Concrete CMS 8.5.21
6 August 2025
Concrete CMS version 8.5.21 is now available (security release).
Upgrading to Concrete CMS 8.5.21
Concrete CMS 8.5.21 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Concrete CMS updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Concrete CMS install to test the 8.5.21 upgrade prior to applying it live.
What's New in Concrete CMS 8.5.21
8.5.21
Behavioral Improvements
- When importing stacks, we first check whether a stack path exists on the stack node, and fall back to the stack name if it does not (thanks mlocati)
- Block Types: allow exporting NULL, don't "abstract" zeroes on import/export (thanks mlocati)
- Backported log handling tweaks (thanks SashaMcr)
Bug Fixes
- Fix exporting aliases of deleted blocks (thanks mlocati)
- Fixed: copying an Express Entry List gives "Call to a member function getAreaHandle()" (already included in version 9, backported)
Security Updates
- Fixed CVE-2025-8571, a reflected XSS in the Conversation Messages Dashboard Page, by adding more sanitization to the Url::setVariable method with commit 12643 for version 9 and commit 12646 for version 8. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if the victim is an admin) the execution of unauthorized actions. Thanks Fortbridge for performing a penetration test and vulnerability assessment on Concrete CMS and reporting this issue.
8.5.20
New Features
- Significant improvements to content import/export: added support for multilingual page mapping, additional page paths, external links and more (thanks mlocati)
- Disabled searching marketplace since marketplace supports 9+ (thanks mlocati)
Bug Fixes
- Fix exporting area layout column when area is null (thanks mlocati)
- Fixed some small errors when importing stack content (thanks mlocati)
- Fix exporting page fields when page can't be found (thanks mlocati)
Security Updates
- Safer storage of API keys on Windows (not necessary for Concrete CMS v9+, see more information here https://github.com/concretecms/concretecms/pull/11859) (thanks mlocati)
- Fixed unsanitized address custom attribute when rendering addresses unattached to a particular country.
Developer Updates
- Page::getByPath can now accept a as well as a site tree and return all pages in all multilingual site trees therein (thanks mlocati)
- When importing pages at paths that don’t exist, we now throw a specific exception that can be handled differently in different cases (thanks mlocati)