• The PDO::MYSQL_ATTR_MULTI_STATEMENTS attribute is no longer set by default for database connections. (#18474)
• Added craft\elements\Entry::canMove().
• Fixed a bug where element selector modals weren’t showing any results if they were limited to sources that only exist for a different site than the active one. (#18478)
• Fixed low-severity information disclosure vulnerabilities. (GHSA-44px-qjjc-xrhq, GHSA-vgjg-248p-rfm2, GHSA-x76w-8c62-48mg)
• Fixed a moderate-severity access control vulnerability. (GHSA-6mrr-q3pj-h53w)
• Fixed moderate-severity information disclosure vulnerabilities. (GHSA-3pvf-vxrv-hh9c, GHSA-5pgf-h923-m958)
• Fixed a moderate-severity RCE vulnerability. (GHSA-86vw-x4ww-x467)
• Fixed a moderate-severity authorization bypass vulnerability. (GHSA-f582-6gf6-gx4g)