CVE-2026-39338
Received Received - Intake
Blind Reflected XSS in ChurchCRM Dashboard Causes Code Execution

Publication date: 2026-04-07

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM dashboard. The application fails to sanitize or encode user-supplied input prior to rendering it within the browser's DOM. Although the application ultimately returns an HTTP 500 error due to the malformed API request caused by the payload, the browser's JavaScript engine parses and executes the injected <script> tags before the error response is returned β€” resulting in successful code execution regardless of the server-side error. This vulnerability is fixed in 7.1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-14
NVD
CVE-2026-39338
EUVD
EUVD-2026-19837
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
churchcrm churchcrm to 7.0.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1004 The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows attackers to hijack administrator sessions and access sensitive data, including Personally Identifiable Information (PII) of church members, financial and donation records, and administrative controls.

Such unauthorized access and potential data exfiltration can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over personal data confidentiality, integrity, and access.

Failure to properly sanitize input and secure session cookies increases the risk of data breaches, which can result in non-compliance with these standards and possible legal and financial consequences.

Executive Summary

CVE-2026-39338 is a Blind Reflected Cross-Site Scripting (XSS) vulnerability found in ChurchCRM versions prior to 7.1.0, specifically in the global search functionality on the dashboard.

The vulnerability occurs because the application fails to properly sanitize or encode user-supplied input in the searchTerm parameter before rendering it in the browser's Document Object Model (DOM).

Although the server returns an HTTP 500 error due to the malformed request caused by the injected payload, the browser's JavaScript engine still parses and executes the injected script tags before the error response is returned, resulting in successful code execution.

Additionally, the session cookie lacks the HttpOnly flag, allowing the injected malicious script to access and exfiltrate the administrator's session cookie via JavaScript.

Exploitation requires an attacker to deliver a crafted URL containing malicious script code to an authenticated administrator, who triggers the payload by visiting the URL or using the search bar.

Impact Analysis

This vulnerability can have severe impacts including full administrator session hijacking without needing the administrator's credentials.

  • Attackers can access and export all church member Personally Identifiable Information (PII).
  • Attackers can view, modify, or delete financial and donation records.
  • Attackers can create new administrative accounts to maintain persistent access.
  • Attackers may pivot to other infrastructure if the CRM is networked.
Detection Guidance

This vulnerability can be detected by testing the global search functionality on the ChurchCRM dashboard for improper input sanitization in the `searchTerm` parameter. Specifically, you can attempt to inject a script payload into the search parameter and observe if the injected JavaScript executes in the browser despite an HTTP 500 error response.

A practical detection method involves crafting a URL with a script payload in the `searchTerm` parameter and monitoring if the script executes or if any suspicious outbound requests are made from the browser.

Example command to test the vulnerability by sending a crafted request (replace [TARGET_IP] with your server IP):

  • curl "http://[TARGET_IP]/churchcrm/PersonSearch.php?searchTerm=<script>alert('XSS')</script>" -i

If the alert box appears in the browser or if the injected script executes despite an HTTP 500 error, the vulnerability is present.

Additionally, monitoring network traffic for unexpected outbound HTTP requests from administrator browsers to unknown external servers (which could be exfiltration attempts) can help detect exploitation attempts.

Mitigation Strategies

The immediate mitigation steps include upgrading ChurchCRM to version 7.1.0 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, consider the following temporary mitigations:

  • Restrict access to the ChurchCRM dashboard to trusted networks or VPNs to reduce exposure.
  • Instruct administrators to avoid clicking on untrusted or suspicious URLs containing search parameters.
  • Implement web application firewall (WAF) rules to detect and block requests containing suspicious script tags in the `searchTerm` parameter.
  • Configure session cookies to include the HttpOnly flag to prevent client-side scripts from accessing session tokens.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39338. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart