• GraphQL API requests no longer get cache response headers; only no-cache headers, and only if the request had a X-Craft-Gql-Cache: no-cache header, or if the request contained any mutations. (#18348)
• config/twig-sandbox.php can now include an allowedClasses array, with class names whose entire collection of properties and methods should be allowed in sandboxed Twig environments.
• craft\base\ElementInterface, craft\fields\data\ColorData, craft\fields\data\MultiOptionsFieldData, craft\fields\data\OptionData, and yii\base\Event are now allowed in their entirety within sandboxed Twig environments.
• Fixed a bug where Dashboard columns weren’t getting refreshed when the window was resized. (#18389)
• Fixed a bug where craft\web\View::renderSandboxedObjectTemplate() and renderSandboxedString() weren’t properly sandboxing templates rendered from the control panel.
• Fixed a low-severity XSS vulnerability. (GHSA-fvwq-45qv-xvhv)
• Fixed a low-severity information disclosure vulnerability. (GHSA-vg3j-hpm9-8v5v)