????
Your IP : 216.73.217.111
# v1.7.53
## 06/16/2026
1. [](#bugfix)
* [security] Direct web access to the `user/accounts`, `user/config`, `user/data` and `user/env` folders is now blocked outright in every bundled webserver config, closing a hole where files such as certificates, tokens and databases stored under `user/data` with an unlisted extension could be downloaded directly.
* [security] A backup deny-all `.htaccess` now ships inside `user/accounts`, `user/config` and `user/data` so Apache installs stay protected even when the site root `.htaccess` has been customised or is out of date.
* [security] The upgrade postflight now patches an existing stock root `.htaccess` to add the folder block automatically, so installs that updated from an earlier version are protected without editing the file by hand.
* [security] URL query image transforms (such as `image.jpg?resize=`) are now turned off by default and, when enabled, refuse oversized dimensions above a configurable pixel limit, closing an unauthenticated denial of service where huge resize values could exhaust server memory.
# v1.7.52
## 04/29/2026
1. [](#new)
* GPM client now sends the running PHP version with index requests so the server can substitute PHP-aware compat fallbacks when a plugin's latest release requires a newer PHP than the client can run.
1. [](#bugfix)
* [security] Extended default `uploads_dangerous_extensions` to include `md`, `yaml`, `yml`, `json`, `twig`, `ini` — page-content extensions that can be weaponised via permissive form-upload `accept` policies (GHSA-w4rc-p66m-x6qq, defense-in-depth alongside the Form 9.1.0 plugin fix).
# v1.7.51
## 04/28/2026
1. [](#new)
* Added foundation for migrating to Grav 2.0: cross-major auto-upgrades are blocked in GPM, and core now surfaces a `next_major` hint so admin can point users at the new `migrate-grav` plugin
* Added `compatibility:` blueprint support so plugins/themes can declare which Grav versions they support
* Added self-upgrade preflight that flags incompatible plugins/themes and `psr/log` / Monolog conflicts before proceeding
* Added upgrade resilience with automatic maintenance mode and opcache reset during self-upgrade
* Added new `cache-cleanup` CLI command to prune obsolete cache entries
* Added new `onFlexDirectoryConfigBeforeSave` event for Flex
1. [](#improved)
* More readable time output in `bin/grav logviewer` [#4009](https://github.com/getgrav/grav/pull/4009)
* Removed legacy standalone binary build
* Updated vendor libraries to latest versions
1. [](#bugfix)
* Fixed `selectize` field losing values when keyed options were used
* Fixed wrong date output in `bin/grav logviewer` [#4007](https://github.com/getgrav/grav/pull/4007)
* Fixed undefined array key error triggered by URL-encoded characters in paths [#4012](https://github.com/getgrav/grav/pull/4012)
* Fixed assorted issues in the revamped scheduler
* Fixed `schedule` flag not being honored in backup profiles
* Fixed default-language loading when using the session-based language store
* Allow `lang` query parameter to switch back to the default language
# v1.7.49.5
## 09/10/2025
1. [](#bugfix)
* Backup not honoring ignored paths [#3952](https://github.com/getgrav/grav/issues/3952)
# v1.7.49.4
## 09/03/2025
1. [](#bugfix)
* Fixed cron force running jobs severy minute! [#3951](https://github.com/getgrav/grav/issues/3951)
# v1.7.49.3
## 09/02/2025
1. [](#bugfix)
* Fixed an error in ZipArchive that was causing issues on some systems
* Fixed namespace change for `Cron\Expression`
* Removed broken cron install field... use 'instructions' instead
* Fixed duplicate jobs listing in some CLI commands
# v1.7.49.2
## 08/28/2025
1. [](#bugfix)
* Fix translation of key for image adapter [#3944](https://github.com/getgrav/grav/pull/3944)
# v1.7.49.1
## 08/25/2025
1. [](#new)
* Rerelease to include all updated plugins/theme etc.