Platform
php
Component
churchcrm
Fixed in
7.1.1
CVE-2026-39344 describes a Reflected Cross-Site Scripting (XSS) vulnerability found in ChurchCRM versions prior to 7.1.0. This vulnerability allows attackers to inject malicious JavaScript code into the login page via the username parameter in the URL. Successful exploitation could result in the theft of sensitive user data, such as session cookies, or the presentation of a fake login form to harvest credentials.
The impact of this XSS vulnerability is significant, as it can be exploited to compromise user accounts and potentially gain control of the ChurchCRM application. An attacker could craft a malicious URL containing JavaScript code and send it to a ChurchCRM user. When the user clicks the link, the JavaScript code will execute in their browser, allowing the attacker to steal their session cookie and impersonate them. Alternatively, the attacker could inject JavaScript code that replaces the legitimate login form with a fake one, tricking users into entering their credentials, which are then sent to the attacker. This could lead to unauthorized access to sensitive church data, including member information, financial records, and event details.
This vulnerability was publicly disclosed on 2026-04-07. There is currently no indication of active exploitation campaigns targeting ChurchCRM. Public proof-of-concept (PoC) code is likely to emerge given the ease of exploitation of reflected XSS vulnerabilities. The vulnerability is not currently listed on the CISA KEV catalog.
Churches and organizations utilizing ChurchCRM versions 0.0.0 through 7.0 are at risk. This includes deployments with limited security expertise and those relying on default configurations. Shared hosting environments where multiple ChurchCRM instances reside on the same server are particularly vulnerable, as a successful attack on one instance could potentially compromise others.
• php: Examine ChurchCRM application logs for suspicious URL parameters containing JavaScript code in the username field. Use grep to search for patterns like <script> or alert() within the logs.
grep -iE '(<script>|%3Cscript%3E).*alert\(' /var/log/apache2/access.log
• generic web: Monitor access logs for requests to the login page with unusual or excessively long username parameters. Use curl to test the login page with a simple XSS payload and observe the response.
curl -s 'http://churchcrm.example.com/login.php?username=<script>alert("XSS")</script>'
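A grep over raw access logs misses URL-encoded payloads and fires on every parameter. The script below, added here as an illustration and not part of the advisory or of ChurchCRM, parses Apache combined-format lines, isolates the username parameter of login requests, URL-decodes it and flags markup that has no business in a username. The log lines, the /login.php path and the parameter name are constructed assumptions for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined log format (not real ChurchCRM logs).
SAMPLE_LOG = """\
203.0.113.10 - - [07/Apr/2026:10:01:02 +0000] "GET /login.php?username=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [07/Apr/2026:10:01:05 +0000] "GET /login.php?username=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "curl/8.0"
203.0.113.12 - - [07/Apr/2026:10:01:09 +0000] "GET /login.php?username=bob%22%20onfocus%3D%22alert(1) HTTP/1.1" 200 600 "-" "Mozilla/5.0"
203.0.113.13 - - [07/Apr/2026:10:01:12 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 404 300 "-" "Mozilla/5.0"
203.0.113.14 - - [07/Apr/2026:10:01:15 +0000] "GET /login.php?username=o%27brien HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Heuristic for markup in a username: an HTML tag, an inline event handler, or a javascript: URL.
SUSPICIOUS_RE = re.compile(r'<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:', re.IGNORECASE)


def suspicious_username_requests(log_text, login_path="/login.php", param="username"):
    """Return (ip, timestamp, decoded_username) for requests to login_path whose
    username parameter decodes to something containing HTML or JavaScript markup."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != login_path:
            continue  # only the login page reflects this parameter
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            # parse_qs decodes once; decode again so double-encoded payloads are seen too.
            decoded = unquote(unquote(value))
            if SUSPICIOUS_RE.search(decoded):
                hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits


if __name__ == "__main__":
    for ip, ts, username in suspicious_username_requests(SAMPLE_LOG):
        print(f"{ts} {ip} username={username!r}")
```

Of the five constructed lines, only the two login requests carrying a script tag and an inline event handler are reported; the plain usernames and the request to another page are not.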
Exploit Status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-39344 is to upgrade ChurchCRM to version 7.1.0 or later, which includes the necessary sanitization and encoding of the username parameter. If an immediate upgrade is not possible, consider implementing a Web Application Firewall (WAF) rule to filter out malicious JavaScript code in the username parameter. Additionally, carefully review and sanitize all user inputs within the ChurchCRM application to prevent similar vulnerabilities from arising. After upgrading, verify the fix by attempting to inject a simple JavaScript payload (e.g., <script>alert('XSS')</script>) into the username parameter of the login URL and confirming that it is not executed.
Upgrade to version 7.1.0 or later to mitigate the XSS vulnerability. This update fixes the missing sanitization or encoding of the 'username' parameter on the login page, preventing the injection of malicious scripts.
CVE-2026-39344 is a Reflected Cross-Site Scripting (XSS) vulnerability in ChurchCRM versions 0.0.0 through 7.0, allowing attackers to inject malicious JavaScript into the login page.
You are affected if you are using ChurchCRM versions 0.0.0 through 7.0. Upgrade to version 7.1.0 or later to resolve the vulnerability.
Upgrade ChurchCRM to version 7.1.0 or later. Consider implementing a WAF rule to filter malicious JavaScript in the username parameter as a temporary mitigation.
There is currently no indication of active exploitation campaigns, but public proof-of-concept code is likely to emerge.
Refer to the ChurchCRM website and security advisories for the official announcement and details regarding this vulnerability.