Bump craftcms/cms from 4.14.15 to 5.9.16

[dependabot]

Bumps craftcms/cms from 4.14.15 to 5.9.16.

Release notes

Sourced from craftcms/cms's releases.

5.9.16

• Updated @​simplewebauthn/browser to 13.3.0. (#18545)
• Updated web-auth/webauthn-lib to 5.2.4. (#18545)
• Fixed an error that occurred when loading some control panel resources on environments with craft\web\AssetManager::$cacheSourcePaths disabled. (#18536)
• Fixed a bug where craft\fields\data\LinkData::getUrl() was returning the URL suffix rather than an empty string, if the rendered base URL was an empty string.

5.9.15

• Element edit pages once again redirect to their referral URL on save. (#18483)
• Added craft\filters\IpRateLimitIdentity. (#18510)
• Added craft\helpers\App::resourcePathByUri().
• Removed thamtech/yii2-ratelimiter-advanced. (#18510)
• Fixed a bug where global set GraphQL query caches weren’t getting invalidated when global sets were updated. (#18479)
• Fixed a bug where users/suspend-user and users/unsuspend-user actions required that the logged-in user have control panel access. (#18485)
• Fixed a bug where flipping an image within the Image Editor didn’t always work. (#18486)
• Fixed a bug where SVG files missing their width and height attributes weren’t getting them set as expected.
• Fixed an error that occurred if a template referenced a preloaded Single entry followed by a null coalescing operator. (#18503)
• Fixed a bug where links within Redactor fields were getting target="_blank" added to them. (#18500)
• Fixed an error that could occur when applying project config changes, or editing entries with an invalid entry type. (#18477, #18505)
• Fixed a bug where Content Block fields’ nested values weren’t always getting set correctly via resave commands. (#18453)
• Fixed a bug where addresses without labels weren’t getting chip labels. (#18481)
• Fixed a JavaScript error that could occur on element edit pages.
• Fixed a bug where cross-site validation errors weren’t preventing elements from getting saved. (#18292)
• Fixed a bug where failure messages when pasting elements weren’t getting displayed properly.
• Fixed a bug where craft\helpers\UrlHelper::cpReferralUrl() was returning the referrer URL even if it had the same URI as the current page. (#18483)
• Fixed a bug where Matrix field’ grouped entry type menu labels weren’t translatable. (#18528)
• Fixed moderate-severity SSRF vulnerabilities. (GHSA-3m9m-24vh-39wx, GHSA-95wr-3f2v-v2wh)
• Fixed a moderate-severity authorization bypass vulnerability. (GHSA-jq2f-59pj-p3m3)

5.9.14

• The PDO::MYSQL_ATTR_MULTI_STATEMENTS attribute is no longer set by default for database connections. (#18474)
• Added craft\elements\Entry::canMove().
• Fixed a bug where element selector modals weren’t showing any results if they were limited to sources that only exist for a different site than the active one. (#18478)
• Fixed low-severity information disclosure vulnerabilities. (GHSA-44px-qjjc-xrhq, GHSA-vgjg-248p-rfm2, GHSA-x76w-8c62-48mg)
• Fixed a moderate-severity access control vulnerability. (GHSA-6mrr-q3pj-h53w)
• Fixed moderate-severity information disclosure vulnerabilities. (GHSA-3pvf-vxrv-hh9c, GHSA-5pgf-h923-m958)
• Fixed a moderate-severity RCE vulnerability. (GHSA-86vw-x4ww-x467)
• Fixed a moderate-severity authorization bypass vulnerability. (GHSA-f582-6gf6-gx4g)

5.9.13

• The control panel is now translated into Greek. (#18458)
• The PDO::MYSQL_ATTR_MULTI_STATEMENTS attribute is now set to false by default for database connections.
• Fixed a bug where searchindex and searchindexqueue rows weren’t being deleted when an element was deleted for a site. (#18394)
• Fixed a bug where multi-select condition rules weren’t applying their “has a value” and “is empty” operators correctly. (#18470)
• Fixed an unintended change in behavior where craft\helpers\App::parseEnv() was returning null instad of an empty string, when an environment variable name was passed in, which was set to an empty string.
• Fixed a bug where drafts within “My Drafts” widgets weren’t getting hyperlinked. (#18456)
• Fixed a bug where nested entries were getting assigned new IDs if they were edited multiple times for the same owner element draft. (#18461)
• Fixed a bug where the “New Tab” button within field layout designers could be positioned incorrectly. (#18450)
• Fixed a high-severity RCE vulnerability. (GHSA-2fph-6v5w-89hh)
• Fixed a low-severity path traversal vulnerability. (GHSA-472v-j2g4-g9h2)

... (truncated)

Changelog

Sourced from craftcms/cms's changelog.

