CVE-2026-32880

ChurchCRM is vulnerable to Stored XSS through JSON handling in SystemSettings.php

Description

ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in SystemSettings.php, leading to XSS. This issue has been fixed in version 7.0.2.

INFO

Published Date :

2026-03-20T01:04:08.408Z

Last Modified :

2026-03-20T14:41:30.274Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-32880 vulnerability.

Vendors	Products
Churchcrm	Churchcrm

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32880.

URL	Resource
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-7gq6-xmpx-qc7c

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact