Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, and X profile fields. Due to a 50-character field limit, the payload is distributed across all three fields and chains their onfocus event handlers to execute in sequence. When any user, including administrators, views the attacker's profile, their session cookies are exfiltrated to a remote server. This vulnerability is fixed in 7.1.0.

INFO

Published Date :

2026-04-07T17:32:41.364Z

Last Modified :

2026-04-09T15:50:07.852Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-39328 vulnerability.

Vendors Products
Churchcrm
  • Churchcrm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39328.

URL Resource
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-fcp5-pwvj-v7xm cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact