PT-2026-30959 · Churchcrm · Churchcrm
Morris-Be
·
Published
2026-04-07
·
Updated
2026-04-07
·
CVE-2026-39336
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
ChurchCRM versions prior to 7.1.0
Description
A stored cross-site scripting issue affects the Directory Reports form fields set from configuration, Person editor defaults rendered into address fields, and external self-registration form defaults. This is primarily an admin-to-admin stored XSS path where writable configuration fields are abused.
Recommendations
Update to version 7.1.0 or later.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Churchcrm