9.5.2 Release Notes

Behavioral Improvements

  • Page attributes are now grouped by set in the Composer Add Form Control dialog.

Bug Fixes

  • Advanced board templates that used the $summaryObject variable within them should now work again.
  • Restored the old behavior for blocks that use a custom template that doesn’t actually exist in the filesystem: the block would not render anything; now it renders the default view (as it used to).
  • Fixed: In the date output of a calendar event there was a closing anchor tag which appears to be out of place (thanks danklassen)

Developer Updates

  • Added on_package_test_for_uninstall, on_before_package_uninstall and on_after_package_uninstall events.

Security Fixes

  • Updated third-party composer libraries to close out new security vulnerabilities in our upstream dependencies like twig/twig, symfony/yaml, and others.
  • Added allowed_classes to unserialize() in Permission, Cache, and Search to prevent PHP Object Injection (thanks XananasX7 for reporting and providing a pull request). CVE-2026-10721 was created for this vulnerability.
  • Added allowed_classes to unserialize() in Form blocks and File/Set to prevent PHP Object Injection (thanks XananasX7 for providing a pull request and also Sanjorn Keeratirungsan for reporting H1 3756743). CVE-2026-7888 was created for this vulnerability. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 8.4 with vector CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N.
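
What the allowed_classes option changes for the two unserialize() fixes above, as an added example that is not Concrete CMS code: TempFileCleaner, has_blocked_object() and safe_unserialize() are hypothetical names, and the serialized string is constructed for the demonstration.

```php
<?php
// Hypothetical class with a side-effecting magic method (not from Concrete CMS).
final class TempFileCleaner
{
    public static $log = [];
    public $path = '';

    public function __destruct()
    {
        // A real class might delete $this->path; this one only records the call.
        self::$log[] = $this->path;
    }
}

// True if the decoded value holds an object that unserialize() refused to build.
function has_blocked_object($value)
{
    if (is_array($value)) {
        return (bool) array_filter($value, 'has_blocked_object');
    }
    return $value instanceof __PHP_Incomplete_Class;
}

// Hypothetical helper for stored data that should contain only scalars and arrays.
function safe_unserialize($blob)
{
    $value = @unserialize($blob, ['allowed_classes' => false]);
    if ($value === false && $blob !== serialize(false)) {
        throw new UnexpectedValueException('Malformed serialized data');
    }
    if (has_blocked_object($value)) {
        throw new UnexpectedValueException('Serialized data contains an object');
    }
    return $value;
}

// Constructed sample: an array that carries a TempFileCleaner object.
$blob = 'a:2:{s:4:"name";s:7:"contact";s:5:"extra";O:15:"TempFileCleaner":1:{s:4:"path";s:9:"/tmp/demo";}}';

$legacy = unserialize($blob);   // unrestricted call: the object is instantiated
unset($legacy);                 // and its destructor runs when the value is freed
echo 'unrestricted: ', count(TempFileCleaner::$log), " destructor call(s)\n";

TempFileCleaner::$log = [];
try {
    safe_unserialize($blob);
} catch (UnexpectedValueException $e) {
    echo 'restricted: ', $e->getMessage(), ', ', count(TempFileCleaner::$log), " destructor call(s)\n";
}
```

Where stored data legitimately contains objects, allowed_classes also accepts an array of class names, so only those classes are instantiated and everything else becomes __PHP_Incomplete_Class.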