# CiviCRM 6.12.1

Released March 18, 2026

- **[Synopsis](#synopsis)**
- **[Security advisories](#security)**
- **[Bugs resolved](#bugs)**
- **[Credits](#credits)**
- **[Feedback](#feedback)**

## <a name="synopsis"></a>Synopsis

| *Does this version...?*                                         |          |
| --------------------------------------------------------------- | -------- |
| Change the database schema?                                     | no       |
| **Alter the API?**                                              | **yes**  |
| Require attention to configuration options?                     | no       |
| **Fix problems installing or upgrading to a previous version?** | **yes**  |
| Introduce features?                                             | no       |
| **Fix bugs?**                                                   | **yes**  |
| **Fix security vulnerabilities?**                               | **yes**  |

## <a name="security"></a>Security advisories

* **[CIVI-PSA-2026-01](https://civicrm.org/advisory/civi-psa-2026-01-quickform-widgets): Quickform Widgets**
* **[CIVI-SA-2026-01](https://civicrm.org/advisory/civi-sa-2026-01-file-api-remote-code-execution): _File API_: Remote Code Execution**
* **[CIVI-SA-2026-02](https://civicrm.org/advisory/civi-sa-2026-02-standalone-session-fixation): _Standalone_: Session Fixation**
* **[CIVI-SA-2026-03](https://civicrm.org/advisory/civi-sa-2026-03-standalone-extraneous-staff-permission): _Standalone_: Extraneous Staff Permission**
* **[CIVI-SA-2026-04](https://civicrm.org/advisory/civi-sa-2026-04-accounting-batches-xss): Accounting Batches (XSS)**
* **[CIVI-SA-2026-05](https://civicrm.org/advisory/civi-sa-2026-05-apiv3-explorer-xss): APIv3 Explorer (XSS)**
* **[CIVI-SA-2026-06](https://civicrm.org/advisory/civi-sa-2026-06-contact-notes-xss): Contact Notes (XSS)**
* **[CIVI-SA-2026-07](https://civicrm.org/advisory/civi-sa-2026-07-contact-summary-xss): Contact Summary (XSS)**
* **[CIVI-SA-2026-08](https://civicrm.org/advisory/civi-sa-2026-08-custom-data-settings-xss): Custom Data Settings (XSS)**
* **[CIVI-SA-2026-09](https://civicrm.org/advisory/civi-sa-2026-09-dropdown-options-xss): Dropdown Options (XSS)**
* **[CIVI-SA-2026-10](https://civicrm.org/advisory/civi-sa-2026-10-group-descriptions-xss): Group Descriptions (XSS)**
* **[CIVI-SA-2026-11](https://civicrm.org/advisory/civi-sa-2026-11-message-templates-xss): Message Templates (XSS)**
* **[CIVI-SA-2026-12](https://civicrm.org/advisory/civi-sa-2026-12-pdf-formats-xss): PDF Formats (XSS)**
* **[CIVI-SA-2026-13](https://civicrm.org/advisory/civi-sa-2026-13-riverlea-settings-xss): Riverlea Settings (XSS)**
* **[CIVI-SA-2026-14](https://civicrm.org/advisory/civi-sa-2026-14-scheduled-jobs-xss): Scheduled Jobs (XSS)**
* **[CIVI-SA-2026-15](https://civicrm.org/advisory/civi-sa-2026-15-unvalidated-script-search-display): Unvalidated Script in Search-Display**
* **[CIVI-SA-2026-16](https://civicrm.org/advisory/civi-sa-2026-16-path-traversal-contact-importer): Path Traversal in Contact Importer**
* **[CIVI-SA-2026-17](https://civicrm.org/advisory/civi-sa-2026-17-advanced-search-custom-data): Advanced Search with Custom Data**

## <a name="bugs"></a>Bugs resolved

* **_Extensions_: Mark "minifier" as obsolete ([#35138](https://github.com/civicrm/civicrm-core/pull/35138))**
* **_Form Builder_: Cleanup display of validation messages ([dev/core#6365](https://lab.civicrm.org/dev/core/-/issues/6365): [#35094](https://github.com/civicrm/civicrm-core/pull/35094))**
* **_Form Builder_: Fix display of certain error messages ([#35039](https://github.com/civicrm/civicrm-core/pull/35039), [#35041](https://github.com/civicrm/civicrm-core/pull/35041))**
* **_Form Builder_: Fix support for certain `[...]` tokens ([#35129](https://github.com/civicrm/civicrm-core/pull/35129))**
* **_Form Builder_: Fix new warning about null values ([#35037](https://github.com/civicrm/civicrm-core/pull/35037))**
* **_Outbound Mail_: Fix new warning. Finish conversion. ([dev/core#6251](https://lab.civicrm.org/dev/core/-/issues/6251): [#35038](https://github.com/civicrm/civicrm-core/pull/35038))**
* **_Search Kit_: Cleanup duplicate call ([#35054](https://github.com/civicrm/civicrm-core/pull/35054))**
* **_Smarty_: Cleanup leftover files ([packages#428](https://github.com/civicrm/civicrm-packages/pull/428), [#35141](https://github.com/civicrm/civicrm-core/pull/35141))**
* **_Tests_: Fix compatibility with newest upgrade-tests ([#35123](https://github.com/civicrm/civicrm-core/pull/35123))**
* **_Upgrader_: Web-based upgrade may fail if CiviGrant is active ([dev/core#6379](https://lab.civicrm.org/dev/core/-/issues/6379): [#35102](https://github.com/civicrm/civicrm-core/pull/35102))**

## <a name="credits"></a>Credits

This release was developed by the following authors and reviewers:

Wikimedia Foundation - Eileen McNaughton; Stephen Palmstrom; shahrukh-compuco; JMA
Consulting - Seamus Lee; Fuzion - Luke Stewart; Dave D; CiviCRM - Coleman Watts, Tim
Otten; Blackfly Solutions - Alan Dixon

## <a name="feedback"></a>Feedback

These release notes are edited by Tim Otten and Andie Hunt.  If you'd like to
provide feedback on them, please login to https://chat.civicrm.org/civicrm and
contact `@agh1`.