Executive Summary

CVE-2026-24855 is a stored Cross-Site Scripting (XSS) vulnerability in the ChurchCRM application, specifically in the Create Events feature of the Calendar module. Low-privilege users can inject malicious scripts into the Description field of calendar events. These scripts are stored in the database and executed when other users, including administrators, view the event. This can lead to session hijacking and account takeover. The vulnerability arises because user input is not properly sanitized before being stored and rendered. The fix involves sanitizing the Title, Description, and Text fields during event creation and updates to prevent malicious scripts from being saved and executed. [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to session hijacking and account takeover by allowing attackers to execute malicious scripts in the browsers of other users, including administrators. Attackers can steal session cookies and escalate privileges, potentially gaining full control over the application. It can also result in data exposure, data integrity loss (such as modifying user data or settings), and broader compromise scenarios when combined with other attacks like CSRF bypasses or OAuth token theft. [1, 3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by inspecting calendar events for malicious scripts in the Description (Desc) field, especially those created by low-privilege users. Since the payload is stored in the database and executed when viewed, you can query the database for suspicious HTML or script tags in the Description field of calendar events. Additionally, intercepting and analyzing HTTP requests to the event creation API for injected scripts using tools like Burp Suite can help detect exploitation attempts. Specific commands depend on your database and environment, but for example, in SQL you might run a query like: SELECT * FROM events WHERE description LIKE '%<script%' OR description LIKE '%onerror=%' OR description LIKE '%fetch(%'; to find suspicious entries. Monitoring web server logs for unusual requests to the calendar event creation endpoints or unusual payloads can also help detect attempts. [3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading ChurchCRM to version 6.7.2 or later, where the vulnerability is fixed by sanitizing user inputs in the calendar event creation and update functions. If upgrading is not immediately possible, implement server-side input sanitization and output encoding for the Description, Title, and Text fields in calendar events to prevent stored XSS payloads. Use centralized escaping libraries or templating engines to ensure all rendered fields are properly escaped. Additionally, restrict low-privilege users from creating calendar events until the fix is applied, and monitor for suspicious activity. Applying the patch that sanitizes inputs using InputUtils::sanitizeText() and InputUtils::sanitizeHTML() as described in the commits will prevent malicious scripts from being stored and executed. [1, 2, 3]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers to perform stored Cross-Site Scripting (XSS) attacks that can lead to session hijacking, account takeover, and potentially unauthorized access to sensitive user data. Such unauthorized access and data exposure can result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data and ensuring system security to prevent data breaches. Therefore, this vulnerability poses a risk to compliance with these standards by enabling attackers to compromise user accounts and potentially access or manipulate protected data. [3]

Useful 0 Not Useful 0