Version 4 supported
This version of Silverstripe CMS is still supported, though it will not receive any additional features.


Change log

Security

  • 2019-09-23 8b7063a8e Fix access escalation for CMS users with limited access through permission cache pollution (Serge Latyntcev) - See CVE-2019-12617
  • 2019-09-16 eccfa9b10 Session fixation in "change password" form (Serge Latyntcev) - See CVE-2019-12203
  • 2019-08-20 f98a59de install.php warning does not account for public dir (Aaron Carlino) - See CVE-2019-12204
  • 2019-08-17 8c7a719 Broken access control on files due to session grant (Aaron Carlino) - See CVE-2019-14273
  • 2019-05-21 73e0cc6 Fix incorrect access control vulnerability with unwritten files in protected folders (Robbie Averill) - See CVE-2019-12245

Features and enhancements

  • 2019-09-18 1308911 Add task to remove/protect _versions folders (Aaron Carlino)

Bugfixes

  • 2019-09-24 3659f2888 Add 'legal empty attributes' to allow empty alt values on i… (#9257) (Guy Marriott)
  • 2019-09-23 0d27f32cc Add 'legal empty attributes' to allow empty alt values on imgs (Garion Herman)
  • 2019-09-23 fc536fa Update Apache .htaccess for new access directives (Dylan Wagstaff)
  • 2019-09-20 ea363fc Correctly process all non-insert form actions normally in the media dialog (#1005) (Damian Mooyman)
  • 2019-09-16 6a1c6ecec Fix administrators not being able to see files that are restricted to groups (bergice)
  • 2019-09-10 591b88a9b Allow infinite loop when calling DataObject::writeComponent() recursively (Maxime Rainville)
  • 2019-09-03 b0a6973 Remove Default DropzoneJS Timeout of 30s (#985) (Joe Harvey)
  • 2019-09-02 9f19a9b make the actions consistent on the grid field items to what they look like on pages (#242) (Andre Kiste)
  • 2019-08-29 194ec84 content block editing breaking when editing using IE11 by adding Event constructor polyfill (bergice)
  • 2019-08-29 77ba8391c Byte Order Marks (BOM) are now stripped when importing CSV files (Robbie Averill)
  • 2019-08-28 73f43c6f4 Remove placeholder text on new group form (Maxime Rainville)
  • 2019-08-27 2f8d847a1 make the grid field actions consistent to what they look like on pages (bergice)
  • 2019-08-26 d2a07b104 Remove error when exporting a column that is not displayed in a GridField (Will Rossiter)
  • 2019-08-26 314a906 Fix the jstree styles so that the selected states are more visible (bergice)
  • 2019-08-26 8b22e3b Update LegacyThumbnailMigrationHelper to carry on if it hits a fileID it can't parse (Maxime Rainville)
  • 2019-08-23 5845ac6 Prevent breadcrumb item styles from bleeding into non-react (Maxime Rainville)
  • 2019-08-23 94d6c80 enter to submit form not working on Add new page (bergice)
  • 2019-08-22 841c855 Ensure dataobjects are unpublished during the delete mutation (Guy Marriott)
  • 2019-08-22 4cb4d46 react-select clears input on search. Monkey patch, needs upgrade (Aaron Carlino)
  • 2019-08-18 ab4ccb8 Update LegacyFileIDHelper to understand pre-SS33 variant FileID (Maxime Rainville)
  • 2019-08-13 1c548cb jstree state when saving a page by retaining the open/closed state and selected node state. (bergice)
  • 2019-07-29 0abfed3e0 Skip md5-ing the whole contents of a stream for etags (Guy Marriott)
  • 2019-04-12 7592db91 VirtualPage missing methods from target page (fixes #2408) (Loz Calver)