Announcing Concrete CMS 9.4.0 Release


May 6, 2025
by jessicadunbar

We’re excited to release Concrete CMS 9.4.0. This version introduces meaningful updates across core functionality, the UI, content management, developer experience, and security. Whether you're building for a client, managing a complex environment, or contributing to the platform, 9.4.0 delivers powerful improvements that enhance reliability, performance, and flexibility.

New Features

Theme and Appearance Enhancements

  • The Atomik theme now includes five new skins, including Midnight Velvet, a dark color variant.
  • Assign different skins for light and dark modes, responding to user OS/browser preferences.
  • New Appearance Dashboard page replaces the old Accessibility section.
  • CMS and Dashboard support a global dark mode with light, dark, or automatic options.

Bulk Page Editing in the Dashboard

  • Bulk edit page type, template, theme, and caching settings from the Page Search interface.

Open Graph Support

  • Enable Open Graph globally from a new Dashboard page.
  • Map attributes to og:title, og:description, og:type, and og:thumbnail.
  • Optionally include a Facebook App ID.

Task Resiliency Improvements

  • Tasks continue even if individual items fail.
  • Errors are logged to CLI, activity logs, system logs, and Messenger queues.
  • New "Manage Processes" page helps inspect and clear stuck tasks.
  • Supports real-time feedback with Mercure, and respects Symfony verbosity.

Boards Auto-Refresh and Regeneration

  • Boards automatically regenerate when related content is added or edited.
  • Works with events, calendar items, and page changes.
  • Preserves pin slots and custom logic during regeneration.
  • Runs asynchronously and intelligently avoids unnecessary refreshes.

Content Import/Export Improvements

  • Better support for multilingual page mapping, external links, and page paths.
  • Import config supports storage driver settings and overwrite behavior.
  • Improved import/export for stacks, blocks, and Express objects.

File Manager and Download Tracking

  • New "Total File Downloads" column added to File Manager.
  • Improved download tracking for Document Library links.

New Developer Options and Configuration Keys

  • misc.img_src_absolute (default: false) now controls asset URL format.
  • c5:boards:refresh no longer requires --regenerate; it's the default.
  • c5:reindex command removed. Use task:reindex-content instead.
  • Support for JSON strings in config import.
  • Blocks now export null values and preserve zeroes correctly.

CMS and Performance Enhancements

  • Tested and compatible with PHP 8.4.
  • Performance improvements to PageList, AWS S3, stack/style set loading, and gallery blocks.
  • Admins can now add pages beneath system pages in the sitemap.
  • RSS Displayer block now supports ATOM feeds.

User Interface and Experience Improvements

  • Better feedback on language updates in the Dashboard.
  • Publish start date is now required when enabled to avoid accidental publishing.
  • Better handling of Express forms, block exports, and calendar events.

Social Integration

  • Bluesky added to Social Links block.

Security Fixes

CVE-2025-0660 Stored XSS in Folder Function

  • Sanitization added to folder selector dropdown to prevent stored XSS.
  • Affects version 9 only. CVSS v4.0 score: 4.8.

CVE-2025-3153 CSRF and XSS in Address Attribute

  • Fixed CSRF/XSS in address fields with no selected country.
  • Only new data after the update is sanitized. CVSS v4.0 score: 5.1.

See the security release blog post for full details.

Bug Fixes

  • Improved Redis compatibility and file manager folder handling.
  • Fixes for Express object renaming, block rendering, stack imports, and legacy form exports.
  • Resolved issues with RSS feeds, migration snippets, and multilingual aliases.

Developer Tooling

  • package-pack now excludes phpunit.xml and test directories.
  • Task output now streams correctly in real time.
  • Improved error visibility and trace output in CLI.

Backward Compatibility Notes

  • c5:boards:refresh --regenerate is no longer valid; regeneration is now the default.
  • c5:reindex command removed. Use task:reindex-content.

View the complete version 9 feature set at: https://www.concretecms.org/9