CVE-2026-39336
Received Received - Intake
Stored XSS in ChurchCRM Config Fields Allows Admin Abuse

Publication date: 2026-04-07

Last updated on: 2026-04-10

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered into address fields, and external self-registration form defaults. This is primarily an admin-to-admin stored XSS path where writable configuration fields are abused. This vulnerability is fixed in 7.1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39336
EUVD
EUVD-2026-19833
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
churchcrm churchcrm to 7.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability is a stored cross-site scripting (XSS) issue that allows script execution in privileged admin sessions, potentially leading to unauthorized access to sensitive information.

Because the vulnerability can compromise confidentiality and integrity of data within the ChurchCRM system, it may impact compliance with standards and regulations such as GDPR and HIPAA that require protection of personal and sensitive data.

Specifically, the high confidentiality and integrity impact indicated by the CVSS score suggests that personal data could be exposed or altered, which would violate data protection requirements under these regulations.

Executive Summary

CVE-2026-39336 is a stored cross-site scripting (XSS) vulnerability in ChurchCRM versions prior to 7.1.0. It occurs because certain configuration values, which can be set by an authenticated admin, are stored and later rendered directly inside HTML attribute contexts without proper escaping. This improper handling allows malicious JavaScript code to be injected and executed when another admin views affected pages.

The vulnerability arises from a context mismatch where input filtering or sanitization is applied on write, but output is rendered in HTML attributes without appropriate attribute-safe encoding. This allows attackers to break out of HTML attributes and inject executable event handlers, such as using payloads like " autofocus onfocus=alert(document.cookie) x=", which can trigger script execution.

Affected areas include Directory Reports form fields, Person editor address fields, and external self-registration form defaults. Exploitation requires an authenticated admin to input malicious payloads into writable configuration fields, which then execute when viewed by other admins.

Impact Analysis

This vulnerability allows an attacker with admin privileges to inject malicious scripts that execute in the browsers of other admin users. This can lead to the theft of sensitive information such as session cookies, unauthorized actions performed on behalf of other admins, and potential compromise of the administrative interface.

Because the attack requires high privileges and user interaction (an admin viewing the affected pages), the risk is primarily an admin-to-admin attack vector. However, the impact on confidentiality and integrity is high, as attackers can hijack sessions or manipulate data within the system.

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious stored cross-site scripting payloads in the configuration fields of ChurchCRM prior to version 7.1.0. Specifically, look for suspicious attribute-breaking payloads such as " autofocus onfocus=alert(document.cookie) x=" in configuration fields like Church Name, Street Address, City, State, Zip, Phone, or default state and city fields.

Detection involves inspecting the database or configuration files for these payloads and verifying if the application renders these values without proper escaping in the affected pages: DirectoryReports.php, PersonEditor.php, and family-register.php.

Suggested commands include querying the database for suspicious strings in configuration fields. For example, if using MySQL, you might run commands like:

  • SELECT * FROM system_config WHERE value LIKE '%onfocus=%';
  • SELECT * FROM system_config WHERE value LIKE '%autofocus%';

Additionally, manual testing by an authenticated admin can be performed by inputting known payloads into configuration fields and observing if the payload executes when visiting the affected pages.

Mitigation Strategies

The immediate mitigation step is to upgrade ChurchCRM to version 7.1.0 or later, where this stored cross-site scripting vulnerability has been fixed.

Until the upgrade can be performed, restrict administrative access to trusted users only, as the vulnerability requires high privileges and user interaction.

Avoid entering untrusted or suspicious input into configuration fields that are rendered in HTML attributes.

Consider reviewing and sanitizing existing configuration values to remove any malicious payloads.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39336. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart