- Updated core asset I/O to resolve Craft filesystem definitions and configured storage targets through Laravel filesystem disks.
- Updated elevated session prompts to use the modern control panel frontend while preserving the legacy JavaScript APIs.
- Login attempts are now rate limited.
- Added
Illuminate\Contracts\Translation\HasLocalePreferencesupport to user elements, allowing Laravel notifications to use users’ Language preferences. (#19228) - Fixed a bug where site routes weren't being registered for each localized site value.
- Fixed a bug where POST requests to the
loginPathweren’t being handled properly. (#19220) - Fixed a bug where users were redirected to the previous page on logout. (#19220)
- Fixed a bug where requests to the
loginPath,setPasswordPath, andverifyEmailPathwere getting redirected to the control panel. (#19229) - Fixed a bug where Laravel translation fallbacks weren’t applied when
translationDebugOutputwas enabled. (#19228) - Fixed a bug where custom plugin settings
FormRequestclasses could persist unvalidated settings. (#19228) - Fixed a bug where failed Craft API responses weren’t processing response headers. (#19228)
- Fixed a bug where Craft plugin service providers could be skipped when the plugin’s Composer metadata also defined Laravel package discovery settings. (#19228)
- Fixed a bug where event-registered user permissions weren’t getting saved. (#19232)
- Fixed lifecycle leaks where asset, GraphQL, route token, user, and user permission state could persist in long-running application processes. (#19242)
- Fixed moderate-severity authorization bypass vulnerabilities.
- Fixed a low-severity authorization bypass vulnerability.
- Fixed a low-severity XSS vulnerability.