CVE-2026-39344
Received Received - Intake
Reflected XSS in ChurchCRM Login Page Allows Data Theft

Publication date: 2026-04-07

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting (XSS) vulnerability on the login page, which is caused by the lack of sanitization or encoding of the username parameter received from the URL. The username parameter value is directly displayed in the login page input element without filter, allowing attackers to insert malicious JavaScript scripts. If successful, script can be executed on the client side, potentially stealing sensitive data such as session cookies or replacing the display to show the attacker's login form. This vulnerability is fixed in 7.1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39344
EUVD
EUVD-2026-19849
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
churchcrm churchcrm to 7.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39344 is a Reflected Cross-Site Scripting (XSS) vulnerability in the ChurchCRM application affecting the login page. It occurs because the 'username' parameter from the URL is directly inserted into the login page's username input field without any sanitization or encoding.

This lack of filtering allows attackers to inject malicious JavaScript code that executes in the victim's browser when they visit the crafted URL.

For example, an attacker can craft a URL with a script tag in the username parameter that triggers an alert or loads an external malicious script.

Impact Analysis

If exploited, this vulnerability allows attackers to execute arbitrary JavaScript in the context of the victim's browser.

  • Steal sensitive information such as session cookies, which can lead to session hijacking.
  • Manipulate the login page display to show a fake login form, potentially capturing user credentials.

The vulnerability has a high severity rating with a CVSS v3 base score of 8.1, indicating significant risk.

Detection Guidance

This vulnerability can be detected by testing the login page of ChurchCRM for reflected Cross-Site Scripting (XSS) via the 'username' URL parameter.

A simple detection method is to craft a URL with a script injection payload in the username parameter and observe if the script executes in the browser.

  • Example test URL: https://your-churchcrm-domain/session/begin?username=\"><script>alert(1)</script>

If the alert box appears when visiting this URL, the vulnerability is present.

For automated scanning, tools like OWASP ZAP or Burp Suite can be used to scan the login page for reflected XSS vulnerabilities by injecting payloads into the username parameter.

Mitigation Strategies

The immediate mitigation step is to upgrade ChurchCRM to version 7.1.0 or later, where this vulnerability has been fixed.

If upgrading is not immediately possible, consider implementing web application firewall (WAF) rules to block requests containing suspicious script tags in the username parameter.

Additionally, educate users to avoid clicking on suspicious links that include crafted username parameters.

Long-term mitigation involves ensuring proper input sanitization and output encoding in the application code to prevent script injection.

Compliance Impact

The Reflected Cross-Site Scripting (XSS) vulnerability in ChurchCRM allows attackers to execute arbitrary JavaScript in the victim's browser, potentially stealing sensitive data such as session cookies and capturing credentials.

Such unauthorized access to sensitive information can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and breaches.

Therefore, this vulnerability poses a risk to compliance with these standards by exposing user data to theft and misuse if exploited.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39344. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart