5.9.18

• Improved error logging when logging in with passkeys. (#18627)
• Added craft\controllers\ElementIndexesController::$fieldLayouts.
• craft\services\ElementSources::getTableAttributes() now has a $fieldLayouts argument.
• Fixed a bug where GraphQL results were getting cached even if they contained transform generation URLs. (#18581)
• Fixed a bug where aria-activedescendant, aria-flowto, and aria-owns attributes weren’t getting namespaced by {% namespace %} tags. (#18577)
• Fixed a bug where sites with missing enabled values were being treated as enabled. (#18572)
• Fixed a bug where GraphQL fields within fragments weren’t getting eager-loaded if the fragment’s type condition referenced an interface (e.g. on EntryInterface) rather than a specific type name. (#18588)
• Fixed a bug where relation fields were getting marked as translatable if they used a custom translation method, even if the rendered translation key was blank. (#18580)
• Fixed a bug where section and field chips in the “Used by” column of the Entry Types index page weren’t getting hyperlinked. (#18589)
• Fixed a bug where exceptions thrown when sending emails weren’t getting handled properly. (#18597)
• Fixed a bug where unordered lists weren’t getting styled correctly within Tip/Warning/Markdown field layout UI elements. (#18598)
• Fixed an error that could occur when upgrading to Craft 5. (#18576)
• Fixed a bug where nested Matrix entries’ Title fields were getting validation errors if blank, even if the nested entry was disabled. (#18611)
• Fixed an infinite recursion bug that could occur if the loginPath, logoutPath, setPasswordPath, or verifyEmailPath config settings were set to a callable that called the sites service. (#18605)
• Fixed a bug where Matrix fields in Index view mode could be missing custom field columns. (#18590)
• Fixed a JavaScript error that could occur when opening a modal. (#18612)
• Fixed a bug where element chips and cards weren’t getting refreshed when a provisional draft’s changes were discarded in a different tab.
• Fixed a bug where element attributes weren’t always updating when content changes were made.
• Fixed a bug where successive edits to nested elements were forgotten. (#18624)
• Fixed a bug where nested elements weren’t getting duplicated when a new site was added to the owner element. (#18621)
• Fixed a bug where nested entries were getting assigned new IDs if they were edited multiple times for the same owner element draft. (#18461)
• Fixed a SQL error that could occur when editing an element draft that had upstream changes. (#18626)
• Fixed a bug where custom sources’ labels weren’t being translated within the document title. (#18629)
• Fixed moderate-severity information disclosure vulnerabilities. (GHSA-gj2p-p9m4-c8gw, GHSA-33m5-hqp9-97pw)
• Fixed a moderate-severity RCE vulnerability. (GHSA-qrgm-p9w5-rrfw)

4.17.12

• Fixed a bug where GraphQL results were getting cached even if they contained transform generation URLs. (#18581)
• Fixed a bug where aria-activedescendant, aria-flowto, and aria-owns attributes weren’t getting namespaced by {% namespace %} tags. (#18577)
• Fixed a moderate-severity information disclosure vulnerability. (GHSA-gj2p-p9m4-c8gw)
• Fixed a moderate-severity RCE vulnerability. (GHSA-qrgm-p9w5-rrfw)

5.9.17

• Added craft\helpers\DateTimeHelper::testTimeToSeconds().
• Fixed an error that could occur after running the utils/fix-field-layout-uids command. (#18516)
• Fixed a JavaScript error that could occur if any field layout elements were configured with unsupported widths. (#18552)
• Fixed an error that could occur when user impersonation failed. (#18569)
• Fixed a bug where deeply-nested elements could be deleted unexpectedly. (#18537)
• Fixed a warning that was getting logged when using craft\filters\SiteFilterTrait.
• Fixed a bug where prefixing entry queries’ authorGroup params with and or not operators wasn’t working properly. (#18551)
• Fixed an error that could occur when running the gc command, if a Matrix field had been converted to an Addresses or Content Block field. (#18549)
• Fixed a styling issue. (#18566)
• Fixed a JavaScript error that could occur when Time fields’ Min/Max Time settings were set.

4.17.11

• Fixed an error that could occur after running the utils/fix-field-layout-uids command. (#18516)
• Fixed a JavaScript error that could occur if any field layout elements were configured with unsupported widths. (#18552)
• Fixed an error that could occur when user impersonation failed. (#18569)

5.9.16

• Updated @simplewebauthn/browser to 13.3.0. (#18545)
• Updated web-auth/webauthn-lib to 5.2.4. (#18545)
• Fixed an error that occurred when loading some control panel resources on environments with craft\web\AssetManager::$cacheSourcePaths disabled. (#18536)
• Fixed a bug where craft\fields\data\LinkData::getUrl() was returning the URL suffix rather than an empty string, if the rendered base URL was an empty string.

