Platform: php
Component: churchcrm
Fixed in: 7.1.1
CVE-2026-39332 describes a reflected Cross-Site Scripting (XSS) vulnerability discovered in ChurchCRM. This flaw allows authenticated users to inject malicious JavaScript code into the browsers of other authenticated users. Successful exploitation can lead to session cookie theft and complete account takeover, even for administrator accounts, making it a critical security concern. The vulnerability impacts versions 0.0.0 through 7.0.x and is resolved in version 7.1.0.
The impact of this XSS vulnerability is significant due to its ease of exploitation and potential for complete account compromise. An attacker can craft a malicious form submission that, when submitted by a victim, automatically executes the injected JavaScript. This automatic execution, facilitated by the autofocus attribute, bypasses typical user interaction requirements, making it highly effective. The stolen session cookies can then be used to impersonate the victim, granting the attacker full access to their ChurchCRM account. This includes the ability to modify church data, manage members, and potentially access sensitive financial information. Given ChurchCRM's role in managing church operations, this vulnerability poses a serious risk to data integrity and confidentiality.
This vulnerability was publicly disclosed on 2026-04-07. While no active exploitation campaigns have been publicly reported, the ease of exploitation and potential impact make it a likely target. There are currently no known public proof-of-concept exploits, but the vulnerability's simplicity suggests that one could be developed relatively easily. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-39332 is to immediately upgrade ChurchCRM to version 7.1.0 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing temporary workarounds. Input validation and output encoding on the GeoPage.php page can help prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting the GeoPage.php endpoint can provide an additional layer of protection. Monitor ChurchCRM logs for suspicious activity, particularly form submissions containing unusual characters or JavaScript code. After upgrading, confirm the fix by attempting to submit a crafted XSS payload to the GeoPage.php page and verifying that the script is not executed.
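The paragraph above recommends three defensive measures short of upgrading: output encoding, input validation, and log monitoring around GeoPage.php. The PHP below is an added example written for this page, not ChurchCRM's own code, and it does not reproduce the project's GeoPage.php. It places the generic reflected-XSS pattern (a request value concatenated into an HTML attribute) beside the attribute-context encoding that closes it, adds an allow-list check as defence in depth, and finishes with a small triage function run over constructed access-log lines. The parameter name `address`, the function names, and the log format are assumptions for illustration.

```php
<?php
// Added example for this advisory, not ChurchCRM's code. It shows the generic
// reflected-XSS pattern the advisory describes (untrusted input echoed into an
// HTML attribute) beside the output-encoding fix it recommends, plus a log check.
// The parameter name "address", the helper names and the log format are assumptions.

declare(strict_types=1);

/** Vulnerable pattern: the request value is concatenated into an attribute unencoded. */
function renderAddressFieldVulnerable(string $userInput): string
{
    return '<input type="text" name="address" value="' . $userInput . '">';
}

/**
 * Hardened pattern: encode for the HTML attribute context before output.
 * ENT_QUOTES encodes both " and ' so the input cannot close the attribute,
 * and the explicit charset avoids encoding mismatches.
 */
function renderAddressFieldSafe(string $userInput): string
{
    $encoded = htmlspecialchars($userInput, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="address" value="' . $encoded . '">';
}

/** Input validation as defence in depth: an address-like field never needs <, >, " or '. */
function isPlausibleAddress(string $value): bool
{
    return preg_match('/^[\p{L}\p{N} .,#\-\/]{0,200}$/u', $value) === 1;
}

/**
 * Log triage helper for the monitoring step: flags request lines whose query
 * string contains markup or script-like tokens, whether raw or URL-encoded.
 */
function looksLikeXssProbe(string $logLine): bool
{
    $decoded = rawurldecode($logLine);
    return preg_match('/<\s*script|\son[a-z]+\s*=|javascript:|\sautofocus\b/i', $decoded) === 1;
}

// Constructed sample input containing an attribute-closing quote and a tag.
$probe = '"><b>probe</b>';

echo renderAddressFieldVulnerable($probe), PHP_EOL; // the quote closes the attribute early and the tag lands in the page
echo renderAddressFieldSafe($probe), PHP_EOL;       // the quote and angle brackets reach the browser as entities only
var_dump(isPlausibleAddress('12 Main St, Springfield')); // accepted: address-like characters only
var_dump(isPlausibleAddress($probe));                    // rejected before it reaches rendering

// Constructed access-log lines in a common combined-log shape (not real ChurchCRM logs).
$sampleLog = [
    '10.0.0.5 - - [07/Apr/2026:10:00:00 +0000] "GET /GeoPage.php?address=12+Main+St HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/Apr/2026:10:01:00 +0000] "GET /GeoPage.php?address=%22%3E%3Cscript%3E HTTP/1.1" 200 512',
];
foreach ($sampleLog as $line) {
    echo (looksLikeXssProbe($line) ? '[ALERT] ' : '[ok]    ') . $line, PHP_EOL;
}
```

The encoding in `renderAddressFieldSafe` is the fix that actually removes the bug; the allow-list and the log check are the temporary layers the advisory describes and should not be relied on instead of upgrading. The triage regex is deliberately coarse and will produce some false positives; it is meant to surface lines for a human to review, not to block traffic on its own.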
Upgrade ChurchCRM to version 7.1.0 or later to mitigate the XSS vulnerability in GeoPage.php. This update corrects how user input is handled, preventing the injection of malicious JavaScript code. Be sure to back up your database before upgrading.
CVE-2026-39332 is a reflected Cross-Site Scripting (XSS) vulnerability in ChurchCRM versions 0.0.0 through 7.0.x, allowing attackers to inject JavaScript code.
If you are using ChurchCRM versions 0.0.0 through 7.0.x, you are potentially affected by this vulnerability. Upgrade to 7.1.0 or later to mitigate the risk.
The recommended fix is to upgrade ChurchCRM to version 7.1.0 or later. Temporary workarounds include input validation and WAF rules.
While no active exploitation campaigns have been publicly reported, the vulnerability's ease of exploitation makes it a potential target.
Refer to the ChurchCRM website and security advisories for the latest information and official announcements regarding CVE-2026-39332.