Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM dashboard. The application fails to sanitize or encode user-supplied input prior to rendering it within the browser's DOM. Although the application ultimately returns an HTTP 500 error due to the malformed API request caused by the payload, the browser's JavaScript engine parses and executes the injected <script> tags before the error response is returned — resulting in successful code execution regardless of the server-side error. This vulnerability is fixed in 7.1.0.
Published: 2026-04-07
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Blind XSS enabling administrative cookie session exfiltration
Action: Patch Now
AI Analysis

Impact

ChurchCRM, before version 7.1.0, contains a blind reflected cross-site scripting flaw in the dashboard search input. The application does not sanitize or encode user-supplied data before inserting it into the DOM. When a malicious payload is supplied, the server returns an HTTP 500 error, but the browser's JavaScript engine parses the injected <script> tags before the error response returns, allowing arbitrary code to run in the victim's browser. Because the code executes in the context of the logged-in administrator, scripts can read cookies and other session tokens, leading to credential theft and potential full administrative takeover.

Affected Systems

Vendor: ChurchCRM. Product: ChurchCRM CRM. Version: Prior to 7.1.0. No other version data is listed.

Risk and Exploitability

CVSS score is 8.6, indicating a high severity. The EPSS score is not available. It is not listed in KEV. The vulnerability can be exploited by sending a crafted search query containing a malicious script via the web interface. The attacker does not need special privileges and only requires that a victim with administrative access visits the injected link. If successful, arbitrary JavaScript runs with the administrator's privileges, enabling cookie theft, session hijacking, or further payload execution. Because it is a blind XSS, the impact is not immediately visible to the victim, which reduces the chance of detection.

Generated by OpenCVE AI on April 7, 2026 at 21:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to version 7.1.0 or later.
  • Verify that the search input now sanitizes and encodes user data; test by attempting a script injection.
  • As an interim measure, disable or restrict global search functionality for administrators, or implement additional input validation on the search field.
  • Monitor server logs for anomalous searches and monitor administrators' sessions for suspicious activity.
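The actions above come down to one control: the search term must be HTML-encoded for the context it lands in before it is reflected, and a tester needs a way to confirm that the encoding is actually applied. The following is an added example written for this page, not ChurchCRM's code; it assumes a hypothetical rendering path that concatenates the search term into markup, which is the pattern the description implies. It shows the unsafe concatenation next to an encoded version and a small verification helper that reports whether a test term came back with its markup intact.

```javascript
// Added example, not ChurchCRM's code: contextual HTML encoding for a
// reflected search term, plus a check that no raw markup survives.

// Every character that can open a new HTML context is replaced by its
// entity, so a string such as "<script>" is rendered as literal text.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode a value for insertion as HTML text content or inside a
// double-quoted attribute value.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Unsafe rendering (hypothetical, the pattern the advisory describes):
// the search term is concatenated straight into markup, so any tags in
// it become live DOM nodes when the response is parsed.
function renderSearchHeadingUnsafe(term) {
  return `<h2>Search results for: ${term}</h2>`;
}

// Hardened rendering: the term is encoded before it reaches the element
// body and again before it is reflected into an attribute value.
function renderSearchHeadingSafe(term) {
  const enc = encodeHtml(term);
  return `<h2 data-term="${enc}">Search results for: ${enc}</h2>`;
}

// Verification helper for the "test by attempting a script injection"
// step: given the HTML the page returned and the term that was sent,
// report whether the whole term, or any tag-like fragment of it,
// came back verbatim (i.e. without encoding).
function reflectsUnencoded(html, term) {
  const fragments = [term, ...(term.match(/<[^>]*>/g) || [])];
  return fragments.some((f) => /[<>"']/.test(f) && html.includes(f));
}

// Constructed test term (not a real exploit): one tag pair plus the
// ampersand and both quote characters, covering every entity above.
const SAMPLE_TERM = `<script>probe</script> & "quoted" 'term'`;

// Run both renderers over the sample term and report which one leaks.
function demo() {
  return {
    unsafe: reflectsUnencoded(renderSearchHeadingUnsafe(SAMPLE_TERM), SAMPLE_TERM),
    safe: reflectsUnencoded(renderSearchHeadingSafe(SAMPLE_TERM), SAMPLE_TERM),
  };
}
```

Running `demo()` returns `{ unsafe: true, safe: false }`: the unencoded path echoes the tag back intact, the encoded path does not. The same `reflectsUnencoded` check can be pointed at a real response body captured from a patched instance to confirm that the fix in 7.1.0 encodes the search parameter.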

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 20:15:00 +0000

Type: CPEs
Values added: cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 16:15:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared
Values added: Churchcrm; Churchcrm churchcrm

Type: Vendors & Products
Values added: Churchcrm; Churchcrm churchcrm

Tue, 07 Apr 2026 20:45:00 +0000

Type: Description
Values added: ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM dashboard. The application fails to sanitize or encode user-supplied input prior to rendering it within the browser's DOM. Although the application ultimately returns an HTTP 500 error due to the malformed API request caused by the payload, the browser's JavaScript engine parses and executes the injected <script> tags before the error response is returned — resulting in successful code execution regardless of the server-side error. This vulnerability is fixed in 7.1.0.

Type: Title
Values added: ChurchCRM has Blind XSS via Global Search – Administrative Cookie Session Exfiltration

Type: Weaknesses
Values added: CWE-1004; CWE-79

Type: References
Values added:

Type: Metrics
Values added:
  cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T15:57:12.789Z

Reserved: 2026-04-06T20:28:38.393Z

Link: CVE-2026-39338

Vulnrichment

Updated: 2026-04-09T15:53:54.766Z

NVD

Status : Analyzed

Published: 2026-04-07T18:16:45.753

Modified: 2026-04-15T20:15:01.983

Link: CVE-2026-39338

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:23:22Z

Weaknesses