CVE-2026-39941

ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vulnerability allows attacker-supplied input sent via a the EName and EDesc parameters in EditEventAttendees.php to be rendered in a page without proper output encoding, enabling arbitrary JavaScript execution in victims...

EUVD-2026-20948

ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vulnerability allows attacker-supplied input sent via a the EName and EDesc parameters in EditEventAttendees.php to be rendered in a page without proper output encoding, enabling arbitrary JavaScript execution in victims...

CVE-2026-39941

ChurchCRM (open-source church management system) has a stored XSS vulnerability up to version 7.0.x, where attacker-supplied input in EditEventAttendees.php (EName and EDesc) is rendered without proper output encoding, allowing arbitrary JavaScript execution in victims’ browsers. The issue is fix...

CVE-2026-39941 ChurchCRM has an XSS vulnerability

ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vulnerability allows attacker-supplied input sent via a the EName and EDesc parameters in EditEventAttendees.php to be rendered in a page without proper output encoding, enabling arbitrary JavaScript execution in victims...

CVE-2026-39941

ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vulnerability allows attacker-supplied input sent via a the EName and EDesc parameters in EditEventAttendees.php to be rendered in a page without proper output encoding, enabling arbitrary JavaScript execution in victims...

ChurchCRM 安全漏洞

ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 7.1.0 contained security vulnerabilities. These vulnerabilities stemmed from improper encoding of the EName and EDesc parameters in the EditEventAttendees.php file, which could lead to cross-site scripti...

CVE-2025-68112 ChurchCRM has SQL injection in EditEventAttendees.php

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potentia...

CVE-2025-68112 ChurchCRM has SQL injection in EditEventAttendees.php

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potentia...

CVE-2025-68112

ChurchCRM (open-source church management system) has a SQL injection vulnerability in the Event Attendee Editor (and Event Participant Editor) affecting versions prior to 6.5.3. The issue allows authenticated users to submit arbitrary SQL, enabling complete database compromise, extraction of sens...

WordPress EventPrime plugin <= 4.0.7.3 - Missing Authorization to Authenticated (Subscriber+) Event Attendees Export vulnerability

Missing Authorization to Authenticated Subscriber+ Event Attendees Export vulnerability discovered by Tim Coen in WordPress Plugin EventPrime versions = 4.0.7.3...

PT-2025-7493 · Churchcrm · Churchcrm

Name of the Vulnerable Software and Affected Versions: ChurchCRM versions 5.13.0 and prior Description: A boolean-based blind SQL Injection vulnerability exists in the EditEventAttendees functionality, allowing an attacker to execute arbitrary SQL queries. The EID parameter is directly concatenat...

PT-2025-7485 · Churchcrm · Churchcrm

Name of the Vulnerable Software and Affected Versions: ChurchCRM version 5.13.0 Description: A vulnerability exists in ChurchCRM that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting XSS in the EditEventAttendees.php page. This requires...

CVE-2005-4189

Multiple cross-site scripting XSS vulnerabilities in Horde Kronolith H3 before 2.0.6 allow remote authenticated users to inject arbitrary web script or HTML via 1 the Calendar name field when creating calendars, 2 event title field when deleting events, the 3 Category and 4 Location search fields...