As much as we hate to spring another upgrade on you all so soon after the release of vBulletin 3.6.6, an XSS flaw was identified today and in order to maintain our commitment to fix security problems as soon as we become aware of them, we have to release 3.6.7 and a patch for older versions.

All versions of vBulletin 3.6 prior to 3.6.7 are vulnerable to the XSS. vBulletin 3.5.x and 3.0.x are not affected.

To minimize the pain of another upgrade, there are no changed templates since 3.6.6 and no database schema changes, so the upgrade should be as simple and quick as possible.

Since we have fixed several bugs since vBulletin 3.6.6 was released, these fixes are also incorporated in this version and include amongst others:

* RTL support for date picker popup
* Fixed HTML for archive forum lists
* MySQL error while merging users fixed
* Smilie parsing error fixed
* PHP 5.0.5 errors fixed
* Hard-coded image paths fixed

A complete list of bugs fixed in the 3.6 branch is available in the project manager.

Please accept our apologies for bringing out a new version just days after the previous release. We're sorry.