Cross-site scripting in ChurchCRM - CVE-2026-39941

Published: April 9, 2026

Vulnerability identifier: #VU125715
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-39941
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ChurchCRM
Affected software: ChurchCRM

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in a victim's browser.

The vulnerability exists due to improper neutralization of script-related HTML tags (CWE-80) in the POST parameter handling of EditEventAttendees.php: attacker-supplied POST parameters are rendered into an HTML response without being neutralized. A remote user can send specially crafted POST parameters to execute arbitrary JavaScript in a victim's browser.

The issue may be reflected or stored depending on whether the injected value is persisted, and it affects users who view the page rendering the injected value.
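As an added illustration (not ChurchCRM's code), the PHP pattern behind CWE-80 in POST-parameter rendering, beside its hardened form; the parameter name `EventName`, the markup and the sample input are assumed, not taken from the advisory:

```php
<?php
// Illustration of CWE-80 in POST-parameter rendering. This is NOT ChurchCRM's
// code: the parameter name "EventName" and the markup are assumed for the example.

// Vulnerable pattern: the POST value is interpolated into the HTML response as-is,
// so a value containing <script> is parsed by the browser as markup, not text.
function renderVulnerable(array $post): string
{
    $name = $post['EventName'] ?? '';
    return "<h2>Attendees for {$name}</h2>\n"
         . "<input name=\"EventName\" value=\"{$name}\">";
}

// Output encoder for HTML body and double-quoted attribute contexts.
// ENT_QUOTES also encodes quotes so a value cannot break out of an attribute;
// other contexts (inline JS, URLs, CSS) need their own encoders, not this one.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: encode at the point of output. This applies whether the value
// comes straight from the request (reflected) or was persisted earlier (stored).
function renderHardened(array $post): string
{
    $raw  = $post['EventName'] ?? '';
    $name = is_string($raw) ? $raw : '';   // PHP may deliver arrays for a[] params
    return "<h2>Attendees for " . h($name) . "</h2>\n"
         . "<input name=\"EventName\" value=\"" . h($name) . "\">";
}

// Constructed sample standing in for an attacker-supplied POST body.
$post = ['EventName' => '"><script>alert(1)</script>'];

$vuln = renderVulnerable($post);
$safe = renderHardened($post);

// Regression check a test suite could keep: the tag must not survive encoding.
assert(strpos($vuln, '<script>') !== false);   // vulnerable output keeps the tag
assert(strpos($safe, '<script>') === false);   // hardened output renders it as text
echo $safe, PHP_EOL;  // &quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt; appears inert
```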

How to mitigate CVE-2026-39941

Install the security update from the vendor's website.

Sources