console command under certain conditions (thanks mlocati)

Security Fixes

  • Fixed CVE-2025-8571 Reflected XSS in Conversation Messages Dashboard Page by adding more sanitization to the Url::setVariable method with commit 12643 for version 9 and commit 12646 for version 8. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if victim is an admin), the execution of unauthorized actions. Thanks Fortbridge for performing a penetration test and vulnerability assessment on Concrete CMS and reporting this issue.
  • Fixed CVE-2025-8573 Stored XSS from Home Folder on Members Dashboard page with commit 12643. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login. Version 8 is not affected. Thanks sealldev for reporting HackerOne 3145536.
  • Fixed inconsistent behavior when using the rich text editor. Before the fix, users pasting HTML into the “content” pane of the rich text editor and saving the content resulted in HTML-escaped versions of the content. Note that re-saving it would then save it as HTML.
8.5.21 Security relevant
Security fixes
  • CVE-2025-8571 — Reflected XSS in Conversation Messages Dashboard Page; CVSS v4.0 score 4.8 (AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N)
Notable features
  • When importing stacks, fallback to stack name if path does not exist
  • Block Types now allow exporting NULL values without abstracting zeroes
Full changelog

Behavioral Improvements

  • When importing stacks we first check to see if a stack path exists on the stack node, and fallback to stack name if it does not (thanks mlocati)
  • Block Types: allow exporting NULL, don't "abstract" zeroes on import/export (thanks mlocati)
  • Backported log handling tweaks (thanks SashaMcr)

Bug Fixes

  • Fix exporting aliases of deleted blocks (thanks mlocati)
  • Fixed: Copying an Express Entry List gives - Call to a member function getAreaHandle() (already included in version 9, backported)

Security Updates

  • Fixed CVE-2025-8571 Reflected XSS in Conversation Messages Dashboard Page by adding more sanitization to the Url::setVariable method with commit 12643 for version 9 and commit 12646 for version 8. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if victim is an admin), the execution of unauthorized actions. Thanks Fortbridge for performing a penetration test and vulnerability assessment on Concrete CMS and reporting this issue.
9.4.2 Bug fix
Notable features
  • File Chooser remembers last selected tab
  • Ability to disable automatic board regeneration via Board Settings
Full changelog

Behavioral Improvements

  • File Chooser will now remember the last tab you had selected (in addition to the current behavior of allowing site-wide setting of Recent Files or File Manager as the default option.)
  • Updated certain color values in Atomik theme skins to make them conform better to accessibility guidelines.
  • Updated certain Dashboard interfaces to look better in Dark mode.
  • SVG thumbnails and detail images are now properly displayed in the File Manager (thanks mnakalay)
  • When a block that is exported has custom design properties, we now only include the values that are set, rather than a potentially large amount of empty XML nodes (thanks mlocati)
  • Added the ability to disable automatic board regeneration using Board Settings.

Bug Fixes

  • Fixed errors that would occur when attempting to regenerate or schedule custom board elements without new Board Instance Logging enabled.
  • Fixed fatal error that would occur if OpenGraph support is enabled but rendered on a view where no page is present (thanks mlocati)
  • Searching file sets in the bulk add to file set dialog now works again.
  • File Tracker feature now correctly notes when files are referenced in rich text content (thanks mlocati)
  • Fixed bug where stack menu in the Dashboard didn’t show up on mobile (thanks SashaMcr)
  • Fixed weird padding on add pages menu item on mobile in the Dashboard.
  • Fixed appearance glitches in certain dialogs due to the way that jQuery UI dialog changed appending CSS classes to HTML elements.
  • Fixed error where a page without an active version appearing in the Top Navigation Bar would cause a sitewide error.
  • Fixed links not appearing properly in Concrete dialogs.
  • Fixed error where files identified by a UUID would not be exported properly when using the Migration Tool (thanks mlocati)
  • Fixed: Express Form - admin can check off notifications and not enter an email address (thanks danklassen)
  • Fixed occasional, unexplained errors when saving the Tags block.
  • Tags block now shows the tag selector again when applying tags to the target page when choosing a specific page.
  • Reverted page list performance improvement that actually degraded performance under certain conditions.
  • Fixed: Scheduled Publication of a page leads to an error in the Top Navigation block controller
  • Bug fixes to exported output of the Feature block type, Feature block type now uses the standard Destination Picker component for selecting link (thanks mlocati)
  • Fixed Uncaught Exception: Could not convert database value to 'object' as an error was triggered by the unserialization: 'Return type of Concrete\Core\Entity\Board\InstanceLogEntry::jsonSerialize() should either be compatible with JsonSerializable::jsonSerialize(): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice' under certain conditions (thanks ahukkanen)

Developer Updates

  • Classmap symbols files used by IDEs for Concrete development are now excluded from Composer (which will result in Composer reporting fewer errors when running) (thanks mlocati)
  • Allow defining custom parent dir for VolatileDirectory by passing $parentDirectory (thanks mlocati)
