CVE-2026-39333
ChurchCRM before version 7.1.0 contains a reflected XSS in the FindFundRaiser.php endpoint where user-supplied DateStart/DateEnd are echoed into HTML input attributes without proper encoding. An authenticated attacker can craft a URL that, when visited by another authenticated user, executes arbi...
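
An added example, not ChurchCRM's code or its 7.1.0 fix: one way to handle date parameters such as DateStart/DateEnd before placing them in an input's value attribute, combining strict validation with attribute-context encoding. The helper names (cleanDateParam, attr, renderDateInput), the YYYY-MM-DD format and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// The pattern the advisory describes is a request value written straight
// into value="..." with no encoding. The helpers below are hypothetical.

// Accept only a real calendar date in YYYY-MM-DD form (assumed format);
// anything else becomes an empty string.
function cleanDateParam(?string $raw): string
{
    if ($raw === null) {
        return '';
    }
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    // createFromFormat fails on trailing data; the round-trip comparison
    // also rejects overflowed dates (2026-02-31) and unpadded fields.
    return ($d !== false && $d->format('Y-m-d') === $raw) ? $raw : '';
}

// Encode for an HTML attribute context. ENT_QUOTES covers both quote
// styles, so the value cannot terminate the attribute it sits in.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validation and encoding are applied together: validation narrows the
// input to a date, encoding still holds if validation is ever loosened.
function renderDateInput(string $name, ?string $raw): string
{
    return sprintf(
        '<input type="text" name="%s" value="%s">',
        attr($name),
        attr(cleanDateParam($raw))
    );
}

// Constructed inputs standing in for $_GET['DateStart'].
$samples = ['2026-01-15', '2026-02-31', '2026-01-15"><b>'];
foreach ($samples as $s) {
    // Second line shows encoding alone: the markup stays inside the value.
    echo renderDateInput('DateStart', $s), PHP_EOL;
    echo '  encoded only: value="', attr($s), '"', PHP_EOL;
}
```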