CIVI-SA-2026-29: Multiple Stored XSS in Mailings

Published
2026-06-15 20:19
Written by

In CiviMail, multiple fields and screens could be used as vectors for cross-site scripting.

Exploiting this requires that the attacker have permission to manage CiviMail content.

Security Risk
Moderately Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM v6.15.2 and earlier

Fixed Versions

CiviCRM v6.15.3, v6.10.7 (ESR), and later

Publication Date
Solutions

Upgrade to a fixed version of CiviCRM

Credits

Patrick Figel (Greenpeace Central and Eastern Europe), Lassi (lassitemp@proton.me), Johannes Filter (Medien in Bewegung e. V), Luke Stewart (Fuzion), Seamus Lee (JMA Consulting), Tim Otten (CiviCRM), Benjamin W