# 🛡️ ChurchCRM 6.8.1 — Precision & Reliability for 2026

> *Timezone accuracy, safer upgrades, and a security fix.*

Released: February 2026

---

## ⚠️ Security Fix

- **Stored XSS in group role renaming** (GHSA-3wp4-vpr7-47q6) — a stored cross-site scripting vulnerability in the group role rename flow allowed injected scripts to execute in administrator sessions. Fixed with proper output escaping.

---

## 🕒 Timezone-Aware Date Operations

Calendar and date handling has been strengthened throughout the application:

- **All date operations** now respect your configured server timezone — events and calendar entries no longer shift unexpectedly for administrators in different time zones
- **Calendar API** validates dates strictly, rejecting malformed date inputs that previously caused silent failures
- **Timezone debug page** now shows both server time and browser time side by side, making it easy to spot mismatches
- **Public calendar API** (issue #7954) — date validation and timezone handling added; the API now rejects invalid date ranges with a clear error instead of returning empty results
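
The strict date and range validation described in the list above, sketched as an added example (not ChurchCRM's own code): the function names `parseStrictDate` and `parseDateRange` are hypothetical, and `America/Chicago` is a constructed stand-in for the configured server timezone.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: parse YYYY-MM-DD strictly in the given timezone.
function parseStrictDate(string $raw, DateTimeZone $tz): DateTimeImmutable
{
    // '!' resets unparsed fields, so the result is midnight in $tz.
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d', $raw, $tz);
    // createFromFormat() rolls overflow forward (2026-02-30 becomes 2026-03-02)
    // instead of failing, so compare the round-tripped value with the input.
    if ($dt === false || $dt->format('Y-m-d') !== $raw) {
        throw new InvalidArgumentException('Invalid date: expected YYYY-MM-DD');
    }
    return $dt;
}

// Hypothetical helper: validate a start/end pair and return a half-open range.
function parseDateRange(string $start, string $end, string $tzName): array
{
    $tz = new DateTimeZone($tzName);
    $from = parseStrictDate($start, $tz);
    $to = parseStrictDate($end, $tz);
    if ($to < $from) {
        throw new InvalidArgumentException('Invalid range: end is before start');
    }
    // [from, to + 1 day) covers the whole end day in the server timezone.
    return [$from, $to->modify('+1 day')];
}

// Constructed sample inputs, not taken from the project.
$samples = [
    ['2026-02-01', '2026-02-28'],  // valid
    ['2026-02-30', '2026-03-01'],  // overflow date
    ['2026-03-10', '2026-03-01'],  // end before start
    ['02/01/2026', '2026-02-28'],  // wrong format
];
foreach ($samples as [$s, $e]) {
    try {
        [$from, $to] = parseDateRange($s, $e, 'America/Chicago');
        echo "OK  $s..$e => ", $from->format(DATE_ATOM), ' to ', $to->format(DATE_ATOM), "\n";
    } catch (InvalidArgumentException $ex) {
        // An API handler would map this to an explicit client error response.
        echo "ERR $s..$e => ", $ex->getMessage(), "\n";
    }
}
```

The error messages deliberately omit the raw input, so a rejected value is never reflected back to the caller.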

---

## 🔒 Safer Upgrades

- **Pre-flight validation** added to the upgrade process — ChurchCRM now checks that the download completed successfully before attempting to apply it, with clear error messages if something went wrong
- **Release download retry logic** (issue #7970) — if a release download is interrupted, the system retries automatically before reporting failure

---

## 🐛 Bug Fixes

- **Custom integer fields** (issue #7956) — PHP 8 compatibility fixed for custom fields configured as integers; values were not saving correctly in some configurations
- **Subdirectory compatibility** improved for parallel test environments and `AuthMiddleware`

---

## 🌍 Localization

- Multiple locale updates from POEditor
- Base term updates for locale variants

---

## ⚙️ Dependencies

- **pdfmake** upgraded from 0.3.1 to 0.3.3

---

**Full Changelog**: https://github.com/ChurchCRM/CRM/compare/6.8.0...6.8.1
