6.0.0-alpha.8

• Added CraftCms\Cms\Twig\AllowableInSandbox.
• Fixed a bug where Blade templates weren’t loading for text/Markdown mail. (#19106)
• Fixed a bug where it wasn’t possible to change the primary site, or edit site statuses. (#19109)

5.10.7

• Added craft\web\twig\AllowableInSandbox.
• Fixed a bug where craft\helpers\App::parseEnv() wasn’t resolving aliases for environment variables that referenced an alias (e.g. @root/storage/rebrand). (#19108)
• Fixed a bug where the “Parent” field on Structure entries’ edit pages wasn’t showing the parent entry if it didn’t exist for the same site being edited, causing the parent relationship to be lost on save. (#19110)
• Fixed a high-severity RCE vulnerability.

4.18.3

• Added craft\web\twig\AllowableInSandbox.
• Fixed a high-severity RCE vulnerability.

6.0.0-alpha.7

• Added a new core Markdown field (#18960)
• Added a way for fields to track references and register a deletion blocker for them (#19014)
• Added CraftCms\Cms\Validation\Events\ValidationRulesResolving::$ruleset.
• Relaxed the allowed types in the ValidationRulesResolving event to include any implementation ValidatesWithRuleset or a Illuminate\Http\Request object.
• Renamed CraftCms\Cms\Validation\Events\ValidationRulesResolving::$component to $subject.
• Relocated CraftCms\Cms\Element\Validation\Events\ValidationRulesResolving to CraftCms\Cms\Validation\Events\ to reflect its broader applicability to components and rulesets.
• Fixed errors that could occur when Craft user elements were expected but the authenticated user was resolved as a Laravel user model. (#19051)
• Fixed a bug where the craft:install command would hang if run within a production environment.
• Fixed a bug where “Replace relation” action buttons weren’t working.
• Fixed a “Invalid URL” JavaScript error in the control panel. (#19041)
• Fixed an error that could occur during Craft 6 upgrades when legacy relational or Matrix field settings included showCardsInGrid. (#19047)
• Fixed a bug where queue job progress labels weren’t getting translated.
• Fixed a bug where the control panel sidebar and Queue Manager were showing completed jobs.
• Fixed a bug where CraftCms\Yii2Adapter\Mixins\ValidateMixin::addErrors() had incorrect arguments. (#19065)
• Fixed a bug where plugin templates were not being loaded correctly
• Fixed a bug where query string params were getting registered as variables in Twig templates. (#19090)
• Fixed a bug where parsed site URLs would get saved to the project config. (#19092)

5.10.6

• Forward slashes in query strings are now encoded. (#19057)
• Added craft\controllers\EVENT_BEFORE_SAVE_IMAGE. (#19068)
• Added craft\events\SaveAssetImageEvent. (#19068)
• Added craft\web\Request::getPreviewParam().
• Updated Axios to 1.17.0. (#19053)
• Fixed a bug where no-cache and X-Robots-Tag: none headers weren’t always being sent for requests with x-craft-preview or x-craft-live-preview query string params. (#19060)
• Fixed a bug where the “Delete” element edit page action wasn’t working properly when editing a provisional draft.
• Fixed a bug where craft\helpers\App::parseEnv() wasn’t returning boolean values for environment variable names that resolved to true/false values. (#19029)
• Fixed a bug where the submit button within Live Preview was labelled “Submit” rather than “Save”. (#19056)
• Fixed a bug where the selected site wasn’t being remembered after saving an element. (#19054)
• Fixed a bug where transformed SVG images could have two sets of width and height attributes. (#1902w7)
• Fixed an infinite recursion bug. (#19063)
• Fixed a JavaScript error that could occur if there was an error rendering an element condition rule’s Twig template.
• Fixed a bug where relational fields’ element selector modals weren’t showing any results if they were configured to only relate to elements in a specific site, and the author didn’t have permission to access that site. (#19078)
• Fixed a bug where element cards were showing preview values for conditionally-hidden fields. (#19064)
• Fixed a bug where some bulk element actions could exhaust the memory limit on large selections. (#19070)
• Fixed a SQL error that could occur when uploading an asset, if it contained non-UTF-8 alt text in its metadata. (#19069)
• Fixed an error that could occur when editing an entry if a soft-deleted user had recently edited the same entry. (#19081)
• Fixed a PHP error that occurred when setting general config settings via config/general.console.php or config/general.web.php. (#19083)
• Fixed a bug where address cards would show “0, 0” for Longitude/Latitude values when neither field had been populated. (#19093)
• Fixed a bug where field conditions within Matrix blocks weren’t always working when editing the owner element in a slideout. (#19084)
• Fixed a bug where verification code inputs weren’t always getting autofilled by password managers. (#19094)
• Fixed a bug where the “Use defaults” button in element index view menus wasn’t being shown automatically after a column header was pressed on. (#19101)
• Fixed a styling issue.
• Fixed high-severity RCE vulnerabilities.
• Fixed a high-severity information disclosure vulnerability.
• Fixed a moderate-severity authorization bypass vulnerability.
• Fixed a low-severity information disclosure vulnerability.
• Fixed a low-severity potential path traversal vulnerability.

