There has been a security release for CiviCRM. Upgrades are available for:
- CiviCRM v6.12.1 (download, release notes)
- CiviCRM v6.10 ESR (info, download, release notes)
Update 2026-03-24: 6.12.2 has been released to fix a few bugs:
- CiviCRM v6.12.2 (download, release notes)
- CiviCRM v6.10 ESR (info, download, release notes)
One known bug remains in 6.12.2: Price Set labels are still incorrectly escaped.
These upgrades address the following security issues:
- CIVI-PSA-2026-01: Quickform Widgets
- CIVI-SA-2026-01: File API: Remote Code Execution
- CIVI-SA-2026-02: Standalone: Session Fixation
- CIVI-SA-2026-03: Standalone: Extraneous Staff Permission
- CIVI-SA-2026-04: Accounting Batches (XSS)
- CIVI-SA-2026-05: APIv3 Explorer (XSS)
- CIVI-SA-2026-06: Contact Notes (XSS)
- CIVI-SA-2026-07: Contact Summary (XSS)
- CIVI-SA-2026-08: Custom Data Settings (XSS)
- CIVI-SA-2026-09: Dropdown Options (XSS)
- CIVI-SA-2026-10: Group Descriptions (XSS)
- CIVI-SA-2026-11: Message Templates (XSS)
- CIVI-SA-2026-12: PDF Formats (XSS)
- CIVI-SA-2026-13: Riverlea Settings (XSS)
- CIVI-SA-2026-14: Scheduled Jobs (XSS)
- CIVI-SA-2026-15: Unvalidated Script in Search-Display
- CIVI-SA-2026-16: Path Traversal in Contact Importer
- CIVI-SA-2026-17: Advanced Search with Custom Data
Learn more about subscribing to Extended Security Releases (ESR).
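A version gate for the releases listed above, as an added example rather than CiviCRM project code. It encodes only what this announcement states: the security fixes shipped in 6.12.1, 6.12.2 is the follow-up bugfix release to install, and a 6.10 ESR release is also available. The page does not give the 6.10 ESR patch level, so the `esr_fixed` parameter is an assumption the operator fills in from the ESR release notes; the sample version strings at the bottom are constructed.

```python
"""Version gate for the CiviCRM security release announced above.

Added example, not CiviCRM project code. It encodes only what the announcement
states: the security fixes shipped in 6.12.1, 6.12.2 is the follow-up bugfix
release to install, and a 6.10 ESR release also exists. The ESR patch level is
not given on the page, so it is an explicit parameter (esr_fixed), not a constant.
"""
import re

SECURITY_FIXED_612 = (6, 12, 1)   # first 6.12 release carrying the security fixes
RECOMMENDED_612 = (6, 12, 2)      # bugfix follow-up named in the update
ESR_SERIES = (6, 10)              # ESR series named on the page

# X.Y.Z, or a pre-release X.Y.alpha1 / X.Y.beta1 / X.Y.rc1
_VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+|(?:alpha|beta|rc)\d*)$')


def parse_version(text):
    """Parse a CiviCRM version string into a comparable (major, minor, patch) tuple.

    Pre-releases sort as patch -1 so they compare below X.Y.0 of the same series.
    Anything unrecognised raises ValueError rather than being guessed at.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CiviCRM version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch.isdigit() else -1)


def assess(installed, esr_fixed=None):
    """Return (status, advice) for an installed version string.

    status is one of 'fixed', 'upgrade', 'unknown', 'newer'.
    esr_fixed: the 6.10 ESR release carrying the fixes (e.g. '6.10.N'), taken
    from the ESR release notes; None means 6.10.x cannot be decided here.
    """
    v = parse_version(installed)
    series = v[:2]

    if series == (6, 12):
        if v < SECURITY_FIXED_612:
            return ("upgrade", f"{installed} predates the fixes; install 6.12.2")
        if v < RECOMMENDED_612:
            return ("fixed", f"{installed} has the security fixes; 6.12.2 adds the bug fixes")
        return ("fixed", f"{installed} is current for this advisory")

    if series == ESR_SERIES:
        if esr_fixed is None:
            return ("unknown", "6.10 ESR patch level not given here; check the ESR release notes")
        if v < parse_version(esr_fixed):
            return ("upgrade", f"{installed} predates ESR release {esr_fixed}")
        return ("fixed", f"{installed} is at or above ESR release {esr_fixed}")

    if series > (6, 12):
        return ("newer", f"{installed} is newer than this release; consult later advisories")

    return ("upgrade",
            f"no fixed release is listed for {series[0]}.{series[1]}; move to 6.12.2 or 6.10 ESR")


if __name__ == "__main__":
    # Constructed sample inputs. On a live site, obtain the string with
    # `cv ev 'echo CRM_Utils_System::version();'` and pass it to assess().
    for sample in ("6.12.2", "6.12.0", "6.12.alpha1", "6.10.3", "6.9.2", "6.13.0"):
        status, advice = assess(sample)
        print(f"{sample:12} {status:8} {advice}")
```

Feed it the string reported by `cv ev 'echo CRM_Utils_System::version();'` on each site; for a 6.10 ESR install, pass the ESR release number from its release notes as `esr_fixed`, otherwise the check deliberately reports `unknown` rather than guessing.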
Support CiviCRM
We are committed to keeping CiviCRM free and open, forever. We depend on your support to help make that happen.
- Make a donation or contribute to a Make it happen campaign.
- If your organization wants to support our work, please become a member today.
- If you are a CiviCRM service provider, please become a partner.
CiviCRM is community driven and is sustained through contributions, good vibes, solidarity, and financial support from its community. Help CiviCRM do a world of good.
