Közzétéve
2026-06-17 17:17
There has been a security release for CiviCRM. Upgrades are available for:
- CiviCRM v6.15.3 (download, release notes)
- CiviCRM v6.10 ESR (info, download, release notes)
These upgrades address the following security issues:
- CIVI-SA-2026-18: Stored XSS in Job Name
- CIVI-SA-2026-19: Stored XSS in Grant Type
- CIVI-SA-2026-20: Stored XSS in Website URL
- CIVI-SA-2026-21: Stored XSS in Event Template Title
- CIVI-SA-2026-22: Stored XSS in Membership Type frontend title
- CIVI-SA-2026-23: Stored XSS in Price Field label
- CIVI-SA-2026-24: RCE via File API
- CIVI-SA-2026-25: Stored XSS in Tag Name
- CIVI-SA-2026-26: Unauthorized access to Files via APIv3
- CIVI-SA-2026-27: Stored XSS in Participant Status
- CIVI-SA-2026-28: Escalation via Extension Download API
- CIVI-SA-2026-29: Multiple Stored XSS in Mailings
- CIVI-SA-2026-30: Stored XSS in File Attachments
- CIVI-SA-2026-31: SQLI in GroupContact Create APIv3
- CIVI-SA-2026-32: Stored XSS in Profile Help
- CIVI-SA-2026-33: SQLI in OrderBy Parameters
- CIVI-SA-2026-34: SQLI in Financial Batch AJAX
Learn more about subscribing to Extended Security Releases (ESR).
Support CiviCRM
We are committed to keeping CiviCRM free and open, forever. We depend on your support to help make that happen.
- Make a donation or contribute to a Make it happen campaign.
- If your organization wants to support our work, please become a member today.
- If you are a CiviCRM service provider, please become a partner.
CiviCRM is community driven and is sustained through contributions, good vibes, solidarity, and financial support from its community. Help CiviCRM do a world of good.
Filed under
