Released May 15, 2019
- CIVI-SA-2019-09: XXE in PHPWord
- CIVI-SA-2019-10: TCPDF XSS and RCE vulnerabilities
- CIVI-SA-2019-11: jQuery Object.prototype pollution
- CIVI-SA-2019-12: SQLI in "Country", et al
- CIVI-SA-2019-13: Harden against unserialize vulnerabilities
- CIVI-SA-2019-14: SQLI in APIv3 GetOptions
- CIVI-SA-2019-15: XSS via forged MIME type
- CIVI-SA-2019-16: SQLI in certain checkboxes
- CIVI-SA-2019-17: SQLI in "Manage Events"
- CIVI-SA-2019-18: XSS in CiviCRM installer
- CIVIEXT-SA-2019-01: Multiple security issues in APIv4