• The utils/fix-field-layout-uids command now checks for duplicate top-level field layout UUIDs. (#18193)
• Fixed a bug where all plugin settings were being saved to the project config, rather than just posted settings. (craftcms/commerce#4006)
• Fixed a bug where custom selects could be positioned incorrectly after the window was resized. (#18179)
• Fixed an error that could occur when logging a deprecation warning, if the backtrace contained any non-UTF-8-encoded strings. (#18218)
• Fixed a bug where it wasn’t possible to view assets if they had exactly 50 subfolders alongside them. (#18213)
• Fixed SSRF vulnerabilities. (GHSA-96pq-hxpw-rgh8, GHSA-m5r2-8p9x-hp5m, GHSA-8jr8-7hr4-vhfx)
• Fixed a SQL injection vulnerability. (GHSA-2453-mppf-46cj)
• Fixed an XSS vulnerability. (GHSA-9f5h-mmq6-2x78)
• Fixed a permission escalation vulnerability. (GHSA-fxp3-g6gw-4r4v)
• Fixed an RCE vulnerability. (GHSA-7jx7-3846-m7w7)