Announcing Concrete CMS 9.4.3 and 8.5.21

Aug 6, 2025
by jessicadunbar

We're excited to release Concrete CMS 9.4.3 and 8.5.21, bringing refinements that enhance content workflows, developer tooling, and system security.

Enhancements in 9.4.3

  • The File Details page now includes more accurate file usage reporting across a broader range of blocks.
  • RSS feeds created in the Dashboard now include a direct link to view the feed contents, improving accessibility during development and testing.
  • Files flagged as inline viewable will no longer download if they can't actually be viewed inline, preventing unintended file downloads.
  • Page version comparisons are now consistently sorted to ensure that older versions are always compared against newer ones.
  • A new Dashboard option allows stack backgrounds to be toggled to black or white for better content visibility while editing.

Bug Fixes

  • Multiple fixes have been made to the content import/export system.
  • Sites configured to use a proxy server now apply those settings correctly for HTTPS URLs and for downloading marketplace add-ons and updates.
  • Mobile editing now displays the toolbar page icon correctly on the frontend.
  • Bulk assignment of new page attributes via Page Search now works without error.
  • Option List attributes defined via CIF or custom code are now assigned correctly.
  • Submitting long comments on page versions no longer causes database errors.

Developer Updates

  • Import/export support has been extended to additional block types, including complex blocks like Calendar.
  • Translations have been refined for greater consistency.
  • Legacy functions that are now natively supported in PHP have been marked as deprecated.
  • A new event, on_add_canonical_page_path, has been introduced for better integration with routing logic.
  • A bug affecting the c5:ide-symbols console command in certain environments has been resolved.

8.5.21 Release

Version 8.5.21 includes critical security fixes and bug resolutions also addressed in 9.4.3, including:

  • Correct proxy behavior for HTTPS and marketplace interactions
  • Bug fixes for content import/export and attribute handling
  • Resolution of CVE-2025-8571, the reflected XSS issue in the Dashboard

Security Fixes for 9.4.3 and 8.5.21

  • CVE-2025-8571: A reflected XSS vulnerability in the Conversation Messages Dashboard page has been resolved by improving sanitization logic.
    CVSS v4.0 Score: 4.8
  • CVE-2025-8573: A stored XSS vulnerability on the Members Dashboard page, triggered by malicious folder paths, has been patched. This only affected version 9.
    CVSS v4.0 Score: 2.8
  • Pasting HTML into the content editor now behaves consistently, ensuring content is stored and displayed correctly.

For full security details, visit the Concrete CMS security blog.

To explore everything version 9 has to offer, visit concretecms.org/9.