CVE-2026-32880

Description

ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in SystemSettings.php, leading to XSS. This issue has been fixed in version 7.0.2.

CVSS Details

CVSS Score

6.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:* - VULNERABLE

ChurchCRM < 7.0.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

{
  "SystemSettingName": "<script>alert('XSS via ChurchCRM JSON Settings');</script>",
  "description": "Payload to be stored in JSON system settings"
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-32880
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-32880
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-32880/
[4] VulDB https://vuldb.com/cve/CVE-2026-32880
[5] https://github.com/ChurchCRM/CRM/security/advisories/GHSA-7gq6-xmpx-qc7c
[6] https://github.com/ChurchCRM/CRM/security/advisories/GHSA-7gq6-xmpx-qc7c

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-32880", "sourceIdentifier": "[email protected]", "published": "2026-03-20T02:16:36.067", "lastModified": "2026-03-23T15:29:56.827", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in SystemSettings.php, leading to XSS. This issue has been fixed in version 7.0.2."}, {"lang": "es", "value": "ChurchCRM es un sistema de gestión de iglesias de código abierto. Las versiones anteriores a la 7.0.2 permiten a un usuario administrador editar la configuración del sistema de tipo JSON para almacenar una carga útil de JavaScript que puede ejecutarse cuando cualquier administrador ve la configuración del sistema. La entrada JSON se deja sin escapar/sanear en SystemSettings.PHP, lo que lleva a XSS. Este problema ha sido solucionado en la versión 7.0.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 0.9, "impactScore": 5.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.0.2", "matchCriteriaId": "836ADAC7-F783-494E-8050-B7D4DB6AC05C"}]}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-7gq6-xmpx-qc7c", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-7gq6-xmpx-qc7c", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}