Cross-Site Scripting Vulnerability in ChurchCRM by ChurchCRM
CVE-2026-58411

7HIGH

Key Information:

Vendor

Churchcrm

Status
Vendor
CVE Published:
13 July 2026

What is CVE-2026-58411?

ChurchCRM, an open-source church management system, is susceptible to Cross-Site Scripting (XSS) vulnerabilities prior to version 7.4.0. This flaw arises from inadequate output encoding for user-controlled input, allowing attackers to inject malicious scripts into JavaScript contexts and HTML attributes. Key affected endpoints include /FamilyCustomFieldsEditor.php and /admin/system/church-info. Exploiting this vulnerability could enable session-token theft, unauthorized account access, and unauthorized actions on behalf of authenticated users. Additionally, sensitive church member information may be exposed, leading to potential credential harvesting and phishing attacks, especially against administrative accounts. Users are encouraged to upgrade to version 7.4.0, where this issue has been addressed.

Affected Version(s)

CRM < 7.4.0

References

CVSS V4

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.