CVE-2026-39344
Reflected XSS in ChurchCRM Login Page Allows Data Theft
Publication date: 2026-04-07
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | before 7.1.0 (7.1.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The Reflected Cross-Site Scripting (XSS) vulnerability in ChurchCRM allows attackers to execute arbitrary JavaScript in the victim's browser, potentially stealing sensitive data such as session cookies and capturing credentials.
Such unauthorized access to sensitive information can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and breaches.
Therefore, this vulnerability poses a risk to compliance with these standards by exposing user data to theft and misuse if exploited.
Can you explain this vulnerability to me?
CVE-2026-39344 is a Reflected Cross-Site Scripting (XSS) vulnerability in the ChurchCRM application affecting the login page. It occurs because the 'username' parameter from the URL is directly inserted into the login page's username input field without any sanitization or encoding.
This lack of filtering allows attackers to inject malicious JavaScript code that executes in the victim's browser when they visit the crafted URL.
For example, an attacker can craft a URL with a script tag in the username parameter that triggers an alert or loads an external malicious script.
How can this vulnerability impact me?
If exploited, this vulnerability allows attackers to execute arbitrary JavaScript in the context of the victim's browser, which they could use to:
- Steal sensitive information such as session cookies, which can lead to session hijacking.
- Manipulate the login page display to show a fake login form, potentially capturing user credentials.
The vulnerability has a high severity rating with a CVSS v3 base score of 8.1, indicating significant risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the login page of ChurchCRM for reflected Cross-Site Scripting (XSS) via the 'username' URL parameter.
A simple detection method is to craft a URL with a script injection payload in the username parameter and observe if the script executes in the browser.
- Example test URL: https://your-churchcrm-domain/session/begin?username="><script>alert(1)</script>
If the alert box appears when visiting this URL, the vulnerability is present.
For automated scanning, tools like OWASP ZAP or Burp Suite can be used to scan the login page for reflected XSS vulnerabilities by injecting payloads into the username parameter.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade ChurchCRM to version 7.1.0 or later, where this vulnerability has been fixed.
If upgrading is not immediately possible, consider implementing web application firewall (WAF) rules to block requests containing suspicious script tags in the username parameter.
Additionally, educate users to avoid clicking on suspicious links that include crafted username parameters.
Long-term mitigation involves ensuring proper input sanitization and output encoding in the application code to prevent script injection.
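As an added illustration (Python, not ChurchCRM's PHP code; the login template, the `churchcrm.example` URL and the helper names are constructed here), this shows the rendering pattern the advisory describes beside the attribute-encoded form that the long-term mitigation calls for, with a parser check of which elements each version actually creates:

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed request using the payload shape quoted in the advisory above.
TEST_URL = 'https://churchcrm.example/session/begin?username="><script>alert(1)</script>'

def username_from_url(url):
    """Pull the 'username' query parameter out of a login-page URL."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("username", [""])[0]

def render_login_vulnerable(username):
    """Pattern the advisory describes: the parameter is concatenated straight
    into the value attribute, so a leading quote closes the attribute and the
    remainder is parsed as markup."""
    return f'<input type="text" name="username" value="{username}">'

def render_login_fixed(username):
    """Contextual output encoding for an HTML attribute: quote=True turns the
    double quote into &quot; and angle brackets into &lt;/&gt;, so the whole
    parameter stays inside the attribute and creates no element."""
    return f'<input type="text" name="username" value="{html.escape(username, quote=True)}">'

class _Probe(HTMLParser):
    """Records what a browser-like parser builds from the fragment."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.username_value = None
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input" and ("name", "username") in attrs:
            self.username_value = dict(attrs).get("value")

def parse_fragment(fragment):
    """Return (element names created, value the username field ends up with)."""
    probe = _Probe()
    probe.feed(fragment)
    probe.close()
    return probe.tags, probe.username_value

if __name__ == "__main__":
    supplied = username_from_url(TEST_URL)
    print(parse_fragment(render_login_vulnerable(supplied)))  # (['input', 'script'], '')
    print(parse_fragment(render_login_fixed(supplied)))       # (['input'], '"><script>alert(1)</script>')
```

The encoded version keeps the user's text intact as the field value (encoding, not stripping), while a benign username renders identically in both versions.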