Published
2026-06-15 20:08
With multiple entry-points in APIv3, there was an ability to move arbitrary files from the server filesystem.
Security Risk
Critical
Vulnerability
Access Bypass
Affected Versions
CiviCRM v6.15.2 and earlier
Fixed Versions
CiviCRM v6.15.3, v6.10.7 (ESR), and later
Publication Date
Solutions
Upgrade to a fixed version of CiviCRM
Credits
Tim Otten (CiviCRM), Coleman Watts (CiviCRM), Dave D
