Content: Blog

Release

django CMS 5.0.9 released: security, accessibility, and stability improvements

Fabian Braun

July 10, 2026

This release addresses three medium-severity security vulnerabilities and includes improvements to accessibility, Django compatibility, permissions, Content Security Policy support, and general editor stability.

We recommend that all django CMS users upgrade to version 5.0.9 as soon as possible.

Upgrade to django CMS 5.0.9

Update the django CMS requirement in your project and install the new release:

pip install --upgrade "django-cms>=5.0.9"

As always, back up your database before upgrading and review the release notes for every version between your current installation and 5.0.9.

After installing the update, apply any outstanding migrations:

python manage.py migrate

Security fixes

django CMS 5.0.9 fixes three medium-severity security issues affecting installations with staff users or delegated editorial permissions.

Stored XSS in plugin exception rendering

When a plugin failed while being rendered in edit mode, django CMS displayed an exception block to help editors identify the problem. Some values used to build the exception heading were inserted into HTML without sufficient escaping.

A malicious editor who could store HTML in a plugin description or related value could potentially cause that HTML to execute in another staff user’s browser when the plugin subsequently raised a rendering exception.

Version 5.0.9 now safely escapes the exception heading before it is included in the editing interface.

→  Advisory

Page duplication access-control bypass

The page duplication form did not adequately validate whether an editor was authorized to view the source page supplied in the request.

A staff user with permission to create pages could potentially duplicate content from a restricted page, including a page belonging to another site. Because the resulting copy did not retain the source page’s view restrictions, this could expose otherwise inaccessible plugin content.

django CMS 5.0.9 adds an object-level permission check for the source page before duplication is allowed.

→ Advisory

Unauthorized placeholder-structure access

The frontend-editing structure endpoint did not consistently enforce object-level authorization for models other than PageContent.

A low-privileged staff user could inspect the placeholder and plugin structure of a frontend-editable object they were not authorized to change. Depending on the project and its plugins, this could reveal placeholder names, plugin identifiers, layout information, or the existence of restricted objects.

The endpoint now checks the user’s permission to change the target object and returns a 404 response when access is not permitted.

→  Advisory

We thank the security researchers who reported these issues responsibly.

Improved wizard accessibility

This release improves the accessibility of django CMS wizards, making their controls and behavior easier to understand and navigate with assistive technologies.

Accessibility remains an important part of our work to ensure that django CMS provides an effective editing experience for everyone.

Compatibility with newer Django admin styles

django CMS 5.0.9 adds support for the breadcrumb styles introduced in Django 6.1 and later.

This keeps the django CMS administration interface visually aligned with newer Django versions and prevents styling regressions as projects update their Django installation.

More resilient plugin positions

Invalid or corrupted plugin positions, introduced by third-party plugins, for example, could previously lead to editing failures and require manual database repair.

Version 5.0.9 can automatically detect and heal affected plugin positions. This makes plugin operations more resilient and helps existing projects recover from inconsistent position data without manual intervention.

Stronger permissions and validation

Several related areas have been hardened:

  • Page duplication now validates access to the source page.
  • Group-permission handling has been strengthened.
  • URL validation covers additional edge cases and bypass attempts.
  • Placeholder structure access now consistently applies object-level authorization.

These changes are particularly important for installations that delegate editing responsibilities across multiple teams, sites, or restricted page trees.

Better Content Security Policy compatibility

django CMS continues to reduce its reliance on inline JavaScript and CSS.

This release replaces simgular remaining inline code that could be blocked by a strict Content Security Policy. Projects using CSP can therefore operate the editing interface with fewer exceptions or unsafe policy directives.

Additional fixes

django CMS 5.0.9 also resolves several editor and administration issues:

  • The language selector could activate the wrong toolbar.
  • The subpage wizard could fail.
  • Page titles were not always escaped in rendering-error messages.
  • The clipboard could be cleared through an inappropriate GET request.
  • Plugin child-class information was cached incorrectly.
  • Several permission and validation edge cases have been addressed.

Thank you

django CMS 5.0.9 includes 14 pull requests. Thank you to everyone who reviewed, tested, reported issues, and helped prepare this release.

Special thanks go to the security researchers who worked with us through responsible disclosure. This cooperation helps keep the entire django CMS community secure.

Read the complete release notes


Do you want to test django CMS?

Try django CMS