Platform: php
Component: churchcrm
Fixed version: 7.1.1
CVE-2026-39333 describes a reflected Cross-Site Scripting (XSS) vulnerability discovered in ChurchCRM. This flaw allows an authenticated attacker to inject malicious JavaScript code into HTML attributes within the FindFundRaiser.php endpoint. The vulnerability affects versions 0.0.0 through 7.0 of ChurchCRM and is resolved in version 7.1.0 through a proper output encoding fix.
An attacker can exploit this XSS vulnerability by crafting a URL whose DateStart and DateEnd parameters carry the injected script. When another authenticated user visits this URL, the injected JavaScript executes in their browser context. This could lead to session hijacking, defacement of the ChurchCRM interface, or the theft of sensitive information, such as user credentials or financial data. The attacker needs to be authenticated within the ChurchCRM system to exploit this vulnerability, but the impact can be significant once the malicious script executes.
This vulnerability was publicly disclosed on 2026-04-07. There are currently no known public exploits or active campaigns targeting this specific vulnerability. The vulnerability is not listed on the CISA KEV catalog as of this writing. While no active exploitation has been reported, the ease of exploitation and the potential impact warrant prompt remediation.
Organizations and individuals using ChurchCRM versions 0.0.0 through 7.0, particularly those with limited security expertise or those who do not regularly update their software, are at significant risk. Shared hosting environments where multiple ChurchCRM instances reside are also at increased risk, as a compromise of one instance could potentially impact others.
• php: Examine ChurchCRM logs for unusual activity related to the FindFundRaiser.php endpoint, specifically looking for requests containing suspicious characters in the DateStart and DateEnd parameters.
• generic web: Use curl to test the FindFundRaiser.php endpoint with various payloads in the DateStart and DateEnd parameters. Example:
  curl 'http://churchcrm/FindFundRaiser.php?DateStart=<script>alert("XSS")</script>&DateEnd=2024-12-31'
• generic web: Review access logs for requests to FindFundRaiser.php containing unusual characters or patterns in the DateStart and DateEnd parameters. Look for patterns indicative of XSS attempts.
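The log review above can be automated with an allow-list rather than a list of payload signatures: DateStart and DateEnd should only ever be YYYY-MM-DD dates, so any decoded value that is not one is worth a look. The following PHP script is an added example and not ChurchCRM project code; the access-log lines are constructed for illustration (the second one carries the same payload as the curl test above, percent-encoded as a web server would record it), and the function names are the example's own.

```php
<?php
// Added example, not ChurchCRM project code: scan access-log lines for requests to
// FindFundRaiser.php whose DateStart/DateEnd values are not plain YYYY-MM-DD dates.
// Allow-listing the expected format flags injection attempts without having to
// enumerate payload patterns. The log lines below are constructed for illustration.
declare(strict_types=1);

const SAMPLE_ACCESS_LOG = <<<'LOG'
10.0.0.5 - - [07/Apr/2026:10:01:12 +0000] "GET /FindFundRaiser.php?DateStart=2026-01-01&DateEnd=2026-03-31 HTTP/1.1" 200 5123
10.0.0.9 - - [07/Apr/2026:10:02:40 +0000] "GET /FindFundRaiser.php?DateStart=%3Cscript%3Ealert(%22XSS%22)%3C%2Fscript%3E&DateEnd=2024-12-31 HTTP/1.1" 200 5210
10.0.0.9 - - [07/Apr/2026:10:03:01 +0000] "GET /FindFundRaiser.php?DateStart=2026-01-01&DateEnd=2026-03-31%22 HTTP/1.1" 200 5210
10.0.0.7 - - [07/Apr/2026:10:04:15 +0000] "GET /index.php HTTP/1.1" 200 812
LOG;

/** True when $value is exactly a YYYY-MM-DD date, the only shape these parameters should take. */
function isPlainDate(string $value): bool
{
    return preg_match('/^\d{4}-\d{2}-\d{2}\z/', $value) === 1;
}

/**
 * Return one finding per DateStart/DateEnd value that deviates from the expected
 * date format, with the decoded value and the 1-based log line number.
 */
function findSuspiciousRequests(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $index => $line) {
        // Pull the request target out of the quoted request line.
        if (!preg_match('#"(?:GET|POST) (\S+) HTTP/[\d.]+"#', $line, $m)) {
            continue;
        }
        $target = $m[1];
        $path = parse_url($target, PHP_URL_PATH);
        if (!is_string($path) || basename($path) !== 'FindFundRaiser.php') {
            continue;
        }
        $query = parse_url($target, PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params); // parse_str() percent-decodes the values for us
        foreach (['DateStart', 'DateEnd'] as $name) {
            if (!array_key_exists($name, $params)) {
                continue;
            }
            $value = $params[$name];
            // Array-valued parameters (DateStart[]=...) are never legitimate here either.
            if (is_array($value) || !isPlainDate($value)) {
                $findings[] = [
                    'line'  => $index + 1,
                    'param' => $name,
                    'value' => is_array($value) ? '(array)' : $value,
                ];
            }
        }
    }
    return $findings;
}

foreach (findSuspiciousRequests(SAMPLE_ACCESS_LOG) as $finding) {
    printf("line %d: %s=%s\n", $finding['line'], $finding['param'], $finding['value']);
}
```

Run it against a real log by replacing SAMPLE_ACCESS_LOG with the contents of the access log; the first and fourth constructed lines are ignored (well-formed dates and an unrelated endpoint), while the second and third are reported because their decoded values are not dates. The same allow-list check is what a WAF rule for this endpoint should express.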
disclosure
Exploit status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-39333 is to upgrade ChurchCRM to version 7.1.0 or later, which includes the necessary output encoding fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests to the FindFundRaiser.php endpoint that contain suspicious characters in the DateStart and DateEnd parameters. Additionally, carefully review and sanitize all user-supplied input before rendering it in HTML attributes. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into the DateStart or DateEnd parameters of the FindFundRaiser.php endpoint and verifying that it does not execute.
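To make the "output encoding fix" concrete, the following PHP is an added example and not ChurchCRM's actual code: it puts the vulnerable pattern (a request parameter concatenated straight into an attribute value) beside the hardened one, and adds the input validation that belongs in front of it. The function names and the form markup are hypothetical; the payload is the one used in the curl test earlier on this page.

```php
<?php
// Added example, not ChurchCRM's actual code: the vulnerable and the hardened way of
// reflecting a request parameter into an HTML attribute. Function names and markup
// are hypothetical; the payload is the one the page's curl test uses.
declare(strict_types=1);

/** Vulnerable pattern: the raw parameter is concatenated into the attribute value. */
function renderDateFieldUnsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

/**
 * Hardened pattern: encode for the attribute context. ENT_QUOTES turns both " and '
 * into entities so the value cannot terminate the attribute, and ENT_SUBSTITUTE keeps
 * htmlspecialchars() from returning '' on invalid UTF-8 (a silent failure that can
 * hide a problem instead of surfacing it).
 */
function renderDateFieldSafe(string $name, string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $encoded . '">';
}

/**
 * Defence in depth: accept only values that are real YYYY-MM-DD dates before they
 * reach any template, returning null for anything else so the caller falls back to
 * a default instead of reflecting the input at all.
 */
function normalizeDateParam(?string $value): ?string
{
    if ($value === null) {
        return null;
    }
    $date = DateTimeImmutable::createFromFormat('!Y-m-d', $value);
    // createFromFormat() is lenient (2026-02-31 rolls over to March), so round-trip
    // the value to reject dates that do not exist.
    return ($date !== false && $date->format('Y-m-d') === $value) ? $value : null;
}

$payload = '<script>alert("XSS")</script>';

echo "unsafe: ", renderDateFieldUnsafe('DateStart', $payload), "\n";
echo "safe:   ", renderDateFieldSafe('DateStart', $payload), "\n";

foreach ([$payload, '2024-12-31', '2026-02-31'] as $candidate) {
    $normalized = normalizeDateParam($candidate);
    echo "validate ", json_encode($candidate), " => ", $normalized ?? 'rejected', "\n";
}
```

In the unsafe rendering the payload's `"` closes the attribute and the `<script>` tag is emitted as markup; in the safe rendering `"` becomes `&quot;` and `<`/`>` become `&lt;`/`&gt;`, so the browser treats the whole value as text. Validation alone is not a substitute for encoding, because the same parameter may be reflected in more than one place, but it keeps anything that is not a date out of the page entirely.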
Update ChurchCRM to version 7.1.0 or later to mitigate the XSS vulnerability. This version fixes the output-encoding problem in the DateStart and DateEnd parameters of the FindFundRaiser.php endpoint, preventing the execution of malicious JavaScript code.
CVE-2026-39333 is a reflected XSS vulnerability in ChurchCRM versions 0.0.0 through 7.0, allowing attackers to inject JavaScript via the DateStart and DateEnd parameters in FindFundRaiser.php.
You are affected if you are using ChurchCRM versions 0.0.0 through 7.0. Upgrade to version 7.1.0 or later to mitigate the risk.
Upgrade ChurchCRM to version 7.1.0 or later. As a temporary workaround, implement a WAF rule to filter suspicious requests to FindFundRaiser.php.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants prompt remediation.
Refer to the ChurchCRM website and security advisories for the latest information and updates regarding CVE-2026-39333.