CVE-2026-39333

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0

Description ChurchCRM is an open-source church management system. The FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd) into HTML input field attributes without proper output encoding. An authenticated attacker can craft a malicious URL that executes arbitrary JavaScript when visited by another authenticated user, resulting in a reflected Cross-Site Scripting (XSS) issue.

Recommendations Update to version 7.1.0.