# CiviCRM 6.15.3

Released Wed Jun 17 2026 21:00:00 GMT-0700 (GMT-07:00)

- **[Synopsis](#synopsis)**
- **[Security advisories](#security)**
- **[Credits](#credits)**
- **[Feedback](#feedback)**

## <a name="synopsis"></a>Synopsis

| *Does this version...?*                                         |          |
| --------------------------------------------------------------- | -------- |
| Change the database schema?                                     | no       |
| Alter the API?                                                  | no       |
| Require attention to configuration options?                     | no       |
| Fix problems installing or upgrading to a previous version?     | no       |
| Introduce features?                                             | no       |
| **Fix bugs?**                                                   | **yes**  |
| **Fix security vulnerabilities?**                               | **yes**  |

## <a name="bugs"></a>Bugs resolved

* **_Formbuilder_: Fix viewing of afform submissions ([dev/core#6576](https://lab.civicrm.org/dev/core/-/work_items/6576): [#35949](https://github.com/civicrm/civicrm-core/pull/35949))**
* **_Upgrade_: Fix translation table schema upgrade step and ensure that duplicate translation sources are not created ([dev/core#6570](https://lab.civicrm.org/dev/core/-/work_items/6570): [#35938](https://github.com/civicrm/civicrm-core/pull/35938): [#35959](https://github.com/civicrm/civicrm-core/pull/35959))**
* **_Formbuilder_: Fix reCAPTCHA v2 integration with formbuilder ([#35947](https://github.com/civicrm/civicrm-core/pull/35947))**
* **_Upgrade_: Fix missing progress bar on Drupal sites ([dev/core#6579](https://lab.civicrm.org/dev/core/-/work_items/6579): [#35969](https://github.com/civicrm/civicrm-core/pull/35968))**
* **_SearchKit_: Fix URL generation if the URL scheme is in upper case ([#35971](https://github.com/civicrm/civicrm-core/pull/35971))**
* **_APIv4_: Fix Event template autocomplete ([#35977](https://github.com/civicrm/civicrm-core/pull/35977))**
* **_Admin UI_: Fix rendering of click-through URLs if they have a mailto prefix ([dev/core#6508](https://lab.civicrm.org/dev/core/-/issues/6508): [#35979](https://github.com/civicrm/civicrm-core/pull/35979))**
* **_Formbuilder_: Fix unknown error on submission with verification link ([dev/core#6589](https://lab.civicrm.org/dev/core/-/work_items/6589): [#35988](https://github.com/civicrm/civicrm-core/pull/35988))**
* **_Formbuilder_: Return file information to client ([#35997](https://github.com/civicrm/civicrm-core/pull/35997))**
* **_CiviContribute_: Membership Type change reflected to ContributionRecur ([#35963](https://github.com/civicrm/civicrm-core/pull/35963))**

## <a name="security"></a>Security advisories

* **[CIVI-SA-2026-18](https://civicrm.org/advisory/civi-sa-2026-18-stored-xss-job-name): _Scheduled Jobs_: Stored XSS in Job Name (security/core#186: security/core#263)**
* **[CIVI-SA-2026-19](https://civicrm.org/advisory/civi-sa-2026-19-stored-xss-grant-type): _CiviGrant_: Stored XSS in Grant Type (security/core#185: security/core#264)**
* **[CIVI-SA-2026-20](https://civicrm.org/advisory/civi-sa-2026-20-stored-xss-website-url): _CiviContact_: Stored XSS in Website URL (security/core#183: security/core#272)**
* **[CIVI-SA-2026-21](https://civicrm.org/advisory/civi-sa-2026-21-stored-xss-event-template-title): _CiviEvent_: Stored XSS in Event Template (security/core#182: security/core#267)**
* **[CIVI-SA-2026-22](https://civicrm.org/advisory/civi-sa-2026-22-stored-xss-membership-type-title): _CiviMember_: Stored XSS in Membership Type (security/core#181: security/core#265, security/core#279)**
* **[CIVI-SA-2026-23](https://civicrm.org/advisory/civi-sa-2026-23-stored-xss-price-field-label): _CiviContribute_: Stored XSS in Price Field (security/core#180: security/core#268)**
* **[CIVI-SA-2026-24](https://civicrm.org/advisory/civi-sa-2026-24-rce-file-api): _File API_: RCE via File API (bypass of Civi-SA-2026-01) (security/core#179: security/core#269)**
* **[CIVI-SA-2026-25](https://civicrm.org/advisory/civi-sa-2026-25-stored-xss-tag-name): _CiviContact_: Stored XSS in Tag Name (security/core#184: security/core#270)**
* **[CIVI-SA-2026-26](https://civicrm.org/advisory/civi-sa-2026-26-unauthorized-access-files-api): _File API_: Unauthorized access to files via API (security/core#173: security/core#266)**
* **[CIVI-SA-2026-27](https://civicrm.org/advisory/civi-sa-2026-27-stored-xss-participant-status): _CiviEvent_: Stored XSS in Participant Status (security/core#169: security/core#267)**
* **[CIVI-SA-2026-28](https://civicrm.org/advisory/civi-sa-2026-28-remote-code-execution-extensions-api): _Extensions_: Escalation via Extension API (security/core#167: security/core#275)**
* **[CIVI-SA-2026-29](https://civicrm.org/advisory/civi-sa-2026-29-stored-xss-mailing-header-and-footer): _CiviMail_: Multiple Stored XSS in Mailings (security/core#158: security/core#245)**
* **[CIVI-SA-2026-30](https://civicrm.org/advisory/civi-sa-2026-30-stored-xss-file-attachments): _FileAPI_: Stored XSS in File Attachment (security/core#156: security/core#240)**
* **[CIVI-SA-2026-31](https://civicrm.org/advisory/civi-sa-2026-31-sqli-groupcontact-create-apiv3): _GroupContact_: SQLI in APIv3 GroupContact.create (security/core#152: security/core#277)**
* **[CIVI-SA-2026-32](https://civicrm.org/advisory/civi-sa-2026-32-stored-xss-profile-pre-and-post-help-fields): _Profile_: Stored XSS in profile pre and post fields and formatting fields (security/core#171: security/core#276)**
* **[CIVI-SA-2026-33](https://civicrm.org/advisory/civi-sa-2026-33-sqli-orderby-parameters): _OrderBy_: SQLI in OrderBy Params (security/core#278)**
* **[CIVI-SA-2026-34](https://civicrm.org/advisory/civi-sa-2026-34-sqli-financial-batch-ajax): _FinancialBatch_: SQLI in Financial Batch AJAX (security/core#281)**

## <a name="credits"></a>Credits

This release was developed by the following authors and reviewers:

Tadpole Collective - Kevin Cristiano; Lassi; JMA Consulting - Seamus Lee; Fuzion - Luke Stewart; Dave D; CiviCRM - Coleman Watts, Tim Otten; Benjamin W; Greenpeace Central and Eastern Europe - Patrick Figel; Johannes Filter (Medien in Bewegung e. V.); Cure53; Coop SymbioTIC - Samuel Vanhove; MJW Consulting - Matthew Wire; Nicol Wistreich; Megaphone Technology Consulting - Jon Goldberg; Wikimedia Foundation - Eileen McNaughton; speleo; civiservice.de - Gerhard Weber; Richard Baugh; Circle Interactive - Pradeep Nayak

## <a name="feedback"></a>Feedback

These security release-notes are edited by Tim Otten. If you'd like to provide feedback on them, please report an issue at https://lab.civicrm.org/dev/release/.