Bump getkirby/cms from 5.2.1 to 5.2.2

[dependabot]

Bumps getkirby/cms from 5.2.1 to 5.2.2.

Release notes

Sourced from getkirby/cms's releases.

5.2.2

[!CAUTION]

🚨 Security

Missing permission checks in the content changes API

CVE ID: CVE-2026-21896 Severity: medium (CVSS score 5.8)

This vulnerability affects all Kirby sites (Kirby 5.0.0-5.2.1) where user permissions are configured to prevent specific role(s) from performing write actions, specifically by disabling the update permission with the intent to prevent modifications to site content.

If you haven't configured any user permissions that deviate from the default of allowing all actions, your site is not affected.

🐛 Bug fixes

• Prevent error when calling Remote::json() with single-value JSON content (e.g. a single string, single int) #7806
• Fixed Kirby\Toolkit\Dom for newer libxml versions #7802
• Writer field: fixed inline toolbar position on views without Panel menu #7799
• $collection->group(callable) should accept empty string result as key #7830
• Fixed filename field bug in upload dialog #7662

♻️ Refactored

• Reset $_SERVER manipulation in tests #7807

Commits

• 55563aa Merge pull request #7862 from getkirby/release/5.2.2
• cc6f36b build: Preflight for 5.2.2
• d50b9e8 fix: Handle response error correctly on discard
• f5ce134 fix: Check permissions in Changes controller
• 3d944a3 Merge pull request #7827 from getkirby/fix/7662-slug-rules-initial-value
• aa1becb fix: accept empty string as valid group key #7733
• 6ebd33e fix: Writer toolbar position without Panel menu (#7799)
• 5f91571 Merge pull request #7802 from getkirby/fix/dom-libxml
• ff770f7 test: Reset $_SERVER manipulation (#7807)
• f9bcb93 fix: Ensure Remote::json() return types (#7806)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.