We’re excited to roll out Concrete CMS 9.4.0RC2 and 8.5.20 – two big releases packed with thoughtful enhancements, developer upgrades, and important security updates. Whether you're a content editor, site admin, or developer, these updates bring more efficiency, reliability, and control to your Concrete experience.
Announcing CMS 9.4.0RC2 and 8.5.20 Releases
Apr 4, 2025
by
We’re excited to roll out Concrete CMS 9.4.0RC2 and 8.5.20 – two big releases packed with thoughtful enhancements, developer upgrades, and important security updates. Whether you're a content editor, site admin, or developer, these updates bring more efficiency, reliability, and control to your Concrete experience.
What's New in 9.4.0RC2
Concrete CMS 9.4.0RC2 is a Release Candidate (RC) version, meaning it’s a nearly complete version of 9.4.0, intended for final testing before the full stable release. While this is not a production-ready release, we encourage developers and site administrators to test it and report any issues.
If no major issues arise, we anticipate a full release of 9.4.0 in the coming weeks.
9.4.0RC2 New Features & Enhancements
- Dark Mode Support: Concrete now respects OS-wide dark mode settings. Switch manually or let your OS decide.
- Improved Dashboard Appearance: A revamped Appearance page consolidates Accessibility settings and introduces Open Graph integration.
- Better Content Import/Export: Now supports multilingual page mapping, external links, and more.
- Bulk Edit Tools: Update caching settings, page templates, themes, and page types in bulk from Dashboard Page Search.
- Error Handling Overhaul: Cleaner error messages and detailed debugging options.
- Improved Logging: See user links in logs, page identifiers, and more structured log messages.
- Boards & Tasks: Boards auto-refresh when content changes; batch tasks are now more resilient.
- Social & SEO Improvements: Open Graph support is now core. Also, welcome Bluesky to Social Links!
Behavioral Improvements
- Concrete is tested under PHP 8.4.
- Significant performance improvements for external file storage (e.g., AWS S3).
- More friendly scheduling UI for tasks.
- Better Express form error handling, RSS ATOM feed support, and admin flexibility for sitemap edits.
- Enhanced localization with improved edit-mode translations and absolute URL support when needed.
Developer Upgrades
- Add JSON configs to import XML.
- Lazy loading support in html/image service.
- Better CLI task feedback (e.g., task:reindex-content replaces deprecated c5:reindex).
- Cleaner output from content export APIs and enhanced config import options.
Security Fixes
- CVE-2025-0660 – Stored XSS in Folder Function: Resolved through sanitization of folder names and improved permission handling.
- CVSS Score: 4.8 (Moderate)
- Thanks to Alfin Joseph via HackerOne.
- Fixed unsanitized address custom attributes in specific rendering conditions.
Read the full 9.4.0RC2 release notes:
See security blog post:
8.5.20 Release Highlights
New Features
- File Manager now lets you control result count directly – no need to open Advanced Search!
- New options for Express Forms: set a custom "from" email per block and delete all entries without removing the object.
- CKEditor upgraded to 4.12 with Placeholder plugin support.
- Background color options for thumbnails and image editor added.
- Page Attribute block supports custom templates.
- ReCaptcha is now core.
Behavioral Improvements
- Improved Express form UX, dashboard UI, RTL language support, and file upload reliability.
- New options for configuring trusted proxy headers and email settings.
- CMS now prevents logout during long editing sessions and better handles caching, RSS feeds, and file manager interactions.
Bug Fixes
Hundreds of critical and edge-case bug fixes:
- Express form errors
- Page caching under multisite
- Calendar display issues
- File downloads, image uploads, and localization errors
- Fixes across the Dashboard, composer, search presets, and installation flows
Developer Improvements
- New helper methods, better PHP 8 support, updated libraries (Bootstrap, jQuery UI, phpseclib, etc.)
- New events like on_page_alias_add and on_page_alias_delete
- DestinationPicker widget and Spectrum color picker updates
Read the full 9.4.0RC2 release notes:
See security blog post:
For the full list of new features in version 9, visit our landing page:
👉 https://www.concretecms.org/9
As always, a huge thank you to our incredible community and contributors who made these releases possible. Happy updating!