drupal-civicrm/sites/all/modules/civicrm/release-notes/4.7.26.md

# CiviCRM 4.7.26

Released Nov 1, 2017

- **[Security advisories](#security)**
- **[Credits](#credits)**

## <a name="security"></a>Security advisories


- **[CIVI-SA-2017-08](https://civicrm.org/advisory/civi-sa-2017-08-xss-in-html-link-attributes)** XSS in HTML link attributes
- **[CIVI-SA-2017-09](https://civicrm.org/advisory/civi-sa-2017-09-shell-injection-vulerabilty-in-smarty)** Shell injection vulerabilty in Smarty
- **[CIVI-SA-2017-10](https://civicrm.org/advisory/civi-sa-2017-10-xss-scripting-in-preimum-product-name)** XSS scripting in preimum product name
- **[CIVI-SA-2017-11](https://civicrm.org/advisory/civi-sa-2017-11-xss-in-dedupe-rules)** XSS in dedupe rules
- **[CIVI-SA-2017-12](https://civicrm.org/advisory/civi-sa-2017-12-xss-in-tag-description)** XSS in tag description
- **[CIVI-SA-2017-13](https://civicrm.org/advisory/civi-sa-2017-13-selectedchild-url-paramater-not-properly-validated-for-civicrm-message)** SelectedChild URL parameter not properly validated
- **[CIVI-SA-2017-14](https://civicrm.org/advisory/civi-sa-2017-14-xss-in-search-critiera-description)** XSS in Search Critiera Description
- **[CIVI-SA-2017-15](https://civicrm.org/advisory/civi-sa-2017-15-extension-key-not-properly-validated-when-adding-or-disabling-or)** Extension key not properly validated
- **[CIVI-SA-2017-16](https://civicrm.org/advisory/civi-sa-2017-16-sql-injection-risk-in-civireports-listing)** SQL injection risk in CiviReports

## <a name="credits"></a>Credits

This release was developed by the following code authors:

Australian Greens - Seamus Lee; Left Join Labs - Sean Madsen

Most authors also reviewed code for this release; in addition, the following
reviewers contributed their comments:

CiviCRM - Coleman Watts; JMA Consulting - Monish Deb; Wikimedia Foundation -
Eileen McNaughton
First commit 2018-01-14 15:10:16 +02:00			`# CiviCRM 4.7.26`

			`Released Nov 1, 2017`

			`- [Security advisories](#security)`
			`- [Credits](#credits)`

			`## <a name="security"></a>Security advisories`


			`- [CIVI-SA-2017-08](https://civicrm.org/advisory/civi-sa-2017-08-xss-in-html-link-attributes) XSS in HTML link attributes`
			`- [CIVI-SA-2017-09](https://civicrm.org/advisory/civi-sa-2017-09-shell-injection-vulerabilty-in-smarty) Shell injection vulerabilty in Smarty`
			`- [CIVI-SA-2017-10](https://civicrm.org/advisory/civi-sa-2017-10-xss-scripting-in-preimum-product-name) XSS scripting in preimum product name`
			`- [CIVI-SA-2017-11](https://civicrm.org/advisory/civi-sa-2017-11-xss-in-dedupe-rules) XSS in dedupe rules`
			`- [CIVI-SA-2017-12](https://civicrm.org/advisory/civi-sa-2017-12-xss-in-tag-description) XSS in tag description`
			`- [CIVI-SA-2017-13](https://civicrm.org/advisory/civi-sa-2017-13-selectedchild-url-paramater-not-properly-validated-for-civicrm-message) SelectedChild URL parameter not properly validated`
			`- [CIVI-SA-2017-14](https://civicrm.org/advisory/civi-sa-2017-14-xss-in-search-critiera-description) XSS in Search Critiera Description`
			`- [CIVI-SA-2017-15](https://civicrm.org/advisory/civi-sa-2017-15-extension-key-not-properly-validated-when-adding-or-disabling-or) Extension key not properly validated`
			`- [CIVI-SA-2017-16](https://civicrm.org/advisory/civi-sa-2017-16-sql-injection-risk-in-civireports-listing) SQL injection risk in CiviReports`

			`## <a name="credits"></a>Credits`

			`This release was developed by the following code authors:`

			`Australian Greens - Seamus Lee; Left Join Labs - Sean Madsen`

			`Most authors also reviewed code for this release; in addition, the following`
			`reviewers contributed their comments:`

			`CiviCRM - Coleman Watts; JMA Consulting - Monish Deb; Wikimedia Foundation -`
			`Eileen McNaughton`