Vulnerability Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting (XSS) vulnerability on the login page, which is caused by the lack of sanitization or encoding of the username parameter received from the URL. The username parameter value is directly displayed in the login page input element without filter, allowing attackers to insert malicious JavaScript scripts. If successful, script can be executed on the client side, potentially stealing sensitive data such as session cookies or replacing the display to show the attacker's login form. This vulnerability is fixed in 7.1.0.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Churchcrm | Churchcrm | < 7.1.0 |
Related Weaknesses (CWE)
References
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-rx8c-j7x8-w3hjThird Party Advisory
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-rx8c-j7x8-w3hjThird Party Advisory
FAQ
What is CVE-2026-39344?
CVE-2026-39344 is a vulnerability with a CVSS score of 8.1 (HIGH). ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting (XSS) vulnerability on the login page, which is caused by the lack of sanitization or en...
How severe is CVE-2026-39344?
CVE-2026-39344 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-39344?
Check the references section above for vendor advisories and patch information. Affected products include: Churchcrm Churchcrm.