ChurchCRM 4.5.3 and below exists to contain a stored cross-site scripting (XSS) vulnerability at /api/public/register/family.
churchcrm churchcrm