Platform: php
Component: churchcrm
Fixed in: 7.1.1
CVE-2026-39333 is a reflected cross-site scripting (XSS) vulnerability in ChurchCRM. An authenticated attacker can inject JavaScript into HTML attributes rendered by the FindFundRaiser.php endpoint, via the DateStart and DateEnd parameters. Versions 0.0.0 through 7.0 are affected; version 7.1.0 resolves the issue by correctly output-encoding those values.
Successful exploitation executes attacker-controlled JavaScript in the browser of another authenticated user, in the context of that user's ChurchCRM session. Possible consequences include session hijacking, defacement of the ChurchCRM interface, and theft of data the victim can access, such as credentials entered into the page or fund-raiser financial records. The attacker must be authenticated to ChurchCRM, and the victim must open the crafted link while logged in; this narrows the scope but still poses a significant risk to administrative and other privileged users.
The vulnerability was publicly disclosed on 2026-04-07. No public proof-of-concept (PoC) had been identified at the time of writing, but reflected XSS is simple to reproduce once the injection point is known, so a PoC is likely to appear. The authentication requirement reduces the likelihood of widespread exploitation, but it remains a concern for any organization running ChurchCRM.
Organizations and individuals running ChurchCRM 0.0.0 through 7.0 are at risk, particularly those with limited security expertise or without a regular update routine. On shared hosting, note that the injected script runs under the origin (scheme, host and port) of the vulnerable instance; other ChurchCRM instances on the same server are only exposed if they share that origin or if the host itself is compromised through a separate weakness.
• php: Examine ChurchCRM application logs for unusual activity on the FindFundRaiser.php endpoint, specifically requests whose DateStart or DateEnd parameters contain anything other than a plain date (quotes, angle brackets, percent-encoded equivalents such as %22 and %3C, or the strings "on...=" and "script").
• generic web: Use curl to test the FindFundRaiser.php endpoint with test payloads in the DateStart and DateEnd parameters and check whether the value is reflected unencoded in the response. Because the endpoint requires a login, send a valid session cookie (the cookie name is ChurchCRM's own; "session=..." below is a placeholder). Since the reflection is inside an HTML attribute, a payload that closes the attribute with a double quote is the relevant test in addition to the plain script tag:
curl -b 'session=...' 'http://churchcrm/FindFundRaiser.php?DateStart=<script>alert("XSS")</script>&DateEnd=2024-12-31'
curl -b 'session=...' 'http://churchcrm/FindFundRaiser.php?DateStart=2024-01-01%22%20onmouseover%3Dalert(1)%20x%3D%22&DateEnd=2024-12-31'
If the response contains the quote or angle brackets verbatim rather than as &quot; / &lt; / &gt;, the instance is vulnerable.
• generic web: Review web-server access logs for requests to FindFundRaiser.php containing unusual characters or patterns in the DateStart and DateEnd parameters. Look for patterns indicative of XSS attempts, bearing in mind that values will usually be percent-encoded in the log.
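The log-review checks above can be automated. The following script is an added example and is not ChurchCRM code; it reads access-log lines in the common Apache/nginx format, decodes the query string of every FindFundRaiser.php request and reports any DateStart or DateEnd value that is not a plain YYYY-MM-DD date. The log lines embedded in it are constructed for the demonstration.

```php
<?php
// Added example, not ChurchCRM's own code: flag FindFundRaiser.php requests whose
// DateStart / DateEnd parameters are anything other than a plain YYYY-MM-DD date.
// The access-log lines below are constructed sample data in common log format.

declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - alice [07/Apr/2026:10:01:12 +0000] "GET /FindFundRaiser.php?DateStart=2026-01-01&DateEnd=2026-03-31 HTTP/1.1" 200 5120
10.0.0.9 - bob [07/Apr/2026:10:02:40 +0000] "GET /FindFundRaiser.php?DateStart=2026-01-01%22%20onmouseover%3Dalert(1)%20x%3D%22&DateEnd=2026-03-31 HTTP/1.1" 200 5230
10.0.0.9 - bob [07/Apr/2026:10:03:02 +0000] "GET /churchcrm/FindFundRaiser.php?DateStart=%3Cscript%3Ealert(1)%3C/script%3E&DateEnd=2026-03-31 HTTP/1.1" 200 5230
10.0.0.7 - carol [07/Apr/2026:10:04:15 +0000] "GET /index.php HTTP/1.1" 200 1024
LOG;

/**
 * Return suspicious requests found in $log as a list of
 * ['line' => int, 'client' => string, 'param' => string, 'value' => string].
 */
function findSuspiciousFundRaiserRequests(string $log): array
{
    $hits = [];
    foreach (explode("\n", $log) as $i => $line) {
        // Pull the request target out of the quoted "METHOD /path?query HTTP/x" field.
        // The path may live under a sub-directory, so match FindFundRaiser.php anywhere in it.
        if (!preg_match('#^(\S+) .*"[A-Z]+ (/[^ "]*FindFundRaiser\.php\?[^ "]*) HTTP/#', $line, $m)) {
            continue;
        }
        $client = $m[1];
        $query  = parse_url($m[2], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params); // parse_str also percent-decodes the values
        foreach (['DateStart', 'DateEnd'] as $p) {
            if (!isset($params[$p]) || !is_string($params[$p])) {
                continue;
            }
            // An empty value is a normal "no filter"; anything else must be an ISO date.
            if ($params[$p] !== '' && !preg_match('/^\d{4}-\d{2}-\d{2}$/', $params[$p])) {
                $hits[] = ['line' => $i + 1, 'client' => $client, 'param' => $p, 'value' => $params[$p]];
            }
        }
    }
    return $hits;
}

foreach (findSuspiciousFundRaiserRequests(SAMPLE_LOG) as $hit) {
    printf("line %d from %s: %s=%s\n", $hit['line'], $hit['client'], $hit['param'], $hit['value']);
}
```

Run against a real log, replace SAMPLE_LOG with the file contents (file_get_contents on the access log) and remember that the report only shows the decoded parameter; the raw line should be kept for the incident record. Positive hits from an address that also appears in successful logins to ChurchCRM are the ones worth following up, since the endpoint is only useful to an authenticated attacker.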
Exploit status
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2026-39333 is to upgrade ChurchCRM to version 7.1.0 or later, which contains the fix. If an immediate upgrade is not possible, validate the DateStart and DateEnd parameters in FindFundRaiser.php as dates and encode them for the HTML attribute context before output (in PHP, htmlspecialchars with ENT_QUOTES, so that double and single quotes are encoded and cannot close the attribute). A Web Application Firewall (WAF) tuned to block XSS payloads aimed at HTML attributes adds a temporary layer of protection, but it is a filter on known patterns rather than a fix and should not replace the upgrade. Also review ChurchCRM's configuration for permissions granted to users that are not needed, since the attacker must hold an account.
Upgrade ChurchCRM to version 7.1.0 or later to mitigate the XSS vulnerability. That version fixes the output-encoding problem in the DateStart and DateEnd parameters of the FindFundRaiser.php endpoint, preventing the execution of malicious JavaScript.
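To make the output-encoding fix discussed in the two preceding paragraphs concrete, here is an added example that is not ChurchCRM's own code: a reflected-into-attribute pattern of the kind the advisory describes, alongside a hardened form that validates the date and encodes it for the attribute context. The form markup and the parameter name are assumptions for illustration; the vulnerable function deliberately reproduces the bug.

```php
<?php
// Added example, not ChurchCRM's own code. The <input> markup and the
// 'DateStart' parameter are assumed for illustration.

declare(strict_types=1);

// Vulnerable pattern: the raw parameter lands inside a double-quoted attribute, so a
// value containing a double quote closes the attribute and the remainder is parsed
// as new attributes, including event handlers such as onfocus.
function renderDateFieldVulnerable(string $dateStart): string
{
    return '<input type="text" name="DateStart" value="' . $dateStart . '">';
}

// Hardened, step 1: encode for the HTML attribute context. ENT_QUOTES makes both
// quote characters safe; ENT_SUBSTITUTE avoids returning an empty string on invalid
// UTF-8; the charset argument must match the page's encoding.
function encodeAttr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened, step 2: a date parameter is validated as well, so the page only ever
// reflects a canonical YYYY-MM-DD value or nothing at all. createFromFormat rejects
// trailing data, and the round-trip check rejects out-of-range dates like 2026-02-31.
function normalizeDate(string $s): string
{
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $s);
    return ($d !== false && $d->format('Y-m-d') === $s) ? $s : '';
}

function renderDateFieldHardened(string $dateStart): string
{
    return '<input type="text" name="DateStart" value="' . encodeAttr(normalizeDate($dateStart)) . '">';
}

// Constructed attacker value: closes the value attribute and adds an event handler.
$payload = '2026-01-01" onfocus="alert(document.cookie)" autofocus="';

echo "vulnerable: ", renderDateFieldVulnerable($payload), "\n";
echo "hardened:   ", renderDateFieldHardened($payload), "\n";
echo "hardened:   ", renderDateFieldHardened('2026-01-01'), "\n";
echo "encoded only (no validation): ", encodeAttr($payload), "\n";
```

The last line shows that encoding alone already neutralises the payload, because every double quote becomes &quot; and the browser never leaves the attribute; validation is the second layer, and it also cleans up garbage input that would otherwise be echoed back. Encoding is context-specific: the same htmlspecialchars call is correct for attribute and text content, but a value placed inside a script block or a URL needs a different encoder.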
CVE-2026-39333 is a reflected XSS vulnerability in ChurchCRM versions 0.0.0 through 7.0, allowing attackers to inject JavaScript via the DateStart and DateEnd parameters in FindFundRaiser.php.
You are affected if you are using ChurchCRM versions 0.0.0 through 7.0. Upgrade to version 7.1.0 or later to mitigate the risk.
Upgrade ChurchCRM to version 7.1.0 or later. As a temporary workaround, implement a WAF rule to filter suspicious requests to FindFundRaiser.php.
No active exploitation has been confirmed so far, but reflected XSS is straightforward to exploit once the injection point is known, so prompt remediation is warranted.
Refer to the ChurchCRM website and security advisories for the latest information and updates regarding CVE-2026-39333.