Update Feed

Concrete CMS 9.4.7

8 December 2025

Concrete CMS version 9.4.7 is now available.

Upgrading to Concrete CMS 9.4.7

Concrete CMS 9.4.7 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Concrete CMS updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Concrete CMS install to test the 9.4.7 upgrade prior to applying it live. Get started managing your Concrete CMS installations with Installatron

What's New in Concrete CMS 9.4.7

Security

Patched Symfony Foundation libraries to resolve this security issue: https://symfony.com/blog/cve-2025-64500-incorrect-parsing-of-path-info-can-lead-to-limited-authorization-bypass
Updated enshrined/svg-sanitized, which improves security scanning of SVG files (see https://www.cve.org/CVERecord?id=CVE-2025-55166).

Behavioral Improvements

YouTube block view now contains iframe code to help YouTube render better under certain stricter web server settings (thanks MarcoKuoni)
We now define operation IDs for API endpoints (thanks hissy)
On the Dashboard > Database Entities page we now show entities that are defined using PHP attributes (not just entities) (thanks mlocati)

Bug Fixes

Fixed: Conversations file attachment icons and file attachment area are not formatted properly.
Fixed: conversation loader shows properly.
Fixed: The close “X” of Workflow pop-up only has Atomik css & doesn’t show up in other theme
Fixed: Subscribe to Conversation "X" button does Unsubscribe/Subscribe button action
Fixed incorrect edit profile validation on username.
Fixed inability to rename a form block’s name through the block editing dialog once it has been added to the page.
Fixed bug when regional jQuery UI languages did not load in time (thanks mlocati)