Merge branch '5.x' into advisory-fix-1

# Conflicts:
#	CHANGELOG.md

Author: brandonkelly

CHANGELOG.md

@@ -2,8 +2,16 @@
 
 ## Unreleased
 
+- The control panel is now translated into Greek. ([#18458](https://github.com/craftcms/cms/pull/18458))
+- The `PDO::MYSQL_ATTR_MULTI_STATEMENTS` attribute is now set to `false` by default for database connections.
+- Fixed a bug where `searchindex` and `searchindexqueue` rows weren’t being deleted when an element was deleted for a site. ([#18394](https://github.com/craftcms/cms/issues/18394))
+- Fixed a bug where multi-select condition rules weren’t applying their “has a value” and “is empty” operators correctly. ([#18470](https://github.com/craftcms/cms/pull/18470))
 - Fixed an unintended change in behavior where `craft\helpers\App::parseEnv()` was returning `null` instad of an empty string, when an environment variable name was passed in, which was set to an empty string.
+- Fixed a bug where drafts within “My Drafts” widgets weren’t getting hyperlinked. ([#18456](https://github.com/craftcms/cms/issues/18456))
+- Fixed a bug where nested entries were getting assigned new IDs if they were edited multiple times for the same owner element draft. ([#18461](https://github.com/craftcms/cms/issues/18461))
+- Fixed a bug where the “New Tab” button within field layout designers could be positioned incorrectly. ([#18450](https://github.com/craftcms/cms/issues/18450))
 - Fixed a [high-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) RCE vulnerability. ([GHSA-2fph-6v5w-89hh](https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh))
+- Fixed a [low-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) path traversal vulnerability. (GHSA-472v-j2g4-g9h2)
 
 ## 5.9.12 - 2026-02-18
 
@@ -380,9 +388,9 @@
 - Fixed a bug where verification emails weren’t getting sent when a user without the “Administrate users” permission changed a user account’s email address.
 - Fixed a bug where MP3 files weren’t always being properly recognized. ([#18243](https://github.com/craftcms/cms/issues/18243))
 - Fixed a bug where deeply-nested slideouts could cause visual glitches in Chromium-based browsers. ([#18255](https://github.com/craftcms/cms/issues/18255))
-- Fixed [low-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) XSS vulnerabilities. (GHSA-6j87-m5qx-9fqp, GHSA-3jh3-prx3-w6wc)
-- Fixed [moderate-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) SSRF vulnerabilities. (GHSA-gp2f-7wcm-5fhx, GHSA-v2gc-rm6g-wrw9)
-- Fixed a [moderate-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) TOCTOU vulnerability. (GHSA-6fx5-5cw5-4897)
+- Fixed [low-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) XSS vulnerabilities. ([GHSA-6j87-m5qx-9fqp](https://github.com/craftcms/cms/security/advisories/GHSA-6j87-m5qx-9fqp), [GHSA-3jh3-prx3-w6wc](https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc))
+- Fixed [moderate-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) SSRF vulnerabilities. ([GHSA-gp2f-7wcm-5fhx](https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx), [GHSA-v2gc-rm6g-wrw9](https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9))
+- Fixed a [moderate-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) TOCTOU vulnerability. ([GHSA-6fx5-5cw5-4897](https://github.com/craftcms/cms/security/advisories/GHSA-6fx5-5cw5-4897))
 
 ## 5.8.22 - 2026-01-09
 

crowdin.yml

@@ -9,7 +9,6 @@ files:
     type: php
     excluded_target_languages:
       - cy
-      - el
       - hr
       - id
       - ky

src/base/conditions/BaseMultiSelectConditionRule.php

@@ -181,6 +181,13 @@ protected function paramValue(?callable $normalizeValue = null): string|array|nu
      */
     protected function matchValue(array|string|null $value): bool
     {
+        if (in_array($this->operator, [self::OPERATOR_EMPTY, self::OPERATOR_NOT_EMPTY])) {
+            return match ($this->operator) {
+                self::OPERATOR_EMPTY => empty($value),
+                self::OPERATOR_NOT_EMPTY => !empty($value),
+            };
+        }
+        
         if (!$this->_values) {
             return true;
         }
@@ -194,8 +201,6 @@ protected function matchValue(array|string|null $value): bool
         return match ($this->operator) {
             self::OPERATOR_IN => !empty(array_intersect($value, $this->_values)),
             self::OPERATOR_NOT_IN => empty(array_intersect($value, $this->_values)),
-            self::OPERATOR_NOT_EMPTY => !empty($value),
-            self::OPERATOR_EMPTY => empty($value),
             default => throw new InvalidConfigException("Invalid operator: $this->operator"),
         };
     }

src/helpers/App.php

@@ -37,6 +37,7 @@
 use craft\web\User as WebUser;
 use craft\web\View;
 use HTMLPurifier_Encoder;
+use PDO;
 use ReflectionClass;
 use ReflectionFunction;
 use ReflectionNamedType;
@@ -1046,7 +1047,10 @@ public static function dbConfig(?DbConfig $dbConfig = null): array
             'commandMap' => [
                 $driver => Command::class,
             ],
-            'attributes' => $dbConfig->attributes,
+            'attributes' => [
+                PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
+                ...$dbConfig->attributes,
+            ],
             'enableSchemaCache' => !static::devMode(),
         ];
 
