CVE-2026-39941 MEDIUM

CVE-2026-39941: ChurchCRM has an XSS vulnerability

Vendor Churchcrm
Product CRM
Weakness CWE-79 · XSS
Published April 9, 2026
Last update April 10, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Passive (UI:P in the vector below)
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vulnerability allows attacker-supplied input sent via the EName and EDesc parameters in EditEventAttendees.php to be rendered in a page without proper output encoding, enabling arbitrary JavaScript execution in victims' browsers. This vulnerability is fixed in 7.1.0.
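The bug class named above is reflected input echoed into HTML without output encoding. The following is an added illustration, not ChurchCRM's code and not the actual EditEventAttendees.php: a hypothetical handler that reads parameters named EName and EDesc, shown first in the vulnerable form and then with output encoding applied at the HTML boundary, which is the fix pattern a review would ask for.

```php
<?php
// Added illustration of the bug class (hypothetical handler, not ChurchCRM code).
declare(strict_types=1);

// Vulnerable pattern: request values are concatenated straight into markup,
// so any HTML or script in EName/EDesc is interpreted by the victim's browser.
function renderEventHeaderVulnerable(array $request): string
{
    $name = $request['EName'] ?? '';
    $desc = $request['EDesc'] ?? '';
    return '<h2>' . $name . '</h2><p>' . $desc . '</p>';
}

// Hardened pattern: encode every untrusted value at the point it enters HTML.
function esc(string $value): string
{
    // ENT_QUOTES encodes both quote styles, so the result is also safe inside
    // attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string, which would silently drop content.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderEventHeaderSafe(array $request): string
{
    $name = $request['EName'] ?? '';
    $desc = $request['EDesc'] ?? '';
    return '<h2>' . esc($name) . '</h2><p>' . esc($desc) . '</p>';
}

// Regression check a project could keep: the encoded output must not contain
// raw markup characters taken from the input.
function outputIsEncoded(string $html, string $untrustedInput): bool
{
    foreach (['<', '>', '"', "'"] as $ch) {
        if (str_contains($untrustedInput, $ch) && str_contains($html, $ch . 'b>')) {
            return false;
        }
    }
    return !str_contains($html, '<b>');
}

// Constructed sample input containing markup characters (no payload needed to
// show the difference; any angle bracket or quote is enough).
$sample = [
    'EName' => 'Sunday <b>service</b>',
    'EDesc' => 'Bring a "friend" & enjoy',
];

echo renderEventHeaderVulnerable($sample), PHP_EOL;
echo renderEventHeaderSafe($sample), PHP_EOL;

var_dump(outputIsEncoded(renderEventHeaderVulnerable($sample), $sample['EName'])); // false
var_dump(outputIsEncoded(renderEventHeaderSafe($sample), $sample['EName']));       // true
```

The defensive rule the example encodes is that escaping belongs at output, chosen for the context (HTML body here; attributes, JavaScript and URLs each need their own encoder), rather than at input where the eventual context is unknown. A template engine with auto-escaping enabled, plus a Content-Security-Policy that disallows inline script, reduces the impact if an echo like the vulnerable one is missed in review.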

Key dates

Disclosure timeline

April 9, 2026 CVE published
April 10, 2026 Record updated