Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vulnerability allows attacker-supplied input sent via a the EName and EDesc parameters in EditEventAttendees.php to be rendered in a page without proper output encoding, enabling arbitrary JavaScript execution in victims' browsers. This vulnerability is fixed in 7.1.0.
Published: 2026-04-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side JavaScript execution
Action: Immediate Patch
AI Analysis

Impact

An input validation flaw in ChurchCRM's EditEventAttendees.php allows attacker‑supplied values in the EName and EDesc parameters to be rendered without proper encoding. This flaw enables arbitrary JavaScript execution in the browsers of users who view the affected page, allowing a browser‑based attack that can steal session data, hijack accounts, or deliver additional malicious content. The weakness corresponds to the web cross‑site scripting categories CWE‑79 and CWE‑80.

Affected Systems

This vulnerability affects the open‑source ChurchCRM platform in all versions earlier than 7.1.0. Any installation that has not applied the 7.1.0 release, which includes proper output encoding, remains vulnerable. No other vendors or products are listed as affected, so the impact is confined to ChurchCRM users.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score below 1% suggests a low likelihood of exploitation. The CVE description does not specify whether authentication is required or whether the attack vector is remote or local; this information is missing. Based on the description, it is inferred that an attacker could provide malicious payloads in the EName and EDesc parameters that would be executed when a victim’s browser renders the page. The vulnerability is not listed in CISA's KEV catalog, indicating no publicly reported exploits at this time.

Generated by OpenCVE AI on April 14, 2026 at 15:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply ChurchCRM version 7.1.0 or newer
  • If an upgrade is not feasible, ensure that EName and EDesc input is sanitized or properly encoded before rendering to prevent reflected XSS

Generated by OpenCVE AI on April 14, 2026 at 15:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Fri, 10 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Churchcrm
Churchcrm churchcrm
Vendors & Products Churchcrm
Churchcrm churchcrm

Thu, 09 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vulnerability allows attacker-supplied input sent via a the EName and EDesc parameters in EditEventAttendees.php to be rendered in a page without proper output encoding, enabling arbitrary JavaScript execution in victims' browsers. This vulnerability is fixed in 7.1.0.
Title ChurchCRM has an XSS vulnerability
Weaknesses CWE-79
CWE-80
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Churchcrm Churchcrm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-10T14:05:39.204Z

Reserved: 2026-04-07T22:40:33.820Z

Link: CVE-2026-39941

cve-icon Vulnrichment

Updated: 2026-04-10T14:05:27.294Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T16:16:31.397

Modified: 2026-04-14T14:44:01.270

Link: CVE-2026-39941

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:36:55Z

Weaknesses