CIVI-SA-2026-21: Stored XSS in Event Template Title

Published
2026-06-15 19:55
Written by

When viewing a list of Event Templates, the event template title was not properly escaped.

Security Risk
Moderately Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM v6.15.2 and earlier

Fixed Versions

CiviCRM v6.15.3, v6.10.7 (ESR), and later

Publication Date
Solutions

Upgrade to a fixed version of CiviCRM,

Credits

Lassi (lassitemp@proton.me), Seamus Lee (JMA Consulting), Coleman Watts (CiviCRM)