Reflected XSS Vulnerability in ChurchCRM Open-Source Church Management System
CVE-2026-39333

8.7 HIGH

Key Information:

Vendor: Churchcrm
Status: Vendor
CVE Published: 7 April 2026

What is CVE-2026-39333?

ChurchCRM, an open-source church management system, contains a reflected cross-site scripting (XSS) vulnerability in the FindFundRaiser.php endpoint. The DateStart and DateEnd request parameters are reflected into HTML input fields without adequate output encoding, so an authenticated attacker can craft a URL whose parameter values carry injected markup. Arbitrary JavaScript then executes in the browser of any other authenticated user who opens that crafted URL. The issue has been addressed and resolved in version 7.1.0.
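As an added illustration in PHP (the project's language), not ChurchCRM's own code, the reflection pattern the advisory describes and its hardened form; the function names and the YYYY-MM-DD date format are assumptions made for this example:

```php
<?php
// Added illustration, not ChurchCRM's code: a reflected date parameter rendered
// into an <input value="..."> attribute, first as the advisory describes the
// flaw (no output encoding), then hardened. Function and variable names are
// assumptions chosen for this example.

declare(strict_types=1);

// Vulnerable pattern: the raw query value is echoed inside a quoted attribute.
// A value containing a double quote closes the attribute, and whatever follows
// is interpreted as markup by the browser of the user viewing the page.
function renderDateInputVulnerable(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern, part 1: encode for the HTML attribute context.
// ENT_QUOTES escapes both " and ', ENT_SUBSTITUTE avoids returning an empty
// string on invalid UTF-8, and the charset is stated explicitly.
function renderDateInputHardened(string $name, string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $safe . '">';
}

// Hardened pattern, part 2: validate before reflecting. A date field only ever
// needs to carry a date, so anything that does not round-trip as YYYY-MM-DD
// (including calendar-invalid dates such as 2026-02-30) becomes an empty string
// instead of being echoed back.
function normaliseDateParam(?string $raw): string
{
    if ($raw === null) {
        return '';
    }
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    if ($dt === false || $dt->format('Y-m-d') !== $raw) {
        return '';
    }
    return $dt->format('Y-m-d');
}

// Usage as a page would do it: read the parameters, validate, then encode.
$dateStart = normaliseDateParam($_GET['DateStart'] ?? null);
$dateEnd   = normaliseDateParam($_GET['DateEnd'] ?? null);
echo renderDateInputHardened('DateStart', $dateStart), "\n";
echo renderDateInputHardened('DateEnd', $dateEnd), "\n";
```

Validation and encoding are independent layers: the encoding alone stops the attribute break-out, and the format check additionally keeps unexpected input from ever reaching the template.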

Affected Version(s)

ChurchCRM < 7.1.0

CVSS V3.1

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved