CVE-2026-32880

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.0.2

Description ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an administrator user to edit JSON type system settings to store a JavaScript payload that can execute when any administrator views the system settings. The JSON input is left unescaped and unsanitized in the SystemSettings.php file, leading to cross-site scripting (XSS).

Recommendations Update to version 7.0.2 or later.