ChurchCRM Flaw Exposes Users to Cross-Site Scripting Attacks
CVE Notify is flagging a critical cross-site scripting (XSS) vulnerability in older versions of ChurchCRM, an open-source church management system. The flaw, identified as CVE-2026-39941, affects versions prior to 7.1.0. According to CVE Notify, attackers could exploit it by submitting specially crafted input via the ‘EName’ and ‘EDesc’ parameters of the EditEventAttendees.php file. Because the application does not HTML-encode this input before rendering it on a page, the crafted value is interpreted as markup, allowing arbitrary JavaScript execution in a victim’s browser.
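To make the failure mode concrete, the following is an added PHP illustration, not ChurchCRM's own code: the handler shape, the `h()` and `param()` helpers and the markup are assumptions. It renders the EName and EDesc parameters first without encoding and then with contextual HTML encoding, which is the class of fix an output-encoding bug like this one needs.

```php
<?php
// Added illustration of the bug class, not ChurchCRM's code.
// Handler shape, helper names and markup are assumptions.
declare(strict_types=1);

/** Encode a value for placement between tags or inside a double-quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Fetch a request parameter as a string; array-typed parameters are rejected. */
function param(array $params, string $key): string
{
    $v = $params[$key] ?? '';
    return is_string($v) ? $v : '';
}

/** Vulnerable pattern: untrusted input is concatenated straight into the page. */
function renderAttendeesUnsafe(array $params): string
{
    $name = param($params, 'EName');
    $desc = param($params, 'EDesc');
    return "<h2>$name</h2>\n<p>$desc</p>\n"
         . "<input type=\"text\" name=\"EName\" value=\"$name\">\n";
}

/** Hardened pattern: every untrusted value is encoded for its HTML context. */
function renderAttendeesSafe(array $params): string
{
    $name = h(param($params, 'EName'));
    $desc = h(param($params, 'EDesc'));
    return "<h2>$name</h2>\n<p>$desc</p>\n"
         . "<input type=\"text\" name=\"EName\" value=\"$name\">\n";
}

// Constructed sample input of the kind the advisory describes.
$constructed = [
    'EName' => '<script>alert(1)</script>',
    'EDesc' => '" onmouseover="alert(1)',
];

echo "--- unsafe ---\n", renderAttendeesUnsafe($constructed);
echo "--- safe ---\n",   renderAttendeesSafe($constructed);

// Self-check: the encoded output carries no raw tag and no attribute breakout.
$safe = renderAttendeesSafe($constructed);
assert(strpos($safe, '<script') === false);
assert(strpos($safe, '" onmouseover') === false);
```

The unsafe output shows the script tag and the attribute breakout intact, while the safe output renders them as literal text (`&lt;script&gt;` and `&quot; onmouseover`), which is the behaviour the 7.1.0 fix restores.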
What This Means For You
- Organizations running ChurchCRM should immediately update to version 7.1.0 or later to patch this XSS vulnerability. Regularly patching applications, especially those handling user input, is crucial to prevent widespread client-side attacks.
Related ATT&CK Techniques
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-39941 | XSS | ChurchCRM versions prior to 7.1.0, EditEventAttendees.php, EName and EDesc parameters, lack of output encoding leading to arbitrary JavaScript execution. |