PT-2026-30967 · Churchcrm · Churchcrm
Pikpikcu +1
Published 2026-04-07 · Updated 2026-04-07
CVE-2026-39344
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
ChurchCRM versions prior to 7.1.0
Description
ChurchCRM, an open-source church management system, has a reflected cross-site scripting (XSS) issue on the login page, caused by insufficient sanitization or encoding of the username parameter received from the URL. The value of the username parameter is written directly into the login page's input element without filtering, so an attacker can inject JavaScript into the page. Successful exploitation executes the script in the victim's browser, potentially compromising sensitive data such as session cookies or redirecting the user to a malicious login form.

Recommendations
Update to version 7.1.0 or later.
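The defect and the fix the advisory describes, as an added illustration that is not ChurchCRM's own code: a login form that echoes the `username` query parameter into the input's value attribute, first without encoding (the behaviour reported above) and then with HTML-attribute encoding, plus a parser-based check a reviewer can run against either version. The template, the function names and the probe string are constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed template: the login page pre-fills the username field from the
# "username" query parameter so the user does not have to retype it.
TEMPLATE = '<input type="text" name="username" value="{username}">'

# Harmless marker containing a double quote and angle brackets. If it is echoed
# without attribute encoding it terminates the value attribute and the tag.
PROBE = '"><i>probe</i>'


def render_login_vulnerable(username: str) -> str:
    """'Before' behaviour: the raw parameter is interpolated with no encoding."""
    return TEMPLATE.format(username=username)


def render_login_fixed(username: str) -> str:
    """Hardened form: HTML-attribute encoding; quote=True also escapes ' and "."""
    return TEMPLATE.format(username=html.escape(username, quote=True))


class TagCollector(HTMLParser):
    """Collects every start tag the browser-like parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def reflects_unsafely(render) -> bool:
    """Defender's check: render the probe and see whether it stays inside the
    value attribute. Any extra tag or attribute, or a value that does not round
    trip, means the parameter was echoed without attribute encoding."""
    tags = parse_tags(render(PROBE))
    if len(tags) != 1:
        return True
    tag, attrs = tags[0]
    return tag != "input" or attrs.get("value") != PROBE or set(attrs) != {"type", "name", "value"}
```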
Exploit
Fix
XSS
Affected Products
Churchcrm