CVE-2025-68401

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 6.0.0

Description The application inadequately sanitizes or encodes user-supplied HTML/JS, leading to stored cross-site scripting (XSS). This allows an attacker to execute JavaScript in the browsers of other users viewing the content. The script can access web origin data and perform actions with the victim's privileges. If session cookies are not marked as HttpOnly, the script can read cookie data, potentially enabling session theft and account takeover.

Recommendations Update to version 6.0.0 or later.