5.9.14

• The PDO::MYSQL_ATTR_MULTI_STATEMENTS attribute is no longer set by default for database connections. (#18474)
• Added craft\elements\Entry::canMove().
• Fixed a bug where element selector modals weren’t showing any results if they were limited to sources that only exist for a different site than the active one. (#18478)
• Fixed low-severity information disclosure vulnerabilities. (GHSA-44px-qjjc-xrhq, GHSA-vgjg-248p-rfm2, GHSA-x76w-8c62-48mg)
• Fixed a moderate-severity access control vulnerability. (GHSA-6mrr-q3pj-h53w)
• Fixed moderate-severity information disclosure vulnerabilities. (GHSA-3pvf-vxrv-hh9c, GHSA-5pgf-h923-m958)
• Fixed a moderate-severity RCE vulnerability. (GHSA-86vw-x4ww-x467)
• Fixed a moderate-severity authorization bypass vulnerability. (GHSA-f582-6gf6-gx4g)

4.17.8

• The PDO::MYSQL_ATTR_MULTI_STATEMENTS attribute is no longer set by default for database connections. (#18474)
• Fixed low-severity information disclosure vulnerabilities. (GHSA-44px-qjjc-xrhq, GHSA-vgjg-248p-rfm2, GHSA-x76w-8c62-48mg)
• Fixed a moderate-severity access control vulnerability. (GHSA-6mrr-q3pj-h53w)
• Fixed moderate-severity information disclosure vulnerabilities. (GHSA-3pvf-vxrv-hh9c, GHSA-5pgf-h923-m958)

5.9.13

• The control panel is now translated into Greek. (#18458)
• The PDO::MYSQL_ATTR_MULTI_STATEMENTS attribute is now set to false by default for database connections.
• Fixed a bug where searchindex and searchindexqueue rows weren’t being deleted when an element was deleted for a site. (#18394)
• Fixed a bug where multi-select condition rules weren’t applying their “has a value” and “is empty” operators correctly. (#18470)
• Fixed an unintended change in behavior where craft\helpers\App::parseEnv() was returning null instad of an empty string, when an environment variable name was passed in, which was set to an empty string.
• Fixed a bug where drafts within “My Drafts” widgets weren’t getting hyperlinked. (#18456)
• Fixed a bug where nested entries were getting assigned new IDs if they were edited multiple times for the same owner element draft. (#18461)
• Fixed a bug where the “New Tab” button within field layout designers could be positioned incorrectly. (#18450)
• Fixed a high-severity RCE vulnerability. (GHSA-2fph-6v5w-89hh)
• Fixed a low-severity path traversal vulnerability. (GHSA-472v-j2g4-g9h2)

4.17.7

• The PDO::MYSQL_ATTR_MULTI_STATEMENTS attribute is now set to false by default for database connections.
• Fixed a bug where searchindex and searchindexqueue rows weren’t being deleted when an element was deleted for a site. (#18394)
• Fixed a bug where multi-select condition rules weren’t applying their “has a value” and “is empty” operators correctly. (#18470)
• Fixed a low-severity path traversal vulnerability. (GHSA-472v-j2g4-g9h2)

5.9.12

• Added craft\services\Tokens::getRemainingTokenUsages().
• Added craft\web\Request::getTokenRoute().
• Fixed a JavaScript error that could occur when opening or submitting a slideout.
• Fixed a high-severity permission escalation vulnerability. (GHSA-cc7p-2j3x-x7xf)

4.17.6

• Added craft\services\Tokens::getRemainingTokenUsages().
• Added craft\web\Request::getTokenRoute().
• Fixed a high-severity permission escalation vulnerability. (GHSA-cc7p-2j3x-x7xf)

5.9.11

• The nb locale is now treated as a fallback for no on environments where no isn’t supported. (#18431)
• Element indexes now show “Paste” buttons alongside bulk element action buttons. (#18427)
• Boolean environment variables now universally support truthy/falsy values, including on/off and yes/no. (#18441)
• Impoved the performance of craft\helpers\Typecast. (#18426)
• Added App::normalizeBooleanValue().
• Added craft\events\ExecuteGqlQueryEvent::$cacheDuration. (#18442)
• Added craft\events\ExecuteGqlQueryEvent::$cacheTags. (#18442)
• Added craft\web\Request::getWantsImage().
• Added craft\web\Request::getWantsJson().
• Added craft\web\Request::wants().
• Fixed a bug where 404 responses could be set to an image based on the brokenImagePath config setting for Chrome. (#18438)
• Fixed a bug where some Matrix bulk action labels weren’t getting translated.
• Fixed a bug where global nav items weren’t showing an icon if the icon was set to 0.
• Fixed moderate-severity RCE vulnerabilities. (GHSA-4484-8v2f-5748, GHSA-qx2q-q59v-wf3j)
• Fixed a low-severity XSS vulnerability. (GHSA-3x4w-mxpf-fhqq)
• Fixed a low-severity path traversal vulnerability. (GHSA-472v-j2g4-g9h2)

4.17.5

• Added craft\web\Request::getWantsImage().
• Added craft\web\Request::getWantsJson().
• Added craft\web\Request::wants().
• Fixed a bug where the control panel requests could trigger an infinite browser redirect loop. (#18420)
• Fixed a bug where 404 responses could be set to an image based on the brokenImagePath config setting for Chrome. (#18438)
• Fixed a moderate-severity RCE vulnerability. (GHSA-4484-8v2f-5748)
• Fixed a low-severity path traversal vulnerability. (GHSA-472v-j2g4-g9h2)

5.9.10

• slug columns referenced in element queries’ select, where, or orderBy expressions now explicitly resolve to elements_sites.slug. (#18416)
• Fixed a bug where the control panel requests could trigger an infinite browser redirect loop. (#18420)
• Fixed a bug where craft\helpers\App::parseBooleanEnv() wasn’t handling false values properly. (#18418)
• Fixed a bug where DECIMAL field values with 0 precision weren’t gettnig typecasted properly in element queries.

5.9.9

Warning

Relational condition rules’ element ID templates are now rendered in a sandboxed Twig environment, when enableTwigSandbox is enabled.

• Added craft\helpers\ElementHelper::cleanseQueryCriteria().
• Fixed an error that could occur when editing an element with a Table field. (#18408)
• Fixed an error that occurred when editing a Table field with no default rows. (#18407)
• Fixed a high-severity RCE vulnerability. (GHSA-fp5j-j7j4-mcxc)
• Fixed a high-severity SQL injection vulnerability. (GHSA-g7j6-fmwx-7vp8)