CVE-2026-39328
Status: Received (Intake)
Stored XSS in ChurchCRM Profile Editing Allows Session Hijacking

Publication date: 2026-04-07

Last updated on: 2026-04-10

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, and X profile fields. Due to a 50-character field limit, the payload is distributed across all three fields and chains their onfocus event handlers to execute in sequence. When any user, including administrators, views the attacker's profile, their session cookies are exfiltrated to a remote server. This vulnerability is fixed in 7.1.0.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-10
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor      Product     Version / Range
churchcrm   churchcrm   up to 7.1.0 (excluding 7.1.0)
CWE ID   Description
CWE-79   The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows low-privilege users to inject malicious JavaScript into profile fields, which can exfiltrate session cookies of any user viewing the compromised profile, including administrators. This leads to session hijacking and potential unauthorized administrative actions.

Such unauthorized access and potential data exposure could violate common standards and regulations like GDPR and HIPAA, which require protection of user data and prevention of unauthorized access.

Specifically, the exposure of session cookies and the ability to hijack sessions may lead to breaches of confidentiality and integrity of personal data, which are critical compliance requirements under these regulations.


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation step is to upgrade ChurchCRM to version 7.1.0 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, consider restricting the EditSelf permission to trusted users only, as this permission allows injection of malicious scripts.

Additionally, monitor user profile fields for suspicious input and avoid viewing profiles of untrusted users to reduce risk of session cookie exfiltration.


Can you explain this vulnerability to me?

CVE-2026-39328 is a stored cross-site scripting (XSS) vulnerability in ChurchCRM versions up to 7.0.5, fixed in version 7.1.0. It exists in the person profile editing feature, specifically in the social media profile fields for Facebook, LinkedIn, and X (formerly Twitter). Non-administrative users with the EditSelf permission can inject malicious JavaScript into these fields.

Because each field has a 50-character limit, attackers split their malicious payload across all three fields, chaining their onfocus event handlers to execute sequentially. The vulnerability arises because these fields are stored in the database and rendered on profile pages without proper HTML attribute escaping. Although the sanitizeText() function removes HTML tags, it fails to escape quote characters, allowing attackers to break out of attribute boundaries and inject event handlers that trigger immediate script execution.

When any user, including administrators, views the attacker's profile, the injected script executes and exfiltrates their session cookies to a remote server.
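The root cause described above (tags are stripped, but quote characters survive and close the attribute early) is easy to see side by side with the fix. The following Python script is an added illustration, not ChurchCRM code; sanitize_tags_only() is a hypothetical model of a tag-stripping-only sanitizer, standing in for the sanitizeText() behaviour the answer describes, and the sample value is constructed from the proof-of-concept fragment quoted on this page. It renders the value into an href attribute both ways and uses an HTML parser to list the attributes a browser would actually see.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample value modelled on the proof-of-concept fragment quoted in
# the advisory. The leading double quote is what terminates the href attribute
# early; everything after it then becomes new attributes of the <a> tag.
SAMPLE_VALUE = '" autofocus onfocus=alert(1337) x="'

TAG_RE = re.compile(r"<[^>]*>")


def sanitize_tags_only(value: str) -> str:
    """Hypothetical model of a sanitizer that only strips HTML tags.

    Assumption: this mirrors the behaviour the advisory attributes to
    sanitizeText(). Quote characters pass through untouched, which is the
    defect that makes attribute breakout possible.
    """
    return TAG_RE.sub("", value)


def render_profile_link_unsafe(value: str) -> str:
    """Vulnerable pattern: a tag-stripped value dropped into an attribute."""
    return f'<a href="{sanitize_tags_only(value)}">profile</a>'


def render_profile_link_safe(value: str) -> str:
    """Hardened pattern: escape for the attribute context, quotes included.

    html.escape(..., quote=True) turns " into &quot; and ' into &#x27;, so
    the value cannot close the attribute. In PHP (the language ChurchCRM is
    written in) the equivalent is htmlspecialchars($value, ENT_QUOTES, 'UTF-8').
    """
    return f'<a href="{html.escape(value, quote=True)}">profile</a>'


class _AnchorAttributes(HTMLParser):
    """Collects the attribute names the browser would see on the first <a>."""

    def __init__(self) -> None:
        super().__init__()
        self.names: list[str] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag == "a" and not self.names:
            self.names = [name for name, _value in attrs]


def anchor_attribute_names(markup: str) -> list[str]:
    """Parse rendered markup and return the attribute names on the <a> tag.

    Any name beyond 'href' means the value escaped the attribute.
    """
    parser = _AnchorAttributes()
    parser.feed(markup)
    parser.close()
    return parser.names


if __name__ == "__main__":
    for label, render in (("unsafe", render_profile_link_unsafe),
                          ("safe", render_profile_link_safe)):
        markup = render(SAMPLE_VALUE)
        print(f"{label}: {markup}")
        print(f"  attributes seen by the parser: {anchor_attribute_names(markup)}")
```

With the unsafe renderer the parser reports href, autofocus, onfocus and x as attributes of the link; with attribute-context escaping it reports only href, and the whole value sits inside it as inert text. Escaping fixes the breakout but does not validate the URL itself, so a field that is rendered as a link should additionally be restricted to http or https URLs.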


How can this vulnerability impact me?

This vulnerability can lead to session hijacking, where an attacker steals the session cookies of any user who views the compromised profile, including administrators.

With stolen session cookies, attackers can potentially escalate privileges and perform unauthorized administrative actions within ChurchCRM.

All users who view the attacker's profile are at risk, making the impact widespread within the affected system.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking the social media profile fields (Facebook, LinkedIn, and X) in ChurchCRM user profiles for injected JavaScript payloads, especially values containing attributes such as autofocus or inline event handlers such as onfocus.

A proof of concept payload includes strings such as `autofocus onfocus=alert(1337) x=` distributed across these fields.

To detect exploitation attempts on your system, you can monitor HTTP requests and responses for unusual JavaScript code in these profile fields or look for outgoing network requests that exfiltrate session cookies.

Specific commands are not provided in the resources, but general approaches include:

  • Using web application scanners or manual inspection to review profile fields for suspicious event handler attributes.
  • Monitoring web server logs for unusual payload patterns or encoded JavaScript in profile update requests.
  • Using network monitoring tools (e.g., tcpdump, Wireshark) to detect outbound requests that may be exfiltrating cookies.
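Since the page lists no concrete commands, here is an added Python triage script (not part of ChurchCRM or of this advisory) that implements the first two bullets: it scans the three social profile values of each person for attribute-breakout characters, autofocus and on*= event handlers, percent-decoding first so the same check works on form parameters copied out of web server logs. The field names facebook, linkedin and x are an assumption for this example (ChurchCRM's real column names may differ), and the sample rows are constructed; the suspicious ones reuse the proof-of-concept fragment quoted above. Because the advisory notes the payload is split across the three fields, a second pass checks the fields joined together so a token straddling a field boundary is still reported.

```python
import re
from urllib.parse import unquote_plus

# Field names are an assumption for this example; ChurchCRM's real column
# names may differ. The three social profile fields are the ones the advisory
# names: Facebook, LinkedIn and X.
SOCIAL_FIELDS = ("facebook", "linkedin", "x")

# Triage heuristics for a field that should only ever hold a profile URL:
#   - quote or angle-bracket characters can end an HTML attribute early,
#   - autofocus forces focus on page load,
#   - an on*= attribute is an inline event handler.
BREAKOUT_RE = re.compile(r"[\"'<>]")
AUTOFOCUS_RE = re.compile(r"\bautofocus\b", re.IGNORECASE)
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def field_findings(value: str) -> list[str]:
    """Return the heuristic labels that match one stored or submitted value.

    The value is percent-decoded first so the same check works on raw form
    parameters taken from request logs as well as on database contents.
    """
    decoded = unquote_plus(value)
    findings = []
    if BREAKOUT_RE.search(decoded):
        findings.append("attribute-breakout")
    if AUTOFOCUS_RE.search(decoded):
        findings.append("autofocus")
    if EVENT_HANDLER_RE.search(decoded):
        findings.append("event-handler")
    return findings


def scan_profile(record: dict) -> list[tuple[str, list[str]]]:
    """Scan one person's social fields; returns (field, findings) pairs.

    The 50-character limit forces a payload to be split across the three
    fields, so a second pass looks at the fields joined together and reports
    anything that is only visible across a field boundary.
    """
    results = []
    seen: set[str] = set()
    for field in SOCIAL_FIELDS:
        findings = field_findings(record.get(field, ""))
        if findings:
            results.append((field, findings))
            seen.update(findings)
    joined = "".join(record.get(field, "") for field in SOCIAL_FIELDS)
    across = [f for f in field_findings(joined) if f not in seen]
    if across:
        results.append(("combined", across))
    return results


def scan_profiles(records: list[dict]) -> dict:
    """Map person id -> findings for every record that trips a heuristic."""
    report = {}
    for record in records:
        hits = scan_profile(record)
        if hits:
            report[record["person_id"]] = hits
    return report


# Constructed sample rows standing in for a dump of the person table.
SAMPLE_RECORDS = [
    {"person_id": 1,
     "facebook": "https://www.facebook.com/example.person",
     "linkedin": "https://www.linkedin.com/in/example-person",
     "x": "https://x.com/example_person"},
    # Fragment quoted in the advisory, plus a percent-encoded variant as it
    # would appear in a logged form submission.
    {"person_id": 2,
     "facebook": '" autofocus onfocus=alert(1337) x="',
     "linkedin": "' autofocus onfocus=alert(1337) y='",
     "x": "%22%20onfocus%3Dalert(1337)%20x%3D%22"},
    # A token split across two fields: neither half alone contains on*=.
    {"person_id": 3,
     "facebook": '" onfoc',
     "linkedin": 'us=alert(1337) x="',
     "x": ""},
]


if __name__ == "__main__":
    for person_id, hits in scan_profiles(SAMPLE_RECORDS).items():
        print(f"person {person_id}:")
        for field, findings in hits:
            print(f"  {field}: {', '.join(findings)}")
```

The benign record produces no findings; the other two are reported, with the split token in the third record surfacing only under the combined label. The on*= pattern is deliberately broad and will also match an ordinary query parameter such as online=1, so treat the output as a triage list to review rather than as confirmed exploitation.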
