# 🛡️ ChurchCRM 6.7.2 — Person Properties XSS Patch

Released: January 2026

---

## Security Fix

- **Stored XSS in Person Property Management** (GHSA-8r36-fvxj-26qv) — an additional injection point for the Person Property XSS vulnerability patched in 6.7.1 was identified and fixed. The issue specifically affects the property management subsystem that administrators use to define and view custom person properties.

---

## Improvements

- **Photo Gallery** — photos-only filter now correctly shows all member photos across all classifications, not just the default group
- Photo gallery Cypress tests added for regression coverage
- Locale updated from POEditor

---

**Full Changelog**: https://github.com/ChurchCRM/CRM/compare/6.7.1...6.7.2
