CVE-2026-39338
Blind Reflected XSS in ChurchCRM Dashboard Causes Code Execution

Publication date: 2026-04-07

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM dashboard. The application fails to sanitize or encode user-supplied input prior to rendering it within the browser's DOM. Although the application ultimately returns an HTTP 500 error due to the malformed API request caused by the payload, the browser's JavaScript engine parses and executes the injected <script> tags before the error response is returned, resulting in successful code execution regardless of the server-side error. This vulnerability is fixed in 7.1.0.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-15
Generated: 2026-05-06
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor      Product      Version / Range
churchcrm   churchcrm    up to and including 7.0.5
CWE ID      Description
CWE-1004    The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
CWE-79      The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39338 is a Blind Reflected Cross-Site Scripting (XSS) vulnerability found in ChurchCRM versions prior to 7.1.0, specifically in the global search functionality on the dashboard.

The vulnerability occurs because the application fails to properly sanitize or encode user-supplied input in the searchTerm parameter before rendering it in the browser's Document Object Model (DOM).

Although the server returns an HTTP 500 error due to the malformed request caused by the injected payload, the browser's JavaScript engine still parses and executes the injected script tags before the error response is returned, resulting in successful code execution.

Additionally, the session cookie lacks the HttpOnly flag, allowing the injected malicious script to access and exfiltrate the administrator's session cookie via JavaScript.

Exploitation requires an attacker to deliver a crafted URL containing malicious script code to an authenticated administrator, who triggers the payload by visiting the URL or using the search bar.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows attackers to hijack administrator sessions and access sensitive data, including Personally Identifiable Information (PII) of church members, financial and donation records, and administrative controls.

Such unauthorized access and potential data exfiltration can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over personal data confidentiality, integrity, and access.

Failure to properly sanitize input and secure session cookies increases the risk of data breaches, which can result in non-compliance with these standards and possible legal and financial consequences.


How can this vulnerability impact me?

This vulnerability can have severe impacts, including full administrator session hijacking without needing the administrator's credentials.

  • Attackers can access and export all church member Personally Identifiable Information (PII).
  • Attackers can view, modify, or delete financial and donation records.
  • Attackers can create new administrative accounts to maintain persistent access.
  • Attackers may pivot to other infrastructure if the CRM is networked.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the global search functionality on the ChurchCRM dashboard for improper input sanitization in the `searchTerm` parameter. Specifically, you can attempt to inject a script payload into the search parameter and observe whether the injected JavaScript executes in the browser despite an HTTP 500 error response.

A practical detection method involves crafting a URL with a script payload in the `searchTerm` parameter and monitoring if the script executes or if any suspicious outbound requests are made from the browser.

Example command to send a crafted request and print the raw response (replace [TARGET_IP] with your server IP):

  • curl "http://[TARGET_IP]/churchcrm/PersonSearch.php?searchTerm=<script>alert('XSS')</script>" -i

curl does not execute scripts, so check whether the response body reflects the payload unencoded. If it does, or if the alert box appears when the same URL is opened in a browser despite the HTTP 500 error, the vulnerability is present.

Additionally, monitoring network traffic for unexpected outbound HTTP requests from administrator browsers to unknown external servers (which could be exfiltration attempts) can help detect exploitation attempts.
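As an added example (not from this advisory or from ChurchCRM), a Python script that scans web-server access logs for the pattern described above: requests whose `searchTerm` parameter carries markup, including percent-encoded and double-encoded forms, recording the source IP and the HTTP status so the 500 responses the advisory mentions can be correlated. The log lines are constructed for the example; the `/churchcrm/PersonSearch.php` path is the one used in the curl command above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (combined log format) for this example; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Apr/2026:10:01:11 +0000] "GET /churchcrm/PersonSearch.php?searchTerm=smith HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Apr/2026:10:02:30 +0000] "GET /churchcrm/PersonSearch.php?searchTerm=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Apr/2026:10:03:05 +0000] "GET /churchcrm/PersonSearch.php?searchTerm=%253Cimg%2520src%3Dx%2520onerror%3Dalert(2)%253E HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.4 - - [07/Apr/2026:10:04:40 +0000] "GET /churchcrm/PersonSearch.php?searchTerm=O%27Brien HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identity, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Markup that has no place in a name search: an HTML tag, an on* event handler, a javascript: URL.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:', re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded payload is inspected in the clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_search_requests(log_text, param="searchTerm"):
    """Return one record per request whose search parameter contains markup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line; skip rather than crash
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for raw in query.get(param, []):  # parse_qs already removed one encoding layer
            term = fully_decode(raw)
            if MARKUP_RE.search(term):
                hits.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]), "term": term})
    return hits


if __name__ == "__main__":
    for hit in suspicious_search_requests(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} status={hit["status"]} searchTerm={hit["term"]!r}')
```

Point the script at the real access log of the ChurchCRM host to review past requests; a 500 response paired with a flagged search term is the signature the advisory describes.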


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation steps include upgrading ChurchCRM to version 7.1.0 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, consider the following temporary mitigations:

  • Restrict access to the ChurchCRM dashboard to trusted networks or VPNs to reduce exposure.
  • Instruct administrators to avoid clicking on untrusted or suspicious URLs containing search parameters.
  • Implement web application firewall (WAF) rules to detect and block requests containing suspicious script tags in the `searchTerm` parameter.
  • Configure session cookies to include the HttpOnly flag to prevent client-side scripts from accessing session tokens.
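Added example, not part of this advisory or of ChurchCRM: a Python check for the last mitigation, run against the raw response headers that `curl -i` prints, reporting every Set-Cookie header that lacks HttpOnly, Secure, or a Lax/Strict SameSite attribute. The PHPSESSID cookie name and the two header blocks are constructed assumptions for the example; the real cookie name may differ.

```python
# Constructed response header blocks (what `curl -i` prints) for a session cookie before
# and after hardening. The PHPSESSID name is assumed; ChurchCRM's actual name may differ.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PHPSESSID=c0nstructed; Path=/\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PHPSESSID=c0nstructed; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "\r\n"
)


def set_cookie_headers(raw_headers):
    """Return the value of every Set-Cookie header in a raw HTTP header block."""
    header_lines = raw_headers.split("\r\n\r\n", 1)[0].split("\r\n")[1:]  # drop status line
    return [h.split(":", 1)[1].strip() for h in header_lines if h.lower().startswith("set-cookie:")]


def audit_cookie(set_cookie_value):
    """List the protections a cookie is missing: readable by script (no HttpOnly),
    sent over plain HTTP (no Secure), or attached to cross-site requests (no SameSite)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    missing = [flag for flag in ("httponly", "secure") if flag not in attrs]
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("samesite=lax|strict")
    return {"cookie": name, "missing": missing}


def audit_response(raw_headers):
    """Audit every cookie a response sets; an empty 'missing' list means it is hardened."""
    return [audit_cookie(value) for value in set_cookie_headers(raw_headers)]


if __name__ == "__main__":
    for label, block in (("before", WEAK_RESPONSE), ("after", HARDENED_RESPONSE)):
        print(label, audit_response(block))
```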
