A vulnerability classified as problematic has been found in ChurchCRM up to 7.0.x . Affected is an unknown function of the component Directory Reports Form . Performing a manipulation results in cross site scripting. This vulnerability was named CVE-2026-39336 . The attack may be initiated remotely. There is no available exploit. It is recommended to upgrade the affected component.