# CiviCRM 6.4.1

Released August 6, 2025

- **[Synopsis](#synopsis)**
- **[Security advisories](#security)**
- **[Bugs resolved](#bugs)**
- **[Credits](#credits)**
- **[Feedback](#feedback)**

## <a name="synopsis"></a>Synopsis

| *Does this version...?*                                         |          |
| --------------------------------------------------------------- | -------- |
| Change the database schema?                                     | no       |
| **Alter the API?**                                              | **yes**  |
| Require attention to configuration options?                     | no       |
| **Fix problems installing or upgrading to a previous version?** | **yes**  |
| Introduce features?                                             | no       |
| Fix bugs?                                                       | no       |
| **Fix security vulnerabilities?**                               | **yes**  |

## <a name="security"></a>Security advisories

* **[CIVI-SA-2025-01](https://civicrm.org/advisory/civi-sa-2025-01-insufficient-permission-denial): Insufficient Permission Denial (security/core#200, security/core#208)**
* **[CIVI-SA-2025-02](https://civicrm.org/advisory/civi-sa-2025-02-contact-images-csrf): Contact Images (CSRF) (security/core#195)**
* **[CIVI-SA-2025-03](https://civicrm.org/advisory/civi-sa-2025-03-dialog-title-xss): Dialog Title (XSS) (security/core#203)**
* **[CIVI-SA-2025-04](https://civicrm.org/advisory/civi-sa-2025-04-arbitrary-file-move): Arbitrary File Move (security/core#142: security/core#201)**

  Updates to APIv4 `File` could affect recent customizations. The `move_file` option will only be accepted from trusted callers.
* **[CIVI-SA-2025-05](https://civicrm.org/advisory/civi-sa-2025-05-embedded-searches): Embedded Searches (security/core#197)**
* **[CIVI-SA-2025-06](https://civicrm.org/advisory/civi-sa-2025-06-weak-csrf-key): Weak CSRF Key (security/core#140: security/core#207)**

  Updates to the CSRF key may briefly interrupt users with an active/open web-form.

## <a name="bugs"></a>Bugs resolved

* **_Upgrader_: Error upgrading core when extension has new schema file ([dev/core#6022](https://lab.civicrm.org/dev/core/-/issues/6022): [#33364](https://github.com/civicrm/civicrm-core/pull/33364))**

## <a name="credits"></a>Credits

This release was developed by the following authors and reviewers:

Sjoerd Langkemper; Progressive Technology Project - Jamie McClelland; JMA Consulting - Seamus Lee; Dave D; CiviCRM - Tim Otten, Coleman Watts; Benjamin W

## <a name="feedback"></a>Feedback

These security release-notes are edited by Tim Otten. If you'd like to provide feedback on them, please report an issue at https://lab.civicrm.org/dev/release/.