# 🛡️ ChurchCRM 6.7.1 — Security Patch & Event Fix

> *Four security vulnerabilities patched. All users should upgrade.*

Released: January 2026

---

## ⚠️ Critical Security Fixes

This release patches four security vulnerabilities. All users on 6.x should update to 6.7.1 immediately.

---

### 🔴 Stored XSS — Calendar Events Description (GHSA-49qp-cfqx-c767)

A stored cross-site scripting vulnerability in the Calendar Events description field allowed injected scripts to execute in administrator and member sessions when viewing calendar events. Fixed with proper output escaping.

### 🔴 SQL Injection — Paddle Number Editor (GHSA-p3q7-q68q-h2gr)

A SQL injection vulnerability in `PaddleNumEditor.php` allowed crafted paddle number input to escape the query context. Fixed with parameterized queries.
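The general shape of the fix described above, as an added illustration that is not ChurchCRM's own code: a query that interpolates the request value into the SQL text next to the parameterized form. The table and column names, the in-memory SQLite database and the `findPaddle*` function names are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from ChurchCRM. An in-memory SQLite database stands
// in for the application's MySQL database so the file runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema and rows; not the project's real table layout.
$pdo->exec('CREATE TABLE paddle (id INTEGER PRIMARY KEY, num INTEGER NOT NULL, fundraiser_id INTEGER NOT NULL)');
$pdo->exec('INSERT INTO paddle (num, fundraiser_id) VALUES (101, 1), (102, 1), (201, 2)');

// Vulnerable pattern: the value taken from the request becomes part of the
// SQL text, so any quote or operator in it changes what the statement means.
function findPaddleVulnerable(PDO $pdo, string $paddleNum): array
{
    $sql = "SELECT id, num FROM paddle WHERE num = '" . $paddleNum . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: validate the shape of the value, then bind it as a
// parameter. The driver sends the value separately from the SQL text, so it
// is only ever treated as data, never as part of the query.
function findPaddleSafe(PDO $pdo, string $paddleNum): array
{
    // Defence in depth: a paddle number is a non-negative integer, so reject
    // anything else before it reaches the database at all.
    if (!ctype_digit($paddleNum)) {
        return [];
    }

    $stmt = $pdo->prepare('SELECT id, num FROM paddle WHERE num = :num');
    $stmt->bindValue(':num', (int) $paddleNum, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Well-formed input: both variants return the same row.
var_dump(findPaddleSafe($pdo, '101'));

// Malformed input (a stray quote): the safe variant simply returns no rows,
// whereas the string-built query would hand the quote to the SQL parser.
var_dump(findPaddleSafe($pdo, "101'"));
```

The `ctype_digit` check is not a substitute for the prepared statement; it is the extra layer that lets the endpoint fail closed on malformed input before a database round trip. The prepared statement is what actually closes the injection.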

### 🔴 Stored XSS — Fundraiser & Financial Modules (GHSA-8r36-fvxj-26qv)

Stored XSS vulnerabilities across several fundraiser and financial input fields allowed injected scripts to execute when viewing fundraiser summaries and financial reports. Fixed with consistent input escaping.

### 🔴 Stored XSS — Person & Group Property Values (GHSA-8r36-fvxj-26qv)

Person and group property values were rendered without escaping, allowing stored XSS via crafted property entries. Fixed with output escaping across all property value display points.
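All three stored-XSS items above (event descriptions, fundraiser and financial fields, person and group property values) share one remedy: escape the stored value for its HTML context at every point it is rendered. The following is an added illustration, not ChurchCRM's own code; the `escapeHtml` and `render*` helpers, the array-shaped record and the sample description are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from ChurchCRM.

// Escape a value for an HTML text or attribute context. ENT_QUOTES covers both
// single- and double-quoted attributes, ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, and the explicit charset avoids
// encoding-dependent surprises.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering: the stored value is concatenated into markup as-is,
// so any HTML it contains is interpreted by the viewer's browser.
function renderDescriptionVulnerable(array $record): string
{
    return '<div class="event-desc">' . $record['description'] . '</div>';
}

// Hardened rendering: escape at the output point. Escaping on output (rather
// than on input) keeps the stored data intact and protects every display
// path, including ones added later.
function renderDescriptionSafe(array $record): string
{
    return '<div class="event-desc">' . escapeHtml($record['description']) . '</div>';
}

// The same helper applies to attribute values, e.g. a property value shown in
// a form field; the quotes in the value cannot terminate the attribute.
function renderPropertyInputSafe(string $name, string $value): string
{
    return '<input type="text" name="' . escapeHtml($name) . '" value="' . escapeHtml($value) . '">';
}

// Constructed stored record; not data from a real ChurchCRM database. The
// markup and quotes in it are ordinary user text that must display literally.
$record = ['description' => 'Potluck <b>after</b> service & "bring a dish"'];

echo renderDescriptionSafe($record), PHP_EOL;
echo renderPropertyInputSafe('favorite_hymn', 'It\'s "Amazing Grace"'), PHP_EOL;
```

One caveat a practitioner will want: `htmlspecialchars` is correct only for HTML text and attribute contexts. A value inserted into a JavaScript string, a URL, or a CSS block needs the escaping rules of that context instead, which is why templates are easiest to audit when every output site names the context it is writing into.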

---

## 🐛 Bug Fixes

- **Edit Event creates new event** (issue #7918) — fixed a regression where editing an existing event created a duplicate instead of updating the original
- **Volunteer opportunity assignment** (issue #7917) — fixed a `BadMethodCallException` that prevented saving volunteer assignments
- **Tax Report memory exhaustion** (issue #7906) — fixed a circular object serialization issue that caused PHP to run out of memory on large tax reports
- **DataTables PDF export** now uses landscape orientation for better readability of wide tables

---

## 🌍 Localization

- Locale updated from POEditor

---

**Full Changelog**: https://github.com/ChurchCRM/CRM/compare/6.7.0...6.7.1
