PT-2026-30956 · ChurchCRM

M4Nu02 · Published 2026-04-07 · Updated 2026-04-07

CVE-2026-39332

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 7.1.0

Description: ChurchCRM, an open-source church management system, contains a reflected Cross-Site Scripting (XSS) vulnerability in the GeoPage.php file. An authenticated user can inject arbitrary JavaScript that executes in the browser of another authenticated user. Because the injected element uses autofocus, the payload runs as soon as the page renders; the victim only has to be tricked into submitting a crafted form, after which no further interaction is required. This allows an attacker to steal session cookies and potentially take over user accounts, including administrator accounts.

Recommendations: Update to version 7.1.0 or later.
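The root cause described above is a value reflected into HTML without encoding for its context. The following added example (not ChurchCRM code) contrasts a vulnerable attribute-interpolation pattern with the hardened form that a 7.1.0-style fix would apply; the parameter name "address" and the form markup are hypothetical, since the advisory does not name the affected GeoPage.php parameter, and the input string is constructed for the demonstration.

```php
<?php
// Added example, not ChurchCRM code: why a reflected value must be
// HTML-encoded before it is placed inside an attribute.
// The "address" parameter and the markup are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: raw request value interpolated into an attribute.
// A double quote in the value closes the attribute early and anything
// after it is parsed as new attributes, which is the attribute-injection
// shape the advisory describes (an autofocus element fires on page load).
function renderAddressInputUnsafe(string $value): string
{
    return '<input type="text" name="address" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML attribute context.
// ENT_QUOTES converts both quote styles so the attribute cannot be closed
// early; < and > are converted too, so no tag can be opened from inside it.
// ENT_SUBSTITUTE keeps invalid UTF-8 from truncating the output silently.
function renderAddressInputSafe(string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="address" value="' . $encoded . '">';
}

// Structural check suitable for a unit test: a well-formed <input> with the
// three intended attributes contains exactly six double quotes and no
// event-handler attribute (on...=). Extra quotes mean the value broke out.
function hasOnlyExpectedAttributes(string $html): bool
{
    return substr_count($html, '"') === 6
        && preg_match('/\son\w+\s*=/i', $html) !== 1;
}

// Constructed input: a street name carrying a quote and markup characters.
// It is not an exploit string, just enough to break out of the attribute
// in the unsafe renderer.
$input = 'Main St" title="x" <b>';

$unsafe = renderAddressInputUnsafe($input);
$safe   = renderAddressInputSafe($input);

echo $unsafe, PHP_EOL;   // attribute closed early, extra attributes injected
echo $safe,   PHP_EOL;   // quotes and brackets rendered as &quot; &lt; &gt;

$ok = !hasOnlyExpectedAttributes($unsafe) && hasOnlyExpectedAttributes($safe);
echo $ok ? 'encoding neutralised the attribute breakout' : 'check failed', PHP_EOL;
```

The encoding call must match the output context: htmlspecialchars with ENT_QUOTES is correct for text nodes and quoted attributes, but a value placed inside a JavaScript block or a URL needs JSON or URL encoding respectively. A Content-Security-Policy without 'unsafe-inline' is a useful second layer, since it stops an injected inline handler from running even if one encoding site is missed, but it does not replace output encoding.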

Fix
XSS

Weakness Enumeration

Related Identifiers: CVE-2026-39332

Affected Products: ChurchCRM