Description
ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would execute when the group was viewed in the Group View. Version 6.8.2 fixes this issue.
Published: 2026-02-19
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting in Group Editor
Action: Update
AI Analysis

Impact

ChurchCRM versions earlier than 6.8.2 allow an authenticated user with group edit rights to inject and persist JavaScript code in group records. When a group is viewed, the stored script executes in the browser of anyone who opens the group page. This stored cross‑site scripting flaw can lead to session hijacking, credential theft, or defacement of the interface, compromising the confidentiality and integrity of user data.

Affected Systems

The affected product is the ChurchCRM community edition. Every installation running a version prior to 6.8.2 is vulnerable. The issue is fixed in release 6.8.2 and later.

Risk and Exploitability

The CVSS score of 2.1 indicates low severity, and the EPSS score below 1% suggests a low probability of exploitation at this time. The vulnerability requires the attacker to be authenticated and to possess edit permissions for groups, which is a relatively narrow target set. Because there is no public exploit or evidence in the KEV catalog, the risk is considered low, but administrators should still remediate promptly.

Generated by OpenCVE AI on April 17, 2026 at 17:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to version 6.8.2 or later.
  • If an immediate upgrade is not possible, limit group‑editing permissions to trusted users only and monitor group‑edit logs for suspicious activity.
  • Implement a Content Security Policy that disallows inline scripts on group view pages to mitigate any residual XSS impact.

Generated by OpenCVE AI on April 17, 2026 at 17:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Churchcrm
Churchcrm churchcrm
Vendors & Products Churchcrm
Churchcrm churchcrm

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would execute when the group was viewed in the Group View. Version 6.8.2 fixes this issue.
Title ChurchCRM has Stored Cross-Site Scripting (XSS) in GroupEditor.php
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P'}

Subscriptions

Churchcrm Churchcrm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-19T21:23:56.193Z

Reserved: 2026-02-10T18:01:31.899Z

Link: CVE-2026-26059

cve-icon Vulnrichment

Updated: 2026-02-19T20:58:50.433Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-19T19:22:29.693

Modified: 2026-02-20T19:07:03.730

Link: CVE-2026-26059

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T18:00:12Z

Weaknesses