2 matches found
CVE-2026-39333
ChurchCRM is an open-source church management system. Prior to 7.1.0, he FindFundRaiser.php endpoint reflects user-supplied input DateStart and DateEnd into HTML input field attributes without proper output encoding for the HTML attribute context. An authenticated attacker can craft a malicious U...
CVE-2026-39333
ChurchCRM before version 7.1.0 contains a reflected XSS in the FindFundRaiser.php endpoint where user-supplied DateStart/DateEnd are echoed into HTML input attributes without proper encoding. An authenticated attacker can craft a URL that, when visited by another authenticated user, executes arbi...