5.0.8 release notes¶
June 9, 2026
Welcome to django CMS 5.0.8!
These release notes cover the new features, as well as some backwards incompatible changes you’ll want to be aware of when upgrading from django CMS 4.1 or earlier. We’ve begun the deprecation process for some features.
Django and Python compatibility¶
django CMS supports Django 4.2, 5.0, 5.1, 5.2, and 6.0. We highly recommend and only support the latest release of each series.
It supports Python 3.10, 3.11, 3.12, 3.13. As for Django we highly recommend and only support the latest release of each series.
How to upgrade to 5.0.8¶
Update your project’s requirements.txt file to require (at least) django CMS 5.0.8 and
run pip install -r requirements.txt.
If you are upgrading from an earlier version of django CMS, read the release notes for all the versions between your current version and this one. Check the release notes for each version to see if there are any special instructions.
Run migrations:
python -m manage migrate
What’s new in 5.0.8¶
Security Fixes¶
This release fixes two security issues. We recommend that all users upgrade as soon as possible.
Missing authorization on structure, move and clipboard endpoints (#8644). The placeholder structure, plugin move, and clipboard endpoints did not consistently enforce permission checks. This could allow users without the required permissions to read or manipulate plugins on a page. Authorization is now enforced on these endpoints.
Plugin-declared Vary headers ignored in the page cache key (#8646). The page cache key did not honour
Varyheaders declared by plugins. As a result cached responses could be served to requests that should have received a different, varied response (for example content that varies by cookie or other request headers). Plugin-declaredVaryheaders are now included in the cache key.
Many thanks to the security researchers who responsibly reported these issues: @mauriceng98, @lzhou1110, @Zyy0530, @Str1ckl4nd, and @7thParkk.
Note
As ever, we remind our users and contributors that all security reports, patches and concerns be addressed only to our security team by email, at security@django-cms.org. Please do not report security issues on the public issue tracker or any mailing list. See our security policy for details.
Bug Fixes:¶
Enforce authorization on structure, move and clipboard endpoints (#8644) (#8645) (7642a98ab) – Fabian Braun
GrouperModelAdmin shadowed prepopulated_fields class attribute (#8636) (#8639) (1b164a488) – Fabian Braun
Honour plugin-declared Vary headers in the page cache key (#8646) (#8647) (d5dc1efa1) – Fabian Braun
Missing redirect_url in CMSNavigationNode.attr (#8625) (f975cace5) – Venelin Stoykov
Release script dropped changes (#8655) (23df299bd) – Fabian Braun
Slugs of published pages could be changed (#8640) (#8654) (9fed876a0) – Fabian Braun
Transifex upload script failed (#8656) (936a620ef) – Fabian Braun
template-specific CMS_PLACEHOLDER_CONF keys ignored when rendering page placeholders (#8652) (c7424f7f2) – Ralph
Correct lookup prefix and register length lookup in PermissionTuple.allow_list()
Use loop variable instead of queryset in user_can_delete_page placeholder check
Return 404 instead of 500 for missing objects in delete_view and edit_title_fields
Use target language for position shift and cache clearing in _paste_placeholder
Statistics:¶
This release includes 14 pull requests, and was created with the help of the following contributors (in alphabetical order):
Fabian Braun (8 pull requests)
Ralph (1 pull request)
Venelin Stoykov (1 pull request)
With the review help of the following contributors:
Fabian Braun
Vinit Kumar
Thanks to all contributors for their efforts!