Security Advisory
CVE-2026-39941
CVE vulnerability detail — eXtreme Datacenter Security Operations
Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vulnerability allows attacker-supplied input sent via a the EName and EDesc parameters in EditEventAttendees.php to be rendered in a page without proper output encoding, enabling arbitrary JavaScript execution in victims browsers. This vulnerability is fixed in 7.1.0.