anonhaven
Ad

CVE-2026-39333

HIGH CVSS 3.1: 8.7 EPSS 0.03%
Updated Apr 10, 2026
Churchcrm
Parameter Value
CVSS 8.7 (HIGH)
Affected Versions before 7.1.0
Fixed In 7.1.0
Type CWE-79 (Cross-Site Scripting (XSS))
Vendor Churchcrm
Public PoC No

ChurchCRM is an open-source church management system. Prior to 7.1.0, he FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd) into HTML input field attributes without proper output encoding for the HTML attribute context. An authenticated attacker can craft a malicious URL that executes arbitrary JavaScript when visited by another authenticated user.

This constitutes a reflected XSS vulnerability. This vulnerability is fixed in 7.1.0.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Churchcrm Churchcrm
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*
 7.1.0

References 1

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-fqq6-qrcf-h7h5
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-39344

Churchcrm

8.1

CVE-2026-39343

Churchcrm

7.2

CVE-2026-39342

Churchcrm

9.4

CVE-2026-39340

Churchcrm

8.1

CVE-2026-39339

Churchcrm

9.1