4.17.10

• Fixed an error that occurred when loading some control panel resources on environments with craft\web\AssetManager::$cacheSourcePaths disabled. (#18536)

5.9.15

• Element edit pages once again redirect to their referral URL on save. (#18483)
• Added craft\filters\IpRateLimitIdentity. (#18510)
• Added craft\helpers\App::resourcePathByUri().
• Removed thamtech/yii2-ratelimiter-advanced. (#18510)
• Fixed a bug where global set GraphQL query caches weren’t getting invalidated when global sets were updated. (#18479)
• Fixed a bug where users/suspend-user and users/unsuspend-user actions required that the logged-in user have control panel access. (#18485)
• Fixed a bug where flipping an image within the Image Editor didn’t always work. (#18486)
• Fixed a bug where SVG files missing their width and height attributes weren’t getting them set as expected.
• Fixed an error that occurred if a template referenced a preloaded Single entry followed by a null coalescing operator. (#18503)
• Fixed a bug where links within Redactor fields were getting target="_blank" added to them. (#18500)
• Fixed an error that could occur when applying project config changes, or editing entries with an invalid entry type. (#18477, #18505)
• Fixed a bug where Content Block fields’ nested values weren’t always getting set correctly via resave commands. (#18453)
• Fixed a bug where addresses without labels weren’t getting chip labels. (#18481)
• Fixed a JavaScript error that could occur on element edit pages.
• Fixed a bug where cross-site validation errors weren’t preventing elements from getting saved. (#18292)
• Fixed a bug where failure messages when pasting elements weren’t getting displayed properly.
• Fixed a bug where craft\helpers\UrlHelper::cpReferralUrl() was returning the referrer URL even if it had the same URI as the current page. (#18483)
• Fixed a bug where Matrix field’ grouped entry type menu labels weren’t translatable. (#18528)
• Fixed moderate-severity SSRF vulnerabilities. (GHSA-3m9m-24vh-39wx, GHSA-95wr-3f2v-v2wh)
• Fixed a moderate-severity authorization bypass vulnerability. (GHSA-jq2f-59pj-p3m3)

4.17.9

• Added craft\filters\IpRateLimitIdentity. (#18510)
• Added craft\helpers\App::resourcePathByUri().
• Removed thamtech/yii2-ratelimiter-advanced. (#18510)
• Fixed a bug where global set GraphQL query caches weren’t getting invalidated when global sets were updated. (#18479)
• Fixed a bug where users/suspend-user and users/unsuspend-user actions required that the logged-in user have control panel access. (#18485)
• Fixed a bug where flipping an image within the Image Editor didn’t always work. (#18486)
• Fixed a bug where SVG files missing their width and height attributes weren’t getting them set as expected.
• Fixed an error that occurred if a template referenced a preloaded Single entry followed by a null coalescing operator. (#18503)
• Fixed a bug where links within Redactor fields were getting target="_blank" added to them. (#18500)
• Fixed moderate-severity SSRF vulnerabilities. (GHSA-3m9m-24vh-39wx, GHSA-95wr-3f2v-v2wh)

5.9.14

• The PDO::MYSQL_ATTR_MULTI_STATEMENTS attribute is no longer set by default for database connections. (#18474)
• Added craft\elements\Entry::canMove().
• Fixed a bug where element selector modals weren’t showing any results if they were limited to sources that only exist for a different site than the active one. (#18478)
• Fixed low-severity information disclosure vulnerabilities. (GHSA-44px-qjjc-xrhq, GHSA-vgjg-248p-rfm2, GHSA-x76w-8c62-48mg)
• Fixed a moderate-severity access control vulnerability. (GHSA-6mrr-q3pj-h53w)
• Fixed moderate-severity information disclosure vulnerabilities. (GHSA-3pvf-vxrv-hh9c, GHSA-5pgf-h923-m958)
• Fixed a moderate-severity RCE vulnerability. (GHSA-86vw-x4ww-x467)
• Fixed a moderate-severity authorization bypass vulnerability. (GHSA-f582-6gf6-gx4g)

4.17.8

• The PDO::MYSQL_ATTR_MULTI_STATEMENTS attribute is no longer set by default for database connections. (#18474)
• Fixed low-severity information disclosure vulnerabilities. (GHSA-44px-qjjc-xrhq, GHSA-vgjg-248p-rfm2, GHSA-x76w-8c62-48mg)
• Fixed a moderate-severity access control vulnerability. (GHSA-6mrr-q3pj-h53w)
• Fixed moderate-severity information disclosure vulnerabilities. (GHSA-3pvf-vxrv-hh9c, GHSA-5pgf-h923-m958)