CIVI-SA-2026-30: Stored XSS in File Attachments

Published
2026-06-15 20:21
Written by
Security Risk
Moderately Critical
Vulnerability
Cross Site Scripting
Affected Versions

CiviCRM v6.15.2 and earlier

Fixed Versions

CiviCRM v6.15.3, v6.10.7 (ESR), and later

Publication Date
Solutions

Upgrade to a fixed version of CiviCRM

Credits

Lassi (lassitemp@proton.me), Luke Stewart (Fuzion), Seamus Lee (JMA Consulting), Coleman Watts (CiviCRM), Tim Otten (CiviCRM), Patrick Figel (Greenpeace Central and Eastern Europe)