Cross-Site Scripting Vulnerability in ChurchCRM by ChurchCRM
CVE-2026-58411
What is CVE-2026-58411?
ChurchCRM, an open-source church management system, is susceptible to Cross-Site Scripting (XSS) vulnerabilities prior to version 7.4.0. This flaw arises from inadequate output encoding for user-controlled input, allowing attackers to inject malicious scripts into JavaScript contexts and HTML attributes. Key affected endpoints include /FamilyCustomFieldsEditor.php and /admin/system/church-info. Exploiting this vulnerability could enable session-token theft, unauthorized account access, and unauthorized actions on behalf of authenticated users. Additionally, sensitive church member information may be exposed, leading to potential credential harvesting and phishing attacks, especially against administrative accounts. Users are encouraged to upgrade to version 7.4.0, where this issue has been addressed.
Affected Version(s)
CRM < 7.4.0
