Platform: php
Component: churchcrm
Fixed in: 7.1.1
CVE-2026-39333 describes a reflected Cross-Site Scripting (XSS) vulnerability discovered in ChurchCRM. This flaw allows an authenticated attacker to inject malicious JavaScript code into HTML attributes within the FindFundRaiser.php endpoint. The vulnerability affects versions 0.0.0 through 7.0 of ChurchCRM and is resolved in version 7.1.0 through a proper output encoding fix.
An attacker can exploit this XSS vulnerability by crafting a URL whose DateStart and DateEnd parameters contain script content. When another authenticated user visits this URL, the injected JavaScript executes in that user's browser session. This could lead to session hijacking, defacement of the ChurchCRM interface, or the theft of sensitive information, such as user credentials or financial data. The attacker must be authenticated within the ChurchCRM system to exploit this vulnerability, but the impact can be significant once the malicious script executes.
This vulnerability was publicly disclosed on 2026-04-07. There are currently no known public exploits or active campaigns targeting this specific vulnerability. The vulnerability is not listed on the CISA KEV catalog as of this writing. While no active exploitation has been reported, the ease of exploitation and the potential impact warrant prompt remediation.
Exploit Status
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2026-39333 is to upgrade ChurchCRM to version 7.1.0 or later, which includes the necessary output encoding fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests to the FindFundRaiser.php endpoint that contain suspicious characters in the DateStart and DateEnd parameters. Additionally, review all places where user-supplied input is rendered into HTML attributes and make sure the values are encoded for the attribute context before output. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into the DateStart or DateEnd parameters of the FindFundRaiser.php endpoint and verifying that it does not execute.
Update ChurchCRM to version 7.1.0 or later to mitigate the XSS (Cross-Site Scripting) vulnerability. This version corrects the output encoding issue in the DateStart and DateEnd parameters of the FindFundRaiser.php endpoint, preventing the execution of malicious JavaScript code.
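As an added illustration (not ChurchCRM's code; the function names are hypothetical), the following PHP contrasts the vulnerable pattern described above, a request parameter concatenated straight into an HTML attribute, with the attribute-context output encoding fix, plus strict date validation as defence in depth:

```php
<?php
// Added example, not ChurchCRM's code. Function names are hypothetical.
declare(strict_types=1);

// Vulnerable pattern: the raw parameter is concatenated into an HTML
// attribute value, so a double quote in the input closes the attribute and
// whatever follows it is parsed as new attributes of the <input> element.
function renderDateInputVulnerable(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML attribute context. htmlspecialchars
// turns " into &quot; (and, with ENT_QUOTES, ' into &apos;), so the input can
// no longer terminate the attribute it is placed in.
function renderDateInputSafe(string $name, string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $encoded . '">';
}

// Defence in depth: a DateStart/DateEnd parameter should only ever look like
// a date. Anything that does not round-trip as Y-m-d is dropped before it
// reaches the template, independently of the output encoding above.
function validDateOrEmpty(?string $raw): string
{
    if ($raw === null || $raw === '') {
        return '';
    }
    $dt = DateTime::createFromFormat('!Y-m-d', $raw);
    return ($dt !== false && $dt->format('Y-m-d') === $raw) ? $raw : '';
}

// Constructed sample input: a date followed by a quote and a stray attribute,
// standing in for the kind of value an untrusted DateStart could carry.
$sample = '2026-01-01" data-x="y';

// Attribute boundary broken: data-x becomes a real attribute of the element.
echo renderDateInputVulnerable('DateStart', $sample), PHP_EOL;

// Quote encoded: the whole sample stays inside the value attribute as text.
echo renderDateInputSafe('DateStart', $sample), PHP_EOL;

// Validation rejects the sample outright, so the field renders empty.
echo renderDateInputSafe('DateStart', validDateOrEmpty($sample)), PHP_EOL;
```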
CVE-2026-39333 is a reflected XSS vulnerability in ChurchCRM versions 0.0.0 through 7.0, allowing attackers to inject JavaScript via the DateStart and DateEnd parameters in FindFundRaiser.php.
You are affected if you are using ChurchCRM versions 0.0.0 through 7.0. Upgrade to version 7.1.0 or later to mitigate the risk.
Upgrade ChurchCRM to version 7.1.0 or later. As a temporary workaround, implement a WAF rule to filter suspicious requests to FindFundRaiser.php.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants prompt remediation.
Refer to the ChurchCRM website and security advisories for the latest information and updates regarding CVE-2026-39333.