CVE-2026-39333 - Vulnerability Details

- ChurchCRM has Reflected XSS in DateStart/DateEnd parameters in FindFundRaiser.php

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, he FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd) into HTML input field attributes without proper output encoding for the HTML attribute context. An authenticated attacker can craft a malicious URL that executes arbitrary JavaScript when visited by another authenticated user. This constitutes a reflected XSS vulnerability. This vulnerability is fixed in 7.1.0.

Published: 2026-04-07

Score: 8.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allows a malicious actor who possesses legitimate user credentials to create a specially crafted URL that injects arbitrary JavaScript into an HTML input field attribute on the FindFundRaiser.php page. When the target authenticated user visits the URL, the injected code runs in the browser’s context. This can lead to session hijacking, theft of credentials, or further malicious actions performed with the victim’s privileges.

Affected Systems

ChurchCRM, a public‑source church management system, is affected in all releases older than version 7.1.0. The flaw is confined to the FindFundRaiser.php endpoint and requires that the attacker be authenticated to an account within the system.

Risk and Exploitability

The CVSS score of 8.7 reflects a high impact, while the EPSS score of less than 1% indicates that the vulnerability is currently low probability of exploitation. Because the bug requires authenticated access, the attacker must either compromise user credentials or compromise an already authenticated session, limiting the threat to internal users or attackers who can gain credentials. The vulnerability is not listed in the CISA KEV catalog, and there is no publicly available exploit, though the attack path is straightforward via a user‑directed URL.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ChurchCRM

CRM

affected

Version	Status	Constraints
`< 7.1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Churchcrm

81%

Version	Status	Scheme	Platform
`[0,7.1.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update to ChurchCRM version 7.1.0 or later, which removes the reflected XSS flaw in DateStart and DateEnd input handling.
If an update cannot be applied immediately, ensure that FindFundRaiser.php is protected so that only users with minimal privileges can access it, or temporarily block the endpoint from public access while monitoring for suspicious traffic.

Generated by OpenCVE AI on April 10, 2026 at 22:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00038.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-fqq6-qrcf-h7h5

History

Fri, 10 Apr 2026 21:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:churchcrm:churchcrm::::::::

Thu, 09 Apr 2026 08:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Churchcrm Churchcrm churchcrm
Vendors & Products		Churchcrm Churchcrm churchcrm

Tue, 07 Apr 2026 20:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 07 Apr 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		ChurchCRM is an open-source church management system. Prior to 7.1.0, he FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd) into HTML input field attributes without proper output encoding for the HTML attribute context. An authenticated attacker can craft a malicious URL that executes arbitrary JavaScript when visited by another authenticated user. This constitutes a reflected XSS vulnerability. This vulnerability is fixed in 7.1.0.
Title		ChurchCRM has Reflected XSS in DateStart/DateEnd parameters in FindFundRaiser.php
Weaknesses		CWE-79
References		https://github.com/ChurchCRM/CRM/security/advisories/GHSA-fqq6-qrcf-h7h5
Metrics		cvssV3_1 `{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}`

Subscriptions

Churchcrm Churchcrm

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-07T17:38:02.576Z

Updated: 2026-04-07T19:59:17.229Z

Reserved: 2026-04-06T20:28:38.393Z

Link: CVE-2026-39333

Vulnrichment

Updated: 2026-04-07T19:13:21.634Z

NVD

Status : Analyzed

Published: 2026-04-07T18:16:44.997

Modified: 2026-04-10T20:57:56.703

Link: CVE-2026-39333

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:26:33Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object