4.18.2

• Added craft\controllers\EVENT_BEFORE_SAVE_IMAGE. (#19068)
• Added craft\events\SaveAssetImageEvent. (#19068)
• Added craft\web\Request::getPreviewParam().
• Fixed a bug where no-cache and X-Robots-Tag: none headers weren’t always being sent for requests with x-craft-preview or x-craft-live-preview query string params. (#19060)
• Fixed high-severity RCE vulnerabilities.
• Fixed a high-severity information disclosure vulnerability.
• Fixed a moderate-severity authorization bypass vulnerability.
• Fixed a low-severity information disclosure vulnerability.
• Fixed a low-severity potential path traversal vulnerability.

6.0.0-alpha.6

• Improved the accessibility of the Login page. (#19025)
• Added CraftCms\Cms\User\Contracts\CraftUser and CraftUserTrait. (#19009)
• Removed CraftCms\Cms\Auth\UserProvider; the Craft guard now defaults to Laravel’s Eloquent provider using CraftCms\Cms\User\Models\User. (#19009)
• Added Auth::craftUser()/auth('craft')->craftUser() and request()->craftUser() as Craft-safe ways to access the authenticated user. (#19009)
• Element::getIterator() no longer includes custom field values. (#19004)
• Fixed a bug where checking the elevated session timeout could overwrite newer session data, which could prevent passkeys from being created.
• Fixed a bug where legacy plugin-defined actions.php routes could collide between plugins. (#18994)
• Fixed a bug where JavaScript and CSS registered by utility pages weren’t executed when navigating between utility pages, and weren’t cleaned up when navigating away. (#18978)
• Fixed a bug where custom element authorization methods weren’t respected by Laravel element policies. (#18983)
• Fixed a bug where removing all permissions from a user wouldn’t save. (#18995)
• Fixed a bug where Single sections had Max Authors settings. (#19001)
• Fixed a bug where Channel and Structure sections didn’t have Max Authors settings. (#19001)
• Fixed a bug where sections’ Min Authors settings were defaulting to 1 when blank. (#19001)
• Fixes a bug where the “View entry” permission was listed twice for Single sections, causing a SQL error when both were selected. (#19002)
• Fixes a bug where user group handles weren’t getting auto-generated. (#19002)
• Fixed a JavaScript error that could occur in the Control Panel when a custom element was registered more than once.
• Fixed a bug where Control Panel action menu items could trigger their action twice when clicked.
• Fixed a bug where legacy Control Panel JavaScript wasn’t loaded and initialized on all Control Panel pages.
• Fixed a styling issue with user avatars.

5.10.5

• Added craft\base\ElementInterface::afterAssignedId().
• Fixed an error that occurred when executing the users/remove-2fa command non-interactively, if --method wasn’t provided. (#18724)
• Fixed a bug where Link fields weren’t getting updated when the “Replace relations” element deletion option was chosen. (#18992)
• Fixed a bug where it wasn’t always possible to select new categories or entries in relation fields. (#18976)
• Fixed a bug where Checkboxes and Multi-select fields weren’t handling :empty:/:notempty: params properly. (#18988, #19019)
• Fixed a bug where entries with {id} in their Default Title Format weren’t always getting created with the correct generated title. (#18991)
• Fixed an infinite recursion bug that could occur when rendering sandboxed Twig templates. (#19004)
• Fixed a styling issue. (#19010)
• Fixed a moderate-severity authorization bypass vulnerability.
• Fixed a low-severity object injection vulnerability.

5.10.4.1

• Fixed a bug where an empty @storage/runtime directory could be created within the webroot. (#18986)

6.0.0-alpha.5

• Improved emoji shortcode handling performance for strings without shortcode delimiters.
• Improved element query performance by caching element source table column listings in memory.
• Improved nested entry type resolution by avoiding unnecessary owner element queries.
• Added Laravel event dispatching to Craft’s Yiisoft\Translator\Translator instance, enabling Yiisoft\Translator\Event\MissingTranslationEvent listeners. (#18952)
• The loginPath config setting is now false by default.
• Renamed the PluginsLoaded event to PluginsRegistered. (#18973)
• Updated Twig to 3.27. (#18980)
• Fixed some errors that could occur when running Craft through Laravel Octane (#18921)
• Fixed an error that occurred when rendering the database update screen outside Control Panel template mode.
• Fixed an error that occurred when Redis was configured as the session driver.
• Fixed a bug where legacy Control Panel URL rules couldn’t route directly to templates. (#18972)
• Fixed an error that could occur when request context was dehydrated after a matched element route was resolved.
• Fixed a bug where CraftCms\Cms\Support\Typecast could skip setters that used a same-name private backing property.
• Fixed a bug where CraftCms\Cms\Support\Typecast could attempt to assign read-only, private-set, protected-set, or setterless virtual properties.
• Fixed a bug where publishable Craft assets were registered during web requests.
• Fixed a bug where eager-loading didn’t treat address, content block, and entry queries as nested element queries.
• Fixed a bug where lazy eager-loading nested element fields could reuse owner criteria and return the wrong elements.
• Fixed an error that occurred when Updates were cached and deserialized.
• Fixed an error that prevented link fields from saving.
• Fixed a bug where Money fields could throw an error during element validation when the field value was falsy.
• Fixed a bug where CraftCms\Cms\Validation\Contracts\Validatable::prepareForValidation() wasn’t called consistently, and plain Validatable classes without a configured ruleset couldn’t be validated. (#18944)
• Fixed a bug where invalid element query filters could return all results. (#18937)
• Fixed an error that occurred when uploading assets to fields with dynamic default upload locations. (#18949)
• Fixed a bug where Craft could look for the license key in config/license.key instead of config/craft/license.key.
• Fixed a styling issue that occurred when editable table cells had a code class. (#18900)