PT-2026-30961 · ChurchCRM

Reported by: Hackinkraken
Published: 2026-04-07
Updated: 2026-04-07
CVE: CVE-2026-39338
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected software and versions: ChurchCRM versions prior to 7.1.0

Description: ChurchCRM, an open-source church management system, has a blind reflected cross-site scripting (XSS) vulnerability in the search parameter of the dashboard. The application neither validates nor output-encodes the value of this parameter before it is rendered into the page, so attacker-controlled markup reaches the browser's Document Object Model (DOM). The payload causes the backend API request to fail and the application responds with HTTP 500, but the status code does not protect the user: the browser parses the error response body as HTML regardless of the status, and the browser's JavaScript engine parses and executes the injected

Recommendations: Update to version 7.1.0 or later.

Tags: Fix, XSS

Weakness Enumeration

Related Identifiers: CVE-2026-39338

Affected Products: ChurchCRM