Security Advisories

This page lists all security advisories since June 2013. For older security advisories see this post. Security release announcements (starting with v4.2) are also listed here.

To receive future CiviCRM security notices, subscribe to our notifications. Check here for details of our security policy and how to report a suspected security issue.

For organizations which use custom data with an access control list (ACL), backend users may use "Advanced Search" to discover implicit information from restricted fields.

Installations of CiviCRM (Standalone) include these default roles: "Everyone", "Administrator", and "Staff".

Previously, the default "Staff" role included permission to administer users. However, this is a powerful permission. Many systems should treat this as an "Administrator" permission.

If two users share access to the same client device, then a Session Fixation vulnerability enables the first user to impersonate the second user.

A user with permission to manage File uploads via APIv4 can escalate to executing arbitrary PHP files.

The March 18 release includes updates to several security issues -- notably CIVI-SA-2026-09: Dropdown Options (XSS). Some updates could have side-effects for other screens which use Quickform widgets (in CiviCRM and third-party add-ons), so we want to explore this in more detail.

The helper function CRM_Utils_String::createRandom() relies on a "cryptographically weak" random number generator.

A "weak" generator appears random but can sometimes be predicted. The significance depends on the specific use-cases which call this helper.

The "Accounting Batch" interface is vulnerable to a cross-site scripting issue.

Exploiting this vulnerability requires the "create manual batch" permission.

CiviCRM's qfKey protects against cross-site request-forgery (CSRF) attacks. The handling of the qfKey is weaker than expected.

Upgrade Note: The update changes the representation of the qfKey. If you apply the update at the same time that an active user is working with a web form, then the user may temporarily retain an old (invalid) qfKey. Their next form-submission may fail. However, this is quickly resolved by reloading the form (or navigating to any other form).

When embedding a saved-search in a custom form, administrators may pre-configure mandatory filter-criteria. In some cases, the mandatory criteria can be bypassed.

An authenticated user with permission to view file-attachments may be able to move/remove arbitrary files on the server.

Upgrade Note: This update constrains access to APIv4's File entity and the recently added option, move_file. The constraint parallels a similar constraint in APIv3's Attachment. To use the move_file option, you must invoke the API through a trusted channel (e.g. PHP-API) and set checkPermissions=>FALSE.

Some pop-up dialogs which include user-supplied titles may be vulnerable to cross-site scripting.

In the handling of Contact profile-images, there is a vulnerability to cross-site request forgery.