Published
2026-06-15 19:52
When viewing a contact in the contact summary screen, the contact's website URL was not properly escaped.
Security Risk
Moderately Critical
Vulnerability
Cross Site Scripting
Affected Versions
CiviCRM v6.15.2 and earlier
Fixed Versions
CiviCRM v6.15.3, v6.10.7 (ESR), and later
Publication Date
Solutions
Upgrade to a fixed version of CiviCRM
Credits
Lassi (lassitemp@proton.me), Luke Stewart (Fuzion), Seamus Lee (JMA Consulting)
