Stored Cross-Site Scripting in ChurchCRM Affects User Profiles
CVE-2026-39328

8.9 HIGH

Key Information:

Vendor: ChurchCRM
Status: Vendor
CVE Published: 7 April 2026

What is CVE-2026-39328?

ChurchCRM, an open-source church management system, has a stored cross-site scripting vulnerability in its person profile editing feature. Non-administrative users holding the EditSelf permission can inject malicious JavaScript into their own social media profile fields (Facebook, LinkedIn and X). Each field is limited to 50 characters, but that limit is not a control: a payload can be split across the three fields and the pieces chained through their onfocus event handlers. When other users, including administrators, view the compromised profile, their session cookies could be sent to a remote server. The issue has been addressed in version 7.1.0.
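The defensive pattern for fields like these, as an added example that is not ChurchCRM's own code: input is restricted to an allow-listed handle and output is encoded for the HTML attribute context, with a check that the rendered markup gained no event-handler attribute. Written in Python to model the logic; the handle pattern, the 50-character cap and the field names are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Assumed policy, not ChurchCRM's actual rules: a social handle is letters,
# digits, dot, underscore or hyphen, at most 50 characters.  The length cap
# alone does not help (a payload can be split across fields); the allow-list
# is what keeps quotes, spaces and angle brackets out of the stored value.
HANDLE_RE = re.compile(r"[A-Za-z0-9._-]{1,50}")
SOCIAL_FIELDS = ("facebook", "linkedin", "twitter")  # field names assumed


def validate_profile(fields: dict):
    """Return (accepted, rejected) for the submitted social-media fields."""
    accepted, rejected = {}, []
    for name in SOCIAL_FIELDS:
        value = fields.get(name, "")
        if value == "" or HANDLE_RE.fullmatch(value):
            accepted[name] = value
        else:
            rejected.append(name)
    return accepted, rejected


def render_field_unsafe(name: str, value: str) -> str:
    # Vulnerable pattern: the stored value is interpolated raw into an attribute.
    return f'<input name="{name}" value="{value}">'


def render_field_safe(name: str, value: str) -> str:
    # Hardened pattern: encode for the attribute context, quotes included, so the
    # stored text can never close value="" and introduce new attributes.
    return f'<input name="{name}" value="{html.escape(value, quote=True)}">'


class _InputAttrs(HTMLParser):
    """Collect the attribute names a browser would see on the <input> tag."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.names.extend(name for name, _ in attrs)


def has_event_handler(rendered: str) -> bool:
    """Detection check on emitted markup: did a stored value produce an on* attribute?"""
    parser = _InputAttrs()
    parser.feed(rendered)
    return any(name.startswith("on") for name in parser.names)
```

Run `has_event_handler` over the profile page a template actually emits; it is the rendered output, not the stored string, that tells you whether the encoding is in the right context.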

Affected Version(s)

ChurchCRM < 7.1.0

CVSS v3.1

Score: 8.9
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved