CIVI-SA-2026-19: Stored XSS in Grant Type

Published
2026-06-15 19:47
Written by

When viewing a grant or printing a list of grants the Grant type label and Grant Status labels were not properly escaped

Security Risk
Moderately Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM v6.15.2 and earlier

Fixed Versions

CiviCRM v6.15.3, v6.10.7 (ESR), and later

Publication Date
Solutions

Upgrade to a fixed version of CiviCRM

Credits

Lassi (lassitemp@proton.me), Kevin Cristiano (Tadepole Collective) Seamus Lee (JMA Consulting)