Critical Releases

Follow 5.1.0 [CRITICAL]

2026-02-22T12:55:07+00:00

Fixed

Open redirect vulnerability in follow/unfollow actions. Redirect parameter is now validated via redirectToPostedUrl(). Could cause a potential phishing attack.
Follow and unfollow actions now require authentication and POST requests to prevent CSRF attacks.
toggle() method having inverted logic (follow when already following, unfollow when not following).
createFollow() returning true even when the database save failed, and leaving transactions uncommitted.
deleteFollow() throwing a fatal error on race conditions when the record is already deleted.

Removed

Unused FollowService import and stale composer.json component reference.

Formie 3.1.14 [CRITICAL]

2026-02-18T11:16:30+00:00

Changed

Updated Summary field AJAX requests to use submission UIDs.

Formie 2.2.13 [CRITICAL]

2026-02-18T11:15:49+00:00

Changed

Updated Summary field AJAX requests to use submission UIDs.

Azure Blob Storage 2.1.1 [CRITICAL]

2026-02-18T01:57:58+00:00

Fixed a critical-severity information disclosure vulnerability. (GHSA-q6fm-p73f-x862)

Formie 3.1.13 [CRITICAL]

2026-02-14T01:41:22+00:00

Fixed

Fix lack of sanitization of File Upload files, where the Upload Location subpath contained variables.

Formie 2.2.12 [CRITICAL]

2026-02-14T01:36:19+00:00

Fixed

Fix lack of sanitization of File Upload files, where the Upload Location subpath contained variables.

Craft CMS 5.6.17 [CRITICAL]

2025-04-10T22:42:46+00:00

Fixed an RCE vulnerability.

Craft CMS 4.14.15 [CRITICAL]

2025-04-10T22:40:44+00:00

Fixed an RCE vulnerability.

Craft CMS 3.9.15 [CRITICAL]

2025-04-10T22:37:41+00:00

Fixed an RCE vulnerability.

Craft CMS 3.9.14 [CRITICAL]

2024-12-19T18:59:34+00:00

Fixed an RCE vulnerability.

Template Guard 4.0.0 [CRITICAL]

2024-12-11T17:47:50+00:00

If you're using a custom login template you'll have to replace action="proxy.php?url={{ craft.app.request.getParam('ref') }}" with action="proxy.php?url={{ craft.templateGuard.loginFormAction() }}".

The ref query param used on the login page is now protected against tampering.

SAML SSO Service Provider 4.3.1 [CRITICAL]

2024-12-03T15:31:19+00:00

Fixed

SECURITY PATCH - Update REQUIRED! More info can be found here: https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2#event-375127

SAML SSO Service Provider 5.1.2 [CRITICAL]

2024-12-03T15:22:24+00:00

Fixed

SECURITY PATCH with saml-core/saml2 dependencies. Update REQUIRED! More info can be found here: https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2#event-375127

Craft CMS 5.5.2 [CRITICAL]

2024-11-19T17:17:55+00:00

Fixed an error that could occur if an invalid folder ID was passed to craft\services\Assets::deleteFoldersByIds(). (#16147)
Fixed a SQL error that occurred when creating a new Single section. (#16145)
Fixed an error that occurred when running the resave/all command, if any of the options passed weren’t supported by other resave/* commands. (#16148)
Fixed an error that occurred when restoring a soft-deleted custom field. (#16150)
Fixed an RCE vulnerability.

Craft CMS 4.13.2 [CRITICAL]

2024-11-19T17:16:37+00:00

Fixed an error that could occur if an invalid folder ID was passed to craft\services\Assets::deleteFoldersByIds(). (#16147)
Fixed an RCE vulnerability.

Blitz 5.7.0 [CRITICAL]

2026-01-06T19:21:16+00:00

This update includes a fix for an issue in which Blitz could send incorrect Cache-Control headers. Please read this article to find out whether the issue affects your site, and what you should do. To ensure the changes in this update are applied, the cache should be refreshed after this update completes.

Added

Added a check for whether the cache should be refreshed after every request has ended, meaning that setting the RefreshCacheService::batchMode property no longer serves a purposes and can be safely removed.
Added compatibility with Craft 5.3.0 for detecting eager-loading opportunities in the Blitz Hints utility.

Changed

The expiry date displayed in the element sidebar panel now reflects the entry’s expiry date, if set and sooner than the cached page’s expiry date (#698).
The refreshCacheEnabled config setting is now actually respected.

Fixed

Fixed the default cache control header values that were inadvertently set to incorrect values (learn more).
Fixed the nested element type count displayed in the Blitz Diagnostics utility.
Fixed a bug in which the date cached and expiry dates were not being displayed in the correct timezone in the element sidebar panel (#698).
Fixed a bug in which the homepage was not being displayed as cached in the element sidebar panel.
Fixed a bug that was causing integrity constraint violation errors to be logged (#699).

Deprecated

Deprecated the RefreshCacheService::batchMode property.

Blitz 4.23.0 [CRITICAL]

2026-01-06T19:22:57+00:00

This update includes a fix for an issue in which Blitz could send incorrect Cache-Control headers. Please read this article to find out whether the issue affects your site, and what you should do. To ensure the changes in this update are applied, the cache should be refreshed after this update completes.

Added

Added a check for whether the cache should be refreshed after every request has ended, meaning that setting the RefreshCacheService::batchMode property no longer serves a purposes and can be safely removed from your code.

Changed

Blitz now requires Craft CMS 4.5.11 or later.
The expiry date displayed in the element sidebar panel now reflects the entry’s expiry date, if set and sooner than the cached page’s expiry date (#698).

Fixed

Fixed the default cache control header values that were inadvertently set to incorrect values (learn more).
Fixed a bug in which the date cached and expiry dates were not being displayed in the correct timezone in the element sidebar panel (#698).
Fixed a bug in which the homepage was not being displayed as cached in the element sidebar panel.

Deprecated

Deprecated the RefreshCacheService::batchMode property.

Element Exporter 4.1.3 [CRITICAL]

2024-08-19T17:12:45+00:00

Fixed

Fixed an bug where exports would be deteled when the system ran Garbage Collection. You'll have to update to this version and recreate your exports.

Maps 3.9.5 [CRITICAL]

2024-07-10T09:47:10+00:00

Security

Removed Polyfill.io (https://sansec.io/research/polyfill-supply-chain-attack)

PayPal Checkout for Craft Commerce 3.0.1 [CRITICAL]

2024-06-27T15:07:33+00:00

Added craft\commerce\paypalcheckout\gateways\Gateway::showPaymentFormSubmitButton().
Fixed a supply chain security vulnerability.