CVE-2026-39336
Stored XSS in ChurchCRM Config Fields Allows Admin Abuse
Publication date: 2026-04-07
Last updated on: 2026-04-10
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | < 7.1.0 (7.1.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a stored cross-site scripting (XSS) issue that allows script execution in privileged admin sessions, potentially leading to unauthorized access to sensitive information.
Because the vulnerability can compromise confidentiality and integrity of data within the ChurchCRM system, it may impact compliance with standards and regulations such as GDPR and HIPAA that require protection of personal and sensitive data.
Specifically, the high confidentiality and integrity impact indicated by the CVSS score suggests that personal data could be exposed or altered, which would violate data protection requirements under these regulations.
Can you explain this vulnerability to me?
CVE-2026-39336 is a stored cross-site scripting (XSS) vulnerability in ChurchCRM versions prior to 7.1.0. It occurs because certain configuration values, which can be set by an authenticated admin, are stored and later rendered directly inside HTML attribute contexts without proper escaping. This improper handling allows malicious JavaScript code to be injected and executed when another admin views affected pages.
The vulnerability arises from a context mismatch where input filtering or sanitization is applied on write, but output is rendered in HTML attributes without appropriate attribute-safe encoding. This allows attackers to break out of HTML attributes and inject executable event handlers, such as using payloads like " autofocus onfocus=alert(document.cookie) x=", which can trigger script execution.
Affected areas include Directory Reports form fields, Person editor address fields, and external self-registration form defaults. Exploitation requires an authenticated admin to input malicious payloads into writable configuration fields, which then execute when viewed by other admins.
How can this vulnerability impact me?
This vulnerability allows an attacker with admin privileges to inject malicious scripts that execute in the browsers of other admin users. This can lead to the theft of sensitive information such as session cookies, unauthorized actions performed on behalf of other admins, and potential compromise of the administrative interface.
Because the attack requires high privileges and user interaction (an admin viewing the affected pages), the risk is primarily an admin-to-admin attack vector. However, the impact on confidentiality and integrity is high, as attackers can hijack sessions or manipulate data within the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of malicious stored cross-site scripting payloads in the configuration fields of ChurchCRM prior to version 7.1.0. Specifically, look for suspicious attribute-breaking payloads such as " autofocus onfocus=alert(document.cookie) x=" in configuration fields like Church Name, Street Address, City, State, Zip, Phone, or default state and city fields.
Detection involves inspecting the database or configuration files for these payloads and verifying if the application renders these values without proper escaping in the affected pages: DirectoryReports.php, PersonEditor.php, and family-register.php.
Suggested commands include querying the database for suspicious strings in configuration fields. For example, on MySQL (table and column names as given in this advisory), you might run:

```sql
-- Config values that carry an inline event handler such as onfocus=
SELECT * FROM system_config WHERE value LIKE '%onfocus=%';
-- Config values that carry the autofocus trigger used by the known payload
SELECT * FROM system_config WHERE value LIKE '%autofocus%';
```
Additionally, manual testing by an authenticated admin can be performed by inputting known payloads into configuration fields and observing if the payload executes when visiting the affected pages.
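The following Python snippet is an added illustration, not ChurchCRM code, of the two points above: the attribute-context mismatch (a value that survives write-time filtering but is interpolated unescaped into a double-quoted attribute) and a detection check for stored config values that goes beyond a substring LIKE query. The `<input name="ChurchName">` template, the config row names and the benign value are constructed for the example; the payload is the one quoted in this advisory.

```python
import html
from html.parser import HTMLParser

# Constructed samples: the attribute-breaking payload quoted in the advisory
# and a benign value containing an apostrophe, as a church might really store.
PAYLOAD = '" autofocus onfocus=alert(document.cookie) x="'
BENIGN = "St. Mary's Chapel, 12 Main St."
TEMPLATE_ATTRS = {"type", "name", "value"}  # attributes the template itself emits

def render_unsafe(value: str) -> str:
    # Pre-7.1.0 pattern: write-time filtering leaves quotes intact and the page
    # drops the stored value straight into a double-quoted attribute.
    return f'<input type="text" name="ChurchName" value="{value}">'

def render_safe(value: str) -> str:
    # Attribute-safe output encoding: html.escape(quote=True) encodes " as &quot;
    # (same idea as PHP's htmlspecialchars with ENT_QUOTES), so the browser keeps
    # the whole value inside the attribute instead of starting new attributes.
    return f'<input type="text" name="ChurchName" value="{html.escape(value, quote=True)}">'

class _FirstTag(HTMLParser):
    # Records the attributes of the first start tag as a browser would tokenize them.
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)

def parsed_attrs(markup: str) -> dict:
    p = _FirstTag()
    p.feed(markup)
    p.close()
    return p.attrs or {}

def has_event_handler(markup: str) -> bool:
    # Attribute names are lowercased by the parser, so onFocus and onfocus both match.
    return any(name.startswith("on") for name in parsed_attrs(markup))

def breaks_out_of_attribute(value: str) -> bool:
    # Detection check for a stored config value: render it unescaped into one
    # attribute and see whether the parser ends up with extra attributes or an
    # on* handler. Unlike a LIKE '%onfocus=%' query this is not fooled by case
    # or spacing differences, because it reuses the HTML tokenizer's rules.
    attrs = parsed_attrs(render_unsafe(value))
    return set(attrs) != TEMPLATE_ATTRS or any(n.startswith("on") for n in attrs)

def scan_config(rows):
    # rows: iterable of (config_name, config_value) pairs pulled from the config table.
    return [name for name, value in rows if breaks_out_of_attribute(value)]
```

The contrast to look at is `parsed_attrs(render_unsafe(PAYLOAD))`, where the stored value is cut to an empty string and an `onfocus` attribute appears, versus `parsed_attrs(render_safe(PAYLOAD))`, where the browser sees the entire payload as inert attribute text.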
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade ChurchCRM to version 7.1.0 or later, where this stored cross-site scripting vulnerability has been fixed.
Until the upgrade can be performed, restrict administrative access to trusted users only, as the vulnerability requires high privileges and user interaction.
Avoid entering untrusted or suspicious input into configuration fields that are rendered in HTML attributes.
Consider reviewing and sanitizing existing configuration values to remove any malicious payloads.