Lucene search
+L

5 matches found

CVE
CVE
added 2026/04/07 5:40 p.m.12 views

CVE-2026-39336

ChurchCRM prior to 7.1.0 is affected by a stored XSS in HTML attributes driven by unescaped config values, impacting Directory Reports fields, Person editor defaults, and external self-registration defaults. Root cause is abuse of writable configuration fields in an admin-to-admin path. The issue...

6.1CVSS5.8AI score0.00207EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/04/07 5:40 p.m.5 views

CVE-2026-39336 ChurchCRM has Stored XSS from unescaped config values in HTML attributes

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered into address fields, and external self-registration form defaults. This is primarily an admin-to-adm...

6.1CVSS5.8AI score0.00207EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/07 5:40 p.m.20 views

CVE-2026-39336 ChurchCRM has Stored XSS from unescaped config values in HTML attributes

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered into address fields, and external self-registration form defaults. This is primarily an admin-to-adm...

6.1CVSS0.00207EPSS
Exploits0References1
NVD
NVD
added 2026/04/06 3:17 p.m.13 views

CVE-2026-33406

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js,...

6.1CVSS0.00254EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/04/06 12:0 a.m.10 views

PT-2026-30628

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js,...

5.4CVSS6AI score0.00254EPSS
Exploits1References2
Rows per page
Query Builder