CVE Alert

CVE-2026-39941

UNKNOWN 0.0

ChurchCRM has an XSS vulnerability

CVSS Score
0.0
EPSS Score
0.1%
EPSS Percentile
21st

ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vulnerability allows attacker-supplied input sent via the EName and EDesc parameters in EditEventAttendees.php to be rendered in a page without proper output encoding, enabling arbitrary JavaScript execution in victims' browsers. This vulnerability is fixed in 7.1.0.

CWE CWE-79 CWE-80
Vendor churchcrm
Product crm
Published Apr 9, 2026
Last Updated Apr 10, 2026

Affected Versions

ChurchCRM / CRM
< 7.1.0

References

github.com: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-4mqw-9jww-2c58
github.com: https://github.com/ChurchCRM/CRM/commit/d2f7f36e2ea342419026ddc4bc4ea8efbf5e7e98
github.com: https://github.com/ChurchCRM/CRM/releases/tag/7.1.0