Security Advisories

This page lists all security advisories since June 2013. For older security advisories see this post. Security release announcements (starting with v4.2) are also listed here.

To receive future CiviCRM security notices, subscribe to our notifications. Check here for details of our security policy and how to report a suspected security issue.

In CiviMail, multiple fields and screens could be used as vectors for cross-site scripting.

Exploiting this requires that the attacker have permission to manage CiviMail content.

The Extension Download API provides administrators with tools for installing and sideloading extensions. The API is available in PHP, HTTP, CLI, etc. To execute the API, both the POSIX process and the CiviCRM user must have certain permissions.

The issue here is not a specific vulnerability in the API; on its own, it respects ordinary permissioning. However, if the system has another vulnerability (such as XSS), then the Extension Download API is an appealing target for escalation.

On the "Find Participants" search, the participant status field was not properly escaped.

Multiple entry points in APIv3 allowed arbitrary files to be moved from the server filesystem.

When viewing a contact or viewing the manage tags screen, the tag name and tag set names were not properly escaped.

In the File API, there was insufficient validation of the uri field to prevent path traversal. This is a follow-up to CIVI-SA-2026-01.
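The two filesystem entries above describe the same failure mode: a path supplied through the API was used without checking that it stayed inside the intended directory. The following is an added example, not CiviCRM's own code, of the containment check a reviewer would look for. The upload directory, the function name and the sample URIs are assumptions made for illustration; the check works on the string level so it does not need the target file to exist, which matters for "move" operations where the destination is new.

```php
<?php
// Added example (not CiviCRM code): reject "uri" values that escape the
// upload directory. Directory name, function name and inputs are assumptions.

declare(strict_types=1);

/**
 * Return the canonical path of $uri inside $baseDir, or null if $uri would
 * not stay inside it. Resolves "." and ".." segments, and rejects absolute
 * paths, scheme prefixes (php://, file://), backslashes and NUL bytes.
 */
function resolveWithinDir(string $baseDir, string $uri): ?string
{
    // A NUL byte can truncate the path in the underlying C-level file calls.
    if (strpos($uri, "\0") !== false) {
        return null;
    }
    // Normalise backslashes so "..\\" is not treated as an ordinary file name.
    $uri = str_replace('\\', '/', $uri);
    // Absolute paths and anything that looks like "scheme:" are never allowed.
    if ($uri === '' || $uri[0] === '/' || preg_match('#^[A-Za-z][A-Za-z0-9+.-]*:#', $uri)) {
        return null;
    }
    $parts = [];
    foreach (explode('/', $uri) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if (empty($parts)) {
                return null; // would climb above $baseDir
            }
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    if (empty($parts)) {
        return null; // the directory itself is not a file
    }
    return rtrim($baseDir, '/') . '/' . implode('/', $parts);
}

$uploadDir = '/var/www/sites/default/files/civicrm/custom'; // assumed location

// Constructed inputs: two benign, five that must be rejected.
$cases = [
    'report.pdf',
    'sub/../report.pdf',
    '../../../../etc/passwd',
    '..\\..\\config.php',
    '/etc/passwd',
    'php://filter/resource=x',
    "report.pdf\0.txt",
];

foreach ($cases as $uri) {
    $resolved = resolveWithinDir($uploadDir, $uri);
    printf("%-30s => %s\n", addcslashes($uri, "\0"), $resolved ?? 'REJECTED');
}
```

Only the first two inputs resolve to a path under the upload directory; the rest return null. Doing the check on the normalised string rather than with `realpath()` avoids the case where `realpath()` returns false for a not-yet-existing destination and the caller falls back to the raw value.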

The price field label was not properly escaped for select price fields.

When viewing a list of membership types or adding a new membership, the membership type frontend title was not properly escaped.

When viewing a list of Event Templates, the event template title was not properly escaped.

When viewing a contact in the contact summary screen, the contact's website URL was not properly escaped.

When viewing a grant or printing a list of grants, the Grant Type label and Grant Status labels were not properly escaped.

When viewing a scheduled job, the job name was not properly escaped when displayed.
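The "not properly escaped" entries above share one root cause: a label or URL entered by a privileged user reached the page without HTML escaping at output time. The following is an added example, not CiviCRM's own code (CiviCRM renders through Smarty templates, where the fix is applying the escape modifier in the template), showing the vulnerable pattern beside the fixed one. It also shows why the contact website URL case needs scheme validation in addition to escaping: HTML-escaping a `javascript:` URL leaves it fully executable inside `href`. The helper names and sample inputs are constructed for illustration.

```php
<?php
// Added example (not CiviCRM code): escape at output, in the right context.
// Helper names and the sample inputs below are constructed for illustration.

declare(strict_types=1);

/** HTML-escape for text and attribute context. */
function e(string $s): string
{
    // ENT_QUOTES covers both quote styles so the value is safe inside attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Only http(s) URLs may become clickable links; anything else is shown as text. */
function safeHref(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])) {
        return null;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true) ? $url : null;
}

// Vulnerable: a stored label (price field, membership type, tag, ...) is
// interpolated into the markup as-is.
function renderLabelUnsafe(string $label): string
{
    return "<option value=\"1\">{$label}</option>";
}

// Fixed: the same label escaped at the point of output.
function renderLabelSafe(string $label): string
{
    return '<option value="1">' . e($label) . '</option>';
}

// Website link on a contact summary: escaping alone is not enough for href.
function renderWebsite(string $url): string
{
    $href = safeHref($url);
    if ($href === null) {
        return '<span>' . e($url) . '</span>';
    }
    return '<a href="' . e($href) . '" rel="noopener">' . e($href) . '</a>';
}

// Constructed inputs of the kind a user with edit rights could store.
$label = 'Gold <script>alert(1)</script>';
$url   = 'javascript:alert(1)';

echo renderLabelUnsafe($label), "\n"; // script element reaches the browser intact
echo renderLabelSafe($label), "\n";   // &lt;script&gt;... is rendered as text
echo renderWebsite($url), "\n";       // javascript: URL shown as text, not a link
echo renderWebsite('https://example.org/?q=a&b=1'), "\n"; // & becomes &amp; in the attribute
```

The escaping belongs at the output layer, not at save time: a value escaped on input is wrong for every other context it is later used in (email, CSV export, API responses) and tends to get double-escaped or un-escaped along the way. For the link case, the allowlist on the scheme is the control; `e()` only prevents breaking out of the attribute.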

On May 20–27, 2026, Symfony published 36 security advisories alongside security releases for Symfony 5.4.52, 6.4.40, 7.4.12, 8.0.12, and Twig 3.26.0. The CiviCRM security team has reviewed these advisories and assessed their impact on CiviCRM. The security team has determined that these advisories have low to no impact on CiviCRM.

For organizations which use custom data with an access control list (ACL), backend users could use "Advanced Search" to infer information from fields the ACL restricts.