# CiviCRM 4.7.26

Released Nov 1, 2017

- **[Security advisories](#security)**
- **[Credits](#credits)**

## <a name="security"></a>Security advisories


- **[CIVI-SA-2017-08](https://civicrm.org/advisory/civi-sa-2017-08-xss-in-html-link-attributes)** XSS in HTML link attributes
- **[CIVI-SA-2017-09](https://civicrm.org/advisory/civi-sa-2017-09-shell-injection-vulerabilty-in-smarty)** Shell injection vulerabilty in Smarty
- **[CIVI-SA-2017-10](https://civicrm.org/advisory/civi-sa-2017-10-xss-scripting-in-preimum-product-name)** XSS scripting in preimum product name
- **[CIVI-SA-2017-11](https://civicrm.org/advisory/civi-sa-2017-11-xss-in-dedupe-rules)** XSS in dedupe rules
- **[CIVI-SA-2017-12](https://civicrm.org/advisory/civi-sa-2017-12-xss-in-tag-description)** XSS in tag description
- **[CIVI-SA-2017-13](https://civicrm.org/advisory/civi-sa-2017-13-selectedchild-url-paramater-not-properly-validated-for-civicrm-message)** SelectedChild URL parameter not properly validated
- **[CIVI-SA-2017-14](https://civicrm.org/advisory/civi-sa-2017-14-xss-in-search-critiera-description)** XSS in Search Critiera Description
- **[CIVI-SA-2017-15](https://civicrm.org/advisory/civi-sa-2017-15-extension-key-not-properly-validated-when-adding-or-disabling-or)** Extension key not properly validated
- **[CIVI-SA-2017-16](https://civicrm.org/advisory/civi-sa-2017-16-sql-injection-risk-in-civireports-listing)** SQL injection risk in CiviReports

## <a name="credits"></a>Credits

This release was developed by the following code authors:

Australian Greens - Seamus Lee; Left Join Labs - Sean Madsen

Most authors also reviewed code for this release; in addition, the following
reviewers contributed their comments:

CiviCRM - Coleman Watts; JMA Consulting - Monish Deb; Wikimedia Foundation -
Eileen McNaughton