anonhaven
Ad

CVE-2026-39336

MEDIUM CVSS 3.1: 6.1 EPSS 0.03%
Updated Apr 10, 2026
Churchcrm
Parameter Value
CVSS 6.1 (MEDIUM)
Affected Versions before 7.1.0
Fixed In 7.1.0
Type CWE-79 (Cross-Site Scripting (XSS))
Vendor Churchcrm
Public PoC No

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered into address fields, and external self-registration form defaults. This is primarily an admin-to-admin stored XSS path where writable configuration fields are abused.

This vulnerability is fixed in 7.1.0.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
High
Admin privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Churchcrm Churchcrm
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*
 7.1.0

References 1

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-r8cp-gg58-2r2r
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-39344

Churchcrm

8.1

CVE-2026-39335

Churchcrm

6.1

CVE-2026-39331

Churchcrm

8.1

CVE-2026-35575

Churchcrm

8.0

CVE-2026-35572

Churchcrm

7.0