release-notes/4.7.26.md

   1 # CiviCRM 4.7.26
   2
   3 Released Nov 1, 2017
   4
   5 - **[Security advisories](#security)**
   6 - **[Credits](#credits)**
   7
   8 ## <a name="security"></a>Security advisories
   9
  10
  11 - **[CIVI-SA-2017-08](https://civicrm.org/advisory/civi-sa-2017-08-xss-in-html-link-attributes)** XSS in HTML link attributes
  12 - **[CIVI-SA-2017-09](https://civicrm.org/advisory/civi-sa-2017-09-shell-injection-vulerabilty-in-smarty)** Shell injection vulerabilty in Smarty
  13 - **[CIVI-SA-2017-10](https://civicrm.org/advisory/civi-sa-2017-10-xss-scripting-in-preimum-product-name)** XSS scripting in preimum product name
  14 - **[CIVI-SA-2017-11](https://civicrm.org/advisory/civi-sa-2017-11-xss-in-dedupe-rules)** XSS in dedupe rules
  15 - **[CIVI-SA-2017-12](https://civicrm.org/advisory/civi-sa-2017-12-xss-in-tag-description)** XSS in tag description
  16 - **[CIVI-SA-2017-13](https://civicrm.org/advisory/civi-sa-2017-13-selectedchild-url-paramater-not-properly-validated-for-civicrm-message)** SelectedChild URL parameter not properly validated
  17 - **[CIVI-SA-2017-14](https://civicrm.org/advisory/civi-sa-2017-14-xss-in-search-critiera-description)** XSS in Search Critiera Description
  18 - **[CIVI-SA-2017-15](https://civicrm.org/advisory/civi-sa-2017-15-extension-key-not-properly-validated-when-adding-or-disabling-or)** Extension key not properly validated
  19 - **[CIVI-SA-2017-16](https://civicrm.org/advisory/civi-sa-2017-16-sql-injection-risk-in-civireports-listing)** SQL injection risk in CiviReports
  20
  21 ## <a name="credits"></a>Credits
  22
  23 This release was developed by the following code authors:
  24
  25 Australian Greens - Seamus Lee; Left Join Labs - Sean Madsen
  26
  27 Most authors also reviewed code for this release; in addition, the following
  28 reviewers contributed their comments:
  29
  30 CiviCRM - Coleman Watts; JMA Consulting - Monish Deb; Wikimedia Foundation -
  31 Eileen McNaughton