PT-2026-30952 · Churchcrm · Churchcrm

Morris-Be · Published 2026-04-07 · Updated 2026-04-07 · CVE-2026-39328

CVSS v3.1: 8.9 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 7.1.0
Description: A stored cross-site scripting issue exists in ChurchCRM's person profile editing functionality. Users with the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, and X profile fields. The payload is split across these fields and chains their onfocus event handlers so that the pieces execute in sequence. When another user views the attacker's profile, that user's session cookies are sent to a remote server.
Recommendations: Update to version 7.1.0 or later.
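The root cause is that free-form text from the three social profile fields is stored and later rendered into HTML without validation or output encoding. The following is an added example (not ChurchCRM's code) of the two defensive layers a fix of this class needs: a strict allowlist on input (bare handle, or an https URL on an expected host with a plain path) and HTML escaping on output; the host lists and field names are assumptions.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist of hosts per profile field (an assumption, not ChurchCRM's config).
ALLOWED_HOSTS = {
    "facebook": {"facebook.com", "www.facebook.com"},
    "linkedin": {"linkedin.com", "www.linkedin.com"},
    "x": {"x.com", "twitter.com"},
}
HANDLE_RE = re.compile(r"^@?[A-Za-z0-9._-]{1,64}$")
PATH_RE = re.compile(r"^/[A-Za-z0-9._~/-]{0,128}$")


def validate_social_field(kind: str, value: str) -> Optional[str]:
    """Return a normalized handle or URL, or None if the value is rejected.

    Only a bare handle or an https URL on an allowlisted host with a plain path
    survives; quotes, whitespace and event-handler text never pass this layer.
    """
    value = value.strip()
    if HANDLE_RE.match(value):
        return value.lstrip("@")
    try:
        parts = urlsplit(value)
        if parts.scheme != "https" or parts.hostname is None:
            return None
        if parts.hostname.lower() not in ALLOWED_HOSTS.get(kind, set()):
            return None
        if parts.username or parts.port or parts.query or parts.fragment:
            return None
    except ValueError:  # malformed authority (e.g. a bad port) is rejected too
        return None
    if not PATH_RE.match(parts.path or "/"):
        return None
    return f"https://{parts.hostname.lower()}{parts.path}"


def render_profile_link(stored: str) -> str:
    """Second layer: escape on output, so a value that somehow reached the
    database still cannot break out of the attribute or text context."""
    safe = html.escape(stored, quote=True)
    return f'<a href="{safe}">{safe}</a>'
```

Validation rejects the attribute-breaking input outright, and escaping makes even an unvalidated stored value inert when rendered.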

Tags: Fix, XSS


Related Identifiers: CVE-2026-39328

Affected Products: Churchcrm