Concrete CMS 9.4.3
6 August 2025
Concrete CMS version 9.4.3 is now available (major release).
Upgrading to Concrete CMS 9.4.3
Concrete CMS 9.4.3 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Concrete CMS updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Concrete CMS install to test the 9.4.3 upgrade prior to applying it live. Get started managing your Concrete CMS installations with Installatron.
What's New in Concrete CMS 9.4.3
9.4.3
Behavioral Improvements
- Many block types that didn’t properly report their file usage to the Dashboard File Details page now do so (thanks mlocati)
- RSS Feeds created and listed in the Dashboard now include a convenience link to view the contents of the feed (thanks Mesuva)
- The force-download view_inline action will no longer download a file if the file is not viewable inline; instead it will just return (thanks Allan-macareux)
- When comparing page versions, we will now sort the version IDs to ensure that you’re always comparing old versions to new versions regardless of the order of query string arguments, and we’ll also order the version IDs in the tab description more sensibly.
- You can now set the background of stack contents in the Dashboard to a temporary white or black (does not affect content or how it's rendered) in order to assist when working on content that differs from the Dashboard color scheme (thanks mlocati)
Bug Fixes
- Many bug fixes to the Concrete content import/export system (thanks mlocati)
- Fixed bug where Concrete proxy settings were not sending URLs that were https:// through the proxy (thanks hissy)
- Sites that registered a proxy server in the Dashboard will now use that proxy server when connecting to the marketplace for add-on downloads and updates (thanks hissy)
- When editing the frontend of a site on mobile, the pages icon in the toolbar was positioned incorrectly. This is now fixed.
- Fixed error when assigning a new page attribute to multiple pages via Page Search (thanks danklassen)
- Fixed bug where Option List attributes that were defined through CIF XML on import or through custom code were not properly assigning to a page.
- Fixed error where leaving a comment larger than 255 characters on a page version would trigger a database error (thanks SashaMcr)
Developer Updates
- Massive improvements to block import and export, including the ability to import and export many block types that were not possible (Calendar, etc…) (thanks mlocati)
- Minor translation improvements (thanks mlocati)
- Certain ancient functions now marked as deprecated since PHP provides their functionality natively (thanks mlocati)
- We now dispatch the "on_add_canonical_page_path" when adding a canonical path (thanks biplobice)
- Fixed bug running the c5:ide-symbols console command under certain conditions (thanks mlocati)
Security Fixes
- Fixed CVE-2025-8571, reflected XSS in the Conversation Messages Dashboard page, by adding more sanitization to the Url::setVariable method with commit 12643 for version 9 and commit 12646 for version 8. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if the victim is an admin) the execution of unauthorized actions. Thanks Fortbridge for performing a penetration test and vulnerability assessment on Concrete CMS and reporting this issue.
- Fixed CVE-2025-8573, stored XSS from the Home Folder on the Members Dashboard page, with commit 12643. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login. Version 8 is not affected. Thanks sealldev for reporting HackerOne 3145536.
- Fixed inconsistent behavior when using the rich text editor. Before the fix, users pasting HTML into the “content” pane of the rich text editor and saving the content resulted in HTML-escaped versions of the content. Note that re-saving it would then save it as HTML.
9.4.2
Behavioral Improvements
- File Chooser will now remember the last tab you had selected (in addition to the current behavior of allowing site-wide setting of Recent Files or File Manager as the default option.)
- Updated certain color values in Atomik theme skins to make them conform better to accessibility guidelines.
- Updated certain Dashboard interfaces to look better in Dark mode.
- SVG thumbnails and detail images are now properly displayed in the File Manager (thanks mnakalay)
- When a block that is exported has custom design properties, we now only include the values that are set, rather than a potentially large amount of empty XML nodes (thanks mlocati)
- Added the ability to disable automatic board regeneration using Board Settings.
Bug Fixes
- Fixed errors that would occur when attempting to regenerate or schedule custom board elements without new Board Instance Logging enabled.
- Fixed fatal error that would occur if OpenGraph support is enabled but rendered on a view where no page is present (thanks mlocati)
- Searching file sets in the bulk "add to file set" dialog now works again.
- File Tracker feature now correctly notes when files are referenced in rich text content (thanks mlocati)
- Fixed bug where stack menu in the Dashboard didn’t show up on mobile (thanks SashaMcr)
- Fixed weird padding on add pages menu item on mobile in the Dashboard.
- Fixed appearance glitches in certain dialogs due to the way that jQuery UI dialog changed appending CSS classes to HTML elements.
- Fixed error where a page without an active version appearing in the Top Navigation Bar would cause a sitewide error.
- Fixed links not appearing properly in Concrete dialogs.
- Fixed error where files identified by a UUID would not be exported properly when using the Migration Tool (thanks mlocati)
- Fixed: Express Form - admin can check off notifications and not enter an email address (thanks danklassen)
- Fixed occasional, unexplained errors when saving the Tags block.
- Tags block now shows the tag selector again when applying tags to the target page when choosing a specific page.
- Reverted page list performance improvement that actually degraded performance under certain conditions.
- Fixed: Scheduled Publication of a page leads to an error in the Top Navigation block controller
- Bug fixes to the exported output of the Feature block type; the Feature block type now uses the standard Destination Picker component for selecting links (thanks mlocati)
- Fixed Uncaught Exception: Could not convert database value to 'object' as an error was triggered by the unserialization: 'Return type of Concrete\Core\Entity\Board\InstanceLogEntry::jsonSerialize() should either be compatible with JsonSerializable::jsonSerialize(): mixed, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice' under certain conditions (thanks ahukkanen)
Developer Updates
- Classmap symbols files used by IDEs for Concrete development are now excluded from Composer (which will result in Composer reporting fewer errors when running) (thanks mlocati)
- Allow defining custom parent dir for VolatileDirectory by passing $parentDirectory (thanks mlocati)
9.4.1
Behavioral Improvements
- Correctly initialize HTTP client in FeedService so that it is a singleton (thanks mlocati)
- We now forget pages from the page index when they are moved to the trash.
- Improved performance when using the core translation library to extract strings from templates into .po files (thanks mlocati)
Bug Fixes
- Fixed: User without stack editing permissions can add blocks to global areas
- Fixed: User without add stack permission can edit or delete blocks on global areas
- Fixed: new 9.4 OpenGraph feature doesn't escape characters in page name/descriptions (thanks mlocati)
- Concrete JS and CSS assets were not properly built in 9.4.0, leading to some display issues (buttons appearing in a slightly different styling, etc…). This has been fixed.
- The Gallery block displayed an error when being edited with the default Atomik sample content under PHP 8.4 and possibly under other conditions. This was due to an incompatible version of its JS dragging library being included. This has been fixed.
- Fixed: New 9.4.0 OpenGraph feature not compatible with SVG files
- The Gallery sample content in Atomik displayed extra slides under PHP 8.4 and possibly other conditions. This has been fixed.
Developer Updates
- Added a new method to the Seo class and changed the class properties from private to protected (thanks biplobice)
9.4.0
New Features
- Significant Improvements to Error Handling, including the ability to map PHP error types to different behaviors, a cleaner debug error handling page, and more.
- Significant improvements to logging, including providing links over to user profile pages from logs, adding page identifiers to log messages, and much more.
- Atomik theme now has five new skins available.
- Improvements to task resiliency, including better logging of task errors and better display of errors in the command line; batch tasks now continue running even if one task in the batch fails.
- Added the ability to bulk set page caching settings in the Dashboard page search interface.
- Added the ability to bulk edit page type, page template and theme in the Dashboard page search interface.
- Dashboard and CMS now support dark mode! Set light mode or dark mode globally, or use your OS settings.
- New Appearance Dashboard page (replaces Accessibility and includes existing Accessibility settings)
- Added support for Open Graph to the core; head to the Open Graph Dashboard page to configure which page properties and attributes populate the Open Graph tags.
- Significant improvements to content import/export: added support for multilingual page mapping, additional page paths, external links and more (thanks mlocati)
- Added the ability to specify storage and whether to override existing items when importing config values (thanks mlocati)
- Added a Dashboard page allowing users to control which summary templates are available for which categories of content.
- Added the ability to view detailed logging information on a board instance level when troubleshooting board behaviors.
- Added “Total File Downloads” as an available column to the file manager (thanks SashaMcr)
- Add support for Bluesky to Social Links (thanks mlocati)
Behavioral Improvements
- Concrete is now tested to run under PHP 8.4.
- Boards will now automatically refresh and regenerate their contents when relevant content displayed in them is added or changed throughout the site.
- Much improved performance when working with external file storage locations like AWS S3.
- Added a new config value, misc.img_src_absolute, that defaults to false. When set to true, absolute URLs will be used when serving assets from the file manager (useful when using the data in your site for other purposes like sending emails, etc.) (thanks mlocati)
- Added the ability to include system pages in the Dashboard Page search.
- Update Languages Dashboard page now gives better feedback when updating languages (thanks mlocati)
- Accordion/FAQ/Image Slider/Survey: improvements and fixes to exporting/importing secondary tables (thanks mlocati)
- Made the “page publish start date” input field required when enabled, so that users don’t accidentally publish pages when not intending to do so (thanks bikerdave)
- Added a condition on the site tree ID when creating the multilingual URL for a single page that is in the site tree (thanks 6tematik)
- We now specify the file download from the Document Library (thanks ounziw)
- Performance improvements when retrieving certain page data (thanks hissy)
- Date and time of scheduled tasks is now shown in a friendlier format (thanks hissy)
- Removing orphaned blocks will now no longer remove orphaned blocks from potentially unrelated pages, if those blocks had been shared via page defaults (not common) (thanks hissy)
- Performance improvement: Do not get style sets and global stacks repeatedly (thanks hissy)
- Performance improvements to the PageList class (thanks hissy)
- Gallery block record is now cacheable (thanks hissy)
- Admins can now add pages beneath system pages in the sitemap
- Do not throw an exception at the messenger backend when unauthorized (thanks ahukkanen)
- RSS Displayer Block now supports ATOM feeds.
- Improvement: accessibility for accessibility settings (thanks nratering)
- The CONCRETE and CONCRETE_LOGIN cookies now respect the SameSite setting (thanks gutig)
- Redirect in case express form submit happens without a valid Express Form in the Dashboard (thanks ahukkanen)
- Added a timeout to the feed service so that malformed or unusual feeds can't hang the whole operation
- Block Types: allow exporting NULL, don't "abstract" zeroes on import/export (thanks mlocati)
- When importing stacks we first check to see if a stack path exists on the stack node, and fallback to stack name if it does not (thanks mlocati)
Bug Fixes
- Fixed error where RSS feeds that were set up to filter by a parent page would die if that parent page were put in the trash (thanks mlocati)
- Fix wrong arguments passed from Page\AddBlock dialog controller to the view (thanks mlocati)
- Fixed "Creation of dynamic property" warning in the PageView class under certain conditions in PHP 8+ (thanks jgarc186)
- Miscellaneous PHP8 missing property bugs (thanks jgarc186)
- Fixed: Text Area User Attribute / Ckeditor not showing on edit profile when wrapped with custom theme
- Fixed inability to set separate active theme for sites from the theme Dashboard page when multisite was enabled.
- Fixed: Grid framework views are broken in some edge cases (thanks hissy)
- Fixed: Rename Express Object does not rename results folder name
- Fixed: When installing a Snippet using the CIF format in a package if you bump up the version of the package the Snippets attempt to install a second time and return an error
- Fixed issues selecting file manager folders when moving files under certain conditions (thanks hissy)
- Fixed bug where visiting a folder in the frontend file chooser and then deleting it in the file manager would render the frontend file chooser unusable.
- Fixed inconsistencies when adding, editing and removing multiple Express form set controls via the Dashboard UI.
- Fixed bug where certain kinds of select options could break the ability to run the Migration Tool exporter (thanks bitterdev)
- Fix AreaLayout::getByID() with a nonexistent layout ID (thanks ahukkanen)
- Fixed bug in Concrete’s implementation of PHP Redis
- Fix rendering content block images with custom width or height under certain conditions (thanks mlocati)
- Fix issues with the search block and page list with unexpected parameters (thanks ahukkanen)
- Check attribute validation data is set before validation (thanks ahukkanen)
- Fix error when retrieving theme grid layout name when theme does not support grid framework (thanks ahukkanen)
- Fix exporting aliases of deleted blocks (thanks mlocati)
- Fix file download stats issue when related page ID is out of range (thanks ahukkanen)
- Fix clicking on "sort by" labels while adding/editing a board (thanks mlocati)
- Fixed error when reindexing pages with certain Express blocks and attributes attached to them when the cache is disabled (thanks ahukkanen)
- Fixed error “Only variables should be passed by reference” on user notifications page under PHP strict mode (thanks jgarc186)
- Fix: PHP 8 compatibility issue in legacy form submissions CSV export (thanks bitterdev)
- Fixed some small errors when importing stack content (thanks mlocati)
- Fix exporting page fields when page can't be found (thanks mlocati)
Developer Improvements
- package-pack command now excludes phpunit.xml and tests directory when preparing a package for distribution (thanks biplobice)
- Added the ability to include json strings as config in Concrete import XML (thanks mlocati)
- When importing pages at paths that don’t exist, we now throw a specific exception that can be handled differently in different cases (thanks mlocati)
- Fixed bug where output from tasks would not appear in realtime, even if using Mercure.
- Content blocks that use btExportContentColumns will have their content properly exported without having to implement their own export and getImportData methods (thanks mlocati)
Security Updates
- Fixed CVE-2025-0660, stored XSS in the folder function, by adding sanitization to the folder selector dropdown output with commit 11bef02 and by fixing folder deletion issues with commit 7c134e9 for version 9. The "Add Folder" functionality lacked input sanitization, allowing a rogue admin to inject XSS payloads as folder names. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. Versions below 9 are not affected. Thanks Alfin Joseph for reporting HackerOne 2941432.
- Fixed CVE-2025-3153, CSRF and XSS in the Concrete CMS Address attribute, with commit 12511 for version 9 and with commit 12511 for version 8.5. The fix sanitizes the address custom attribute when rendering addresses not attached to a particular country. Attackers are limited to individuals whom a site administrator has granted the ability to fill in an address attribute. The attacker could glean limited information from the site, but the amount and type are restricted by mitigating controls and the attacker's level of access. Limited data modification is possible. The Dashboard page itself could be rendered unavailable. The fix only sanitizes new data entered after the update to Concrete CMS 9.4.0RC2. Existing database entries added before the update will still be “live” if exploits were successfully added under previous versions; a database search is recommended. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 5.1 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L. Thanks Myq Larson for reporting.
Backward Compatibility Notes
- If you use the concrete/bin/concrete c5:boards:refresh command, please note that the --regenerate option is now gone; the refresh command now only regenerates boards, making this option unnecessary. If you have cronned this command, please update the cron, otherwise the command may not function properly (it will error out, complaining about an invalid option).
- The concrete/bin/concrete c5:reindex command no longer works properly, and hasn’t for several versions (see https://github.com/concretecms/concretecms/issues/12455). In 9.4.0 this command has been removed. Instead, use concrete/bin/concrete task:reindex-content, which accomplishes what this command should (thanks ahukkanen)
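As an added example, not Installatron's or Concrete CMS's own code: a small POSIX shell helper that flags and rewrites crontab lines still using the two command forms dropped in 9.4.0 (c5:boards:refresh --regenerate and c5:reindex). The sample crontab and its install path /var/www/example are constructed.

```shell
#!/bin/sh
# Added example, not part of the Installatron page or Concrete CMS itself.
# Two 9.4.0 changes break existing cron entries:
#   - c5:boards:refresh no longer accepts --regenerate (the command errors out)
#   - c5:reindex was removed; task:reindex-content replaces it
# Both helpers read cron lines on stdin (e.g. piped from `crontab -l`).

# Print every line that still uses a removed form. Inherits grep's exit
# status: 0 when at least one stale line was found, 1 when the input is clean.
concrete_cron_stale() {
  grep -E 'c5:boards:refresh[[:space:]].*--regenerate|c5:reindex([[:space:]]|$)'
}

# Rewrite stale lines; lines that are already fine pass through unchanged.
# Only POSIX basic regular expressions are used so this also works with BSD sed.
fix_concrete_cron() {
  sed -e 's/\(c5:boards:refresh.*\)[[:space:]][[:space:]]*--regenerate/\1/' \
      -e 's/c5:reindex\([[:space:]]\)/task:reindex-content\1/' \
      -e 's/c5:reindex$/task:reindex-content/'
}

# Constructed sample crontab: both problem cases plus one line that is fine.
SAMPLE_CRONTAB='*/15 * * * * /var/www/example/concrete/bin/concrete c5:boards:refresh --regenerate
0 3 * * * /var/www/example/concrete/bin/concrete c5:reindex
0 4 * * * /var/www/example/concrete/bin/concrete task:run-all'

# Usage: list what is stale, then print the corrected crontab.
printf '%s\n' "$SAMPLE_CRONTAB" | concrete_cron_stale || true
printf '%s\n' "$SAMPLE_CRONTAB" | fix_concrete_cron
```

Review the rewritten output before installing it with `crontab`, since the helper only knows about these two commands.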