5.9.16 - 2026-03-11

• Updated @​simplewebauthn/browser to 13.3.0. (#18545)
• Updated web-auth/webauthn-lib to 5.2.4. (#18545)
• Fixed an error that occurred when loading some control panel resources on environments with craft\web\AssetManager::$cacheSourcePaths disabled. (#18536)
• Fixed a bug where craft\fields\data\LinkData::getUrl() was returning the URL suffix rather than an empty string, if the rendered base URL was an empty string.
• Fixed a styling bug where horizontal rules could bleed out of their containing panes.

5.9.15 - 2026-03-09

• Element edit pages once again redirect to their referral URL on save. (#18483)
• Added craft\filters\IpRateLimitIdentity. (#18510)
• Added craft\helpers\App::resourcePathByUri().
• Removed thamtech/yii2-ratelimiter-advanced. (#18510)
• Fixed a bug where global set GraphQL query caches weren’t getting invalidated when global sets were updated. (#18479)
• Fixed a bug where users/suspend-user and users/unsuspend-user actions required that the logged-in user have control panel access. (#18485)
• Fixed a bug where flipping an image within the Image Editor didn’t always work. (#18486)
• Fixed a bug where SVG files missing their width and height attributes weren’t getting them set as expected.
• Fixed an error that occurred if a template referenced a preloaded Single entry followed by a null coalescing operator. (#18503)
• Fixed a bug where links within Redactor fields were getting target="_blank" added to them. (#18500)
• Fixed an error that could occur when applying project config changes, or editing entries with an invalid entry type. (#18477, #18505)
• Fixed a bug where Content Block fields’ nested values weren’t always getting set correctly via resave commands. (#18453)
• Fixed a bug where addresses without labels weren’t getting chip labels. (#18481)
• Fixed a JavaScript error that could occur on element edit pages.
• Fixed a bug where cross-site validation errors weren’t preventing elements from getting saved. (#18292)
• Fixed a bug where failure messages when pasting elements weren’t getting displayed properly.
• Fixed a bug where craft\helpers\UrlHelper::cpReferralUrl() was returning the referrer URL even if it had the same URI as the current page. (#18483)
• Fixed a bug where Matrix field’ grouped entry type menu labels weren’t translatable. (#18528)
• Fixed moderate-severity SSRF vulnerabilities. (GHSA-3m9m-24vh-39wx, GHSA-95wr-3f2v-v2wh)
• Fixed a moderate-severity authorization bypass vulnerability. (GHSA-jq2f-59pj-p3m3)

5.9.14 - 2026-02-25

• The PDO::MYSQL_ATTR_MULTI_STATEMENTS attribute is no longer set by default for database connections. (#18474)
• Added craft\elements\Entry::canMove().
• Fixed a bug where element selector modals weren’t showing any results if they were limited to sources that only exist for a different site than the active one. (#18478)
• Fixed low-severity information disclosure vulnerabilities. (GHSA-44px-qjjc-xrhq, GHSA-vgjg-248p-rfm2, GHSA-x76w-8c62-48mg)
• Fixed a moderate-severity access control vulnerability. (GHSA-6mrr-q3pj-h53w)
• Fixed moderate-severity information disclosure vulnerabilities. (GHSA-3pvf-vxrv-hh9c, GHSA-5pgf-h923-m958)
• Fixed a moderate-severity RCE vulnerability. (GHSA-86vw-x4ww-x467)
• Fixed a moderate-severity authorization bypass vulnerability. (GHSA-f582-6gf6-gx4g)

5.9.13 - 2026-02-24

• The control panel is now translated into Greek. (#18458)
• The PDO::MYSQL_ATTR_MULTI_STATEMENTS attribute is now set to false by default for database connections.
• Fixed a bug where searchindex and searchindexqueue rows weren’t being deleted when an element was deleted for a site. (#18394)
• Fixed a bug where multi-select condition rules weren’t applying their “has a value” and “is empty” operators correctly. (#18470)
• Fixed an unintended change in behavior where craft\helpers\App::parseEnv() was returning null instad of an empty string, when an environment variable name was passed in, which was set to an empty string.
• Fixed a bug where drafts within “My Drafts” widgets weren’t getting hyperlinked. (#18456)

... (truncated)

Commits

• ed5323d Finish 5.9.16
• 5e2e5ed Merge branch '4.x' of https://github.com/craftcms/cms into 5.x
• 6e85b92 Finish 4.17.10
• eb38bb6 Merge branch '4.x' of https://github.com/craftcms/cms into 5.x
• 8bfe9a6 The URI doesn’t always start with a hash prefix
• d473c26 Merge branch '4.x' of https://github.com/craftcms/cms into 5.x
• 9a3523d Fixed #18536
• 6f62627 Remove {% dump %}
• 7e96bc5 Release notes
• 93e1737 tweaks
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.