XSS in Churchcrm Crm

CVE-2026-39338

ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM dashboard. The application fails to sanitize or encode user…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.001 (17.3th percentile) — read the EPSS interpretation.