Home / Vulnerability Intelligence / CVE-2026-39335

CVE-2026-39335 - Vulnerability Analysis

MediumCVSS: 6.1

Last Updated: April 9, 2026

ChurchCRM - Stored XSS

Published: April 7, 2026Updated: April 9, 2026PoC AvailableRemote Exploitable

Overview

ChurchCRM < 7.1.1 contains a stored XSS caused by improper sanitization in group remove control and family editor state/country fields, letting admin users execute scripts, exploit requires admin privileges.

Severity & Score

Severity: Medium

CVSS Score: 6.1

Impact

Admin attackers can execute persistent scripts, potentially leading to session hijacking or admin account compromise.

Mitigation

Upgrade to version 7.1.1 or later.

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44j4-jjw2-wcr6

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-39335
Severity: Medium
CVSS Score: 6.1
Type: stored_xss
Status: confirmed

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N