# CiviCRM 6.9.1

Released December 17, 2025

- **[Synopsis](#synopsis)**
- **[Security advisories](#security)**
- **[Bugs resolved](#bugs)**
- **[Credits](#credits)**
- **[Feedback](#feedback)**

## <a name="synopsis"></a>Synopsis

| *Does this version...?*                                         |          |
| --------------------------------------------------------------- | -------- |
| Change the database schema?                                     | no       |
| Alter the API?                                                  | no       |
| Require attention to configuration options?                     | no       |
| Fix problems installing or upgrading to a previous version?     | no       |
| Introduce features?                                             | no       |
| **Fix bugs?**                                                   | **yes**  |
| **Fix security vulnerabilities?**                               | **yes**  |

## <a name="security"></a>Security advisories

* **[CIVI-SA-2025-07](https://civicrm.org/advisory/civi-sa-2025-07-accounting-batch-xss): Accounting Batch XSS (security/core#147: security/core#220, security/core#222)**
* **[CIVI-SA-2026-08](https://civicrm.org/advisory/civi-sa-2026-08-harden-createrandom): Harden createRandom() (security/core#221)**

## <a name="bugs"></a>Bugs resolved

* **_Custom Data_: The "Required" flag may be enforced incorrectly. ([dev/core#6124](https://lab.civicrm.org/dev/core/-/issues/6124): [#34279](https://github.com/civicrm/civicrm-core/pull/34279))**
* **_Form Builder_: Auto-completion fails when using secret links. ([dev/core#6225](https://lab.civicrm.org/dev/core/-/issues/6225): [#34224](https://github.com/civicrm/civicrm-core/pull/34224))**
* **_Pingbacks_: If reporting Civi version, then also report Smarty version.**
* **_Smarty v2_: "Manage Extensions" screen does not work on Smarty v2. ([dev/core#6249](https://lab.civicrm.org/dev/core/-/issues/6249): [#34288](https://github.com/civicrm/civicrm-core/pull/34288))**

## <a name="credits"></a>Credits

This release was developed by the following authors and reviewers:

Wikimedia Foundation - Eileen McNaughton; Tadpole Collective - Kevin Cristiano; nicholash;
Nadaillac; JMA Consulting - Seamus Lee; Fuzion - Luke Stewart; Dave D; CiviCRM - Tim
Otten, Coleman Watts; CiviCoop - Jaap Jansma 

## <a name="feedback"></a>Feedback

These security release-notes are edited by Tim Otten.  If you'd like to provide
feedback on them, please report an issue at https://lab.civicrm.org/dev/release/.