PT-2026-5408 · ChurchCRM · ChurchCRM
Sonntb21Dcat164
Published: 2026-01-30 · Updated: 2026-02-17
CVE-2026-24855
CVSS v4.0: 8.5 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 6.7.2
Description: ChurchCRM, an open-source church management system, contains a Stored Cross-Site Scripting (XSS) vulnerability in the Create Events feature of the Church Calendar. A user with limited privileges can inject malicious script into the event's Description field. The payload is saved to the database and executes in the browser of any other user, including administrators, who views the event, which can lead to account compromise.
Recommendations: Update to ChurchCRM version 6.7.2 or later.
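The fix class for a stored XSS of this kind is output encoding at the rendering boundary, plus a review of records saved before the patch. The following is an added example written for this page; it is not ChurchCRM's code, and the event rows, field names and the `render_event_html` / `audit_events` helpers are constructed for illustration only. It shows a calendar event description rendered with HTML-entity encoding beside the raw-interpolation pattern that makes stored markup executable, and an audit that flags already-stored descriptions containing active markup so they can be reviewed after upgrading.

```python
"""Added example (not ChurchCRM code): output-encode a calendar event's
Description before rendering, and audit stored descriptions for markup
that would execute if rendered unescaped.

Table layout, field names and sample rows are constructed for this
example; they are not taken from the ChurchCRM schema or the advisory.
"""
import html
import re

# Constructed sample rows standing in for stored calendar events.
SAMPLE_EVENTS = [
    {"id": 1, "title": "Sunday Service",
     "description": "Worship at 10:00 & coffee after"},
    {"id": 2, "title": "Potluck",
     "description": 'Bring a dish <script>alert("xss")</script>'},
    {"id": 3, "title": "Youth Night",
     "description": '<img src="x" onerror="alert(1)">'},
]

# Indicators of active content in a field that should hold plain text:
# active elements, inline event-handler attributes and javascript: URLs.
_ACTIVE_MARKUP = re.compile(
    r"<\s*(script|iframe|object|embed|svg|img|link|style)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)


def render_event_html(event: dict) -> str:
    """Render an event for the calendar view with every field output-encoded.

    html.escape turns <, >, &, " and ' into entities, so stored markup is
    displayed literally instead of being parsed by the browser. Encoding
    belongs at the output boundary and must match the context the value
    lands in (here: HTML element content).
    """
    return (
        '<div class="event">'
        f'<h3>{html.escape(event["title"])}</h3>'
        f'<p>{html.escape(event["description"])}</p>'
        "</div>"
    )


def render_event_html_unsafe(event: dict) -> str:
    """The vulnerable pattern for comparison: raw interpolation of stored input."""
    return (
        f'<div class="event"><h3>{event["title"]}</h3>'
        f'<p>{event["description"]}</p></div>'
    )


def contains_active_markup(text: str) -> bool:
    """True when a stored text field carries markup that could execute."""
    return _ACTIVE_MARKUP.search(text) is not None


def audit_events(events):
    """Return ids of stored events whose description carries active markup.

    The patch stops new payloads from executing, but descriptions saved
    before the upgrade remain in the database; this lists the rows an
    administrator should review or clean.
    """
    return [e["id"] for e in events if contains_active_markup(e["description"])]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(render_event_html(e))
    print("events needing review:", audit_events(SAMPLE_EVENTS))
```

The audit regex is deliberately broad (it also flags harmless `<img>` tags) because a plain-text description field has no legitimate reason to contain any markup; a human reviews the flagged rows rather than the script deleting them.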

Tags: XSS

Related Identifiers: CVE-2026-24855, GHSA-49QP-CFQX-C767
Affected Products: ChurchCRM