Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting (XSS) vulnerability on the login page, caused by the lack of sanitization or encoding of the username parameter received from the URL. The username parameter value is displayed directly in the login page input element without filtering, allowing attackers to inject malicious JavaScript. If successful, the script executes on the client side, potentially stealing sensitive data such as session cookies or replacing the page content with the attacker's own login form. This vulnerability is fixed in 7.1.0.
Published: 2026-04-07
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Client-side script execution (Reflected XSS)
Action: Patch
AI Analysis

Impact

A reflected cross-site scripting vulnerability exists on the login page of ChurchCRM versions prior to 7.1.0. The username query-string parameter is rendered directly into the input field without sanitization or output encoding, allowing an attacker to inject JavaScript that executes in the victim's browser when the crafted URL is visited. The script can steal session cookies or redirect the user, compromising user session confidentiality and availability.
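The sink described above is an HTML attribute: user input lands inside `value="…"` of an `<input>`. The following added example (not ChurchCRM code; the function names, the `/login` path and the access-log lines are constructed for illustration) models the vulnerable reflection beside its attribute-context-encoded fix, uses Python's own HTML parser to show why the encoded form keeps the parameter as data rather than markup, and includes a small log check a defender can run over access logs from the unpatched period to spot requests whose `username` parameter carried HTML metacharacters.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Hypothetical model of the defect class in the advisory: a login page that
# reflects the "username" query parameter into an <input> value attribute.
# None of this is ChurchCRM code; the /login path and log lines are constructed.


def render_login_vulnerable(username: str) -> str:
    """Reflects the raw parameter into the attribute (the unencoded pattern)."""
    return f'<input type="text" name="username" value="{username}">'


def render_login_fixed(username: str) -> str:
    """Encodes for the HTML attribute context before reflecting.

    html.escape(quote=True) turns & < > " ' into entities, so the value can
    neither close the attribute nor open a new tag. This is the right encoder
    for this sink; JavaScript or URL contexts need their own encoders.
    """
    return f'<input type="text" name="username" value="{html.escape(username, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records every start tag a browser-like parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(fragment: str):
    """Parse an HTML fragment and return its start tags with attributes."""
    p = _TagCollector()
    p.feed(fragment)
    p.close()
    return p.tags


def value_is_contained(fragment: str, original: str) -> bool:
    """True when the fragment parses to exactly one <input> whose value
    attribute decodes back to the original string, i.e. the user-controlled
    text stayed data and never became markup."""
    tags = parse_tags(fragment)
    return len(tags) == 1 and tags[0][0] == "input" and tags[0][1].get("value") == original


# Detection side: flag requests whose "username" query parameter carries HTML
# metacharacters. Meant for reviewing access logs from before the upgrade.
MARKUP_CHARS = set('<>"\'')


def username_has_markup(access_log_line: str, param: str = "username") -> bool:
    """Parse a common-log-format line and test the percent-decoded parameter."""
    try:
        request = access_log_line.split('"')[1]      # e.g. GET /login?... HTTP/1.1
        target = request.split()[1]
    except IndexError:
        return False                                  # not a request line we understand
    params = parse_qs(urlparse(target).query, keep_blank_values=True)
    return any(MARKUP_CHARS & set(v) for v in params.get(param, []))


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Apr/2026:12:00:00 +0000] "GET /login?username=alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Apr/2026:12:00:03 +0000] "GET /login?username=bob%22%3E%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 540',
]


def flagged_lines(lines=SAMPLE_LOG):
    """Return the sample lines whose username parameter contains markup characters."""
    return [line for line in lines if username_has_markup(line)]


if __name__ == "__main__":
    probe = 'bob"><b>x</b>'   # constructed: closes the attribute if left unencoded
    for render in (render_login_vulnerable, render_login_fixed):
        out = render(probe)
        print(render.__name__, "->", out)
        print("  parsed tags:", [t for t, _ in parse_tags(out)],
              "contained:", value_is_contained(out, probe))
    print("flagged log lines:", flagged_lines())
```

Run stand-alone, the vulnerable renderer yields two parsed tags (`input` and the injected `b`), while the fixed renderer yields a single `input` whose decoded value equals the probe string; the log check flags only the second constructed line. In a real deployment the same `value_is_contained` idea works as a regression test for the login template: feed it strings containing `"` and `<` and require exactly one tag back.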

Affected Systems

The flaw affects the open‑source ChurchCRM management system, specifically its login page component. All installations running a version before 7.1.0 are vulnerable. The product is commonly used by churches for member management.

Risk and Exploitability

The high CVSS score of 8.1 reflects the severity of this client-side vulnerability. While the EPSS probability assessment shows a low likelihood of exploitation at present, the attack is straightforward and requires no authentication; any user who opens the malicious link could be affected. The vulnerability is not yet listed in the Known Exploited Vulnerabilities (KEV) catalog, but its impact and accessibility warrant timely remediation.

Generated by OpenCVE AI on April 9, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to version 7.1.0 or later.



Advisories

No advisories yet.

History

Thu, 09 Apr 2026 18:45:00 +0000

Type                  Values Removed    Values Added
CPEs                                    cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 08:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Churchcrm
                                        Churchcrm churchcrm
Vendors & Products                      Churchcrm
                                        Churchcrm churchcrm

Wed, 08 Apr 2026 20:15:00 +0000

Type                  Values Removed    Values Added
Metrics                                 ssvc
                                        {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 20:45:00 +0000

Type                  Values Removed    Values Added
Description                             ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting (XSS) vulnerability on the login page, which is caused by the lack of sanitization or encoding of the username parameter received from the URL. The username parameter value is directly displayed in the login page input element without filter, allowing attackers to insert malicious JavaScript scripts. If successful, script can be executed on the client side, potentially stealing sensitive data such as session cookies or replacing the display to show the attacker's login form. This vulnerability is fixed in 7.1.0.
Title                                   Reflected XSS the login page through the 'username' parameter
Weaknesses                              CWE-79
                                        CWE-80
References
Metrics                                 cvssV3_0
                                        {'score': 8.1, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T18:45:18.870Z

Reserved: 2026-04-06T20:28:38.394Z

Link: CVE-2026-39344

Vulnrichment

Updated: 2026-04-08T18:45:02.742Z

NVD

Status : Analyzed

Published: 2026-04-07T18:16:46.587

Modified: 2026-04-09T18:42:28.200

Link: CVE-2026-39344

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:41:19Z

Weaknesses