#VU125715 Cross-site scripting in ChurchCRM - CVE-2026-39941

Published: April 9, 2026
Vulnerability identifier: #VU125715
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-39941
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: ChurchCRM
Software vendor: ChurchCRM

Description

The vulnerability allows a remote user to execute arbitrary JavaScript in a victim's browser.

The vulnerability exists due to improper neutralization of script-related HTML tags in EditEventAttendees.php, which renders attacker-supplied POST parameters in its HTML response without escaping them. A remote user can send specially crafted POST parameters to execute arbitrary JavaScript in a victim's browser.

The issue may be reflected or stored, depending on whether the injected value is persisted; it affects every user who views the page that renders the injected value.
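As an added illustration (not ChurchCRM's own code; the advisory does not show the affected source), the CWE-80 pattern the description names beside its fix: a POST parameter echoed into HTML unescaped, and the same rendering with htmlspecialchars() applied at the output boundary. The parameter name `Note` and the table cell markup are assumptions.

```php
<?php
// Added illustration, not ChurchCRM code. The advisory does not show the real
// EditEventAttendees.php or its parameter names; "Note" is an assumed POST
// parameter used only for this demonstration.
declare(strict_types=1);

// Escape a value for insertion into HTML text or a double-quoted attribute.
// ENT_QUOTES escapes both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would silently drop content.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// CWE-80 pattern: the POST value is concatenated straight into the response,
// so a value containing a <script> tag is parsed by the browser as markup.
function renderAttendeeNoteVulnerable(array $post): string
{
    $note = $post['Note'] ?? '';
    return '<td class="attendee-note">' . $note . '</td>';
}

// Hardened form: the same value is escaped at the output boundary, so the
// browser renders the tag as literal text and no script executes.
function renderAttendeeNoteFixed(array $post): string
{
    $note = $post['Note'] ?? '';
    return '<td class="attendee-note">' . h($note) . '</td>';
}

// Constructed sample input standing in for a crafted POST body.
$samplePost = ['Note' => 'Smith <script>notify()</script>'];

$vulnerable = renderAttendeeNoteVulnerable($samplePost);
$fixed      = renderAttendeeNoteFixed($samplePost);

// The unescaped output still carries a raw tag; the escaped one does not.
assert(str_contains($vulnerable, '<script>'));
assert(!str_contains($fixed, '<script>'));
assert(str_contains($fixed, '&lt;script&gt;'));

echo "vulnerable: $vulnerable\n";
echo "fixed:      $fixed\n";
```

The same escaping must be applied wherever the value is written out, including any stored copy rendered later, since persistence only changes whether the issue is reflected or stored, not whether it executes.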
Remediation

Install the security update from the vendor's website.

External links