update changelog

Signed-off-by: Andy Miller <rhuk@mac.com>
2025-12-05 15:29:57 +01:00 · 2025-11-29 21:18:57 -07:00
parent a4c3a3af6d
commit 528032b11a
2 changed files with 18 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,20 @@
+# v1.8.0-beta.27
+## mm/dd/2025
+
+1. [](#improved)
+    * Hardened Twig sandbox with expanded blacklist blocking 150+ dangerous functions and attack patterns
+    * Added static regex caching in Security class for improved performance
+    * Added path traversal protection to backup root configuration
+    * Added validation for language codes to prevent regex injection DoS
+1. [](#bugfix)
+    * Fixed path traversal vulnerability in username during account creation
+    * Fixed username uniqueness bypass allowing duplicate accounts
+    * Fixed arbitrary file read via `read_file()` Twig function
+    * Fixed DoS via malformed cron expressions in scheduler
+    * Fixed password hash exposure to frontend via JSON serialization
+    * Fixed email disclosure in user edit page title
+    * Fixed XSS via `isindex` tag bypass (CVE-2023-31506)
+
 # v1.8.0-beta.26
 ## 11/29/2025

--- a/system/defines.php
+++ b/system/defines.php
@@ -9,7 +9,7 @@

 // Some standard defines
 define('GRAV', true);
-define('GRAV_VERSION', '1.8.0-beta.26');
+define('GRAV_VERSION', '1.8.0-beta.27');
 define('GRAV_SCHEMA', '1.8.0_2025-09-21_0');
 define('GRAV_TESTING', true);