@@ -1263,16 +1267,13 @@ public static function webRequestConfig(): array
             'enableCsrfValidation' => $generalConfig->enableCsrfProtection,
             'enableCsrfCookie' => $generalConfig->enableCsrfCookie,
             'csrfParam' => $generalConfig->csrfTokenName,
+            'trustedHosts' => $generalConfig->trustedHosts,
             'parsers' => [
                 'application/json' => JsonParser::class,
             ],
             'isCpRequest' => static::normalizeBooleanValue(static::env('CRAFT_CP')),
         ];
 
-        if ($generalConfig->trustedHosts !== null) {
-            $config['trustedHosts'] = $generalConfig->trustedHosts;
-        }
-
         if ($generalConfig->secureHeaders !== null) {
             $config['secureHeaders'] = $generalConfig->secureHeaders;
         }

src/helpers/Assets.php

@@ -890,6 +890,10 @@ public static function downloadFile(BaseFsInterface $fs, string $uriPath, string
      */
     public static function iconUrl(string $extension): string
     {
+        if (!preg_match('/^\w+$/', $extension)) {
+            throw new InvalidArgumentException("$extension isn’t a valid file extension.");
+        }
+
         return UrlHelper::actionUrl('assets/icon', [
             'extension' => $extension,
         ]);
@@ -905,6 +909,10 @@ public static function iconUrl(string $extension): string
      */
     public static function iconPath(string $extension): string
     {
+        if (!preg_match('/^\w+$/', $extension)) {
+            throw new InvalidArgumentException("$extension isn’t a valid file extension.");
+        }
+
         $path = sprintf('%s%s%s.svg', Craft::$app->getPath()->getAssetsIconsPath(), DIRECTORY_SEPARATOR, strtolower($extension));
 
         if (file_exists($path)) {

src/i18n/I18N.php

@@ -187,6 +187,7 @@ private function _defineAppLocales(): void
             'da' => true,
             'de' => true,
             'de-CH' => true,
+            'el' => true,
             'en' => true,
             'en-GB' => true,
             'es' => true,

src/services/Elements.php

@@ -1503,6 +1503,7 @@ public function updateCanonicalElement(ElementInterface $element, array $newAttr
         $newAttributes += [
             'id' => $canonical->id,
             'uid' => $canonical->uid,
+            'canonicalId' => $canonical->getCanonicalId(),
             'root' => $canonical->root,
             'lft' => $canonical->lft,
             'rgt' => $canonical->rgt,
@@ -4265,14 +4266,15 @@ private function _saveElementInternal(
             if (!$element->propagating) {
                 // Delete the rows that don't need to be there anymore
                 if (!$isNewElement) {
-                    Db::deleteIfExists(
-                        Table::ELEMENTS_SITES,
-                        [
-                            'and',
-                            ['elementId' => $element->id],
-                            ['not', ['siteId' => array_keys($supportedSites)]],
-                        ]
-                    );
+                    $deleteCondition = [
+                        'and',
+                        ['elementId' => $element->id],
+                        ['not', ['siteId' => array_keys($supportedSites)]],
+                    ];
+
+                    Db::deleteIfExists(Table::ELEMENTS_SITES, $deleteCondition);
+                    Db::deleteIfExists(Table::SEARCHINDEX, $deleteCondition);
+                    Db::deleteIfExists(Table::SEARCHINDEXQUEUE, $deleteCondition);
                 }
 
                 // Invalidate any caches involving this element

src/services/Search.php

@@ -581,20 +581,20 @@ public function deleteOrphanedIndexes(): void
     {
         $db = Craft::$app->getDb();
         $searchIndexTable = Table::SEARCHINDEX;
-        $elementsTable = Table::ELEMENTS;
+        $elementsSitesTable = Table::ELEMENTS_SITES;
 
         if ($db->getIsMysql()) {
             $sql = <<<SQL
 DELETE s.* FROM $searchIndexTable s
-LEFT JOIN $elementsTable e ON e.id = s.elementId
-WHERE e.id IS NULL
+LEFT JOIN $elementsSitesTable es ON es.elementId = s.elementId AND es.siteId = s.siteId
+WHERE es.elementId IS NULL
 SQL;
         } else {
             $sql = <<<SQL
 DELETE FROM $searchIndexTable s
 WHERE NOT EXISTS (
-    SELECT * FROM $elementsTable
-    WHERE id = s."elementId"
+    SELECT * FROM $elementsSitesTable
+    WHERE "elementId" = s."elementId" AND "siteId" = s."siteId"
 )
 SQL;
         }
@@ -610,20 +610,20 @@ public function deleteOrphanedIndexJobs(): void
     {
         $db = Craft::$app->getDb();
         $searchIndexQueueTable = Table::SEARCHINDEXQUEUE;
-        $elementsTable = Table::ELEMENTS;
+        $elementsSitesTable = Table::ELEMENTS_SITES;
 
         if ($db->getIsMysql()) {
             $sql = <<<SQL
 DELETE q.* FROM $searchIndexQueueTable q
-LEFT JOIN $elementsTable e ON e.id = q.elementId
-WHERE e.id IS NULL
+LEFT JOIN $elementsSitesTable es ON es.elementId = q.elementId AND es.siteId = q.siteId
+WHERE es.elementId IS NULL
 SQL;
         } else {
             $sql = <<<SQL
 DELETE FROM $searchIndexQueueTable q
 WHERE NOT EXISTS (
-    SELECT * FROM $elementsTable
-    WHERE id = q."elementId"
+    SELECT * FROM $elementsSitesTable
+    WHERE "elementId" = q."elementId" AND "siteId" = q."siteId"
 )
 SQL;
         }