CVE-2026-24855 is a stored Cross-Site Scripting (XSS) vulnerability identified in ChurchCRM, an open-source church management system. The vulnerability exists in versions prior to 6.7.2 within the Create Events functionality of the Church Calendar module. Specifically, the Description field does not properly neutralize user input, allowing an attacker with low-level privileges to inject malicious JavaScript payloads. These payloads are stored persistently in the backend database. When other users, including administrators, access the affected event, the malicious script executes in their browsers. This can lead to session hijacking, credential theft, or full account takeover, compromising confidentiality and integrity of user accounts. The vulnerability is classified under CWE-79, indicating improper input sanitization during web page generation. The CVSS 4.0 base score is 7.2, reflecting network attack vector, low attack complexity, no privileges required beyond low-level user access, and no user interaction needed beyond viewing the event. The scope is high as it affects multiple users and can escalate privileges. Although no public exploits have been reported, the vulnerability is critical for organizations relying on ChurchCRM for sensitive data management. The fix is available in version 6.7.2, which properly sanitizes input to prevent script injection.

For European organizations using ChurchCRM, this vulnerability poses a significant risk to user account security and data confidentiality. Religious institutions and community organizations often store sensitive personal information about members, including contact details and event participation. Exploitation could lead to unauthorized access to administrative accounts, enabling attackers to manipulate data, disrupt operations, or exfiltrate sensitive information. The stored XSS nature means that multiple users can be affected once the malicious payload is injected, increasing the attack surface. Additionally, compromised admin accounts could facilitate further attacks within the organization’s network. The impact extends beyond data loss to reputational damage and potential legal consequences under GDPR if personal data is exposed. Given the ease of exploitation by low-privileged users and the lack of required user interaction beyond viewing events, the threat is substantial for organizations that have not updated to the patched version.

European organizations should immediately upgrade ChurchCRM installations to version 6.7.2 or later, where the vulnerability is patched. Until upgrade is possible, implement strict input validation and sanitization on the Description field at the application or web server level to block script tags and suspicious payloads. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of potential XSS payloads. Limit the ability of low-privileged users to create or edit events if feasible, or restrict event visibility to trusted users only. Conduct regular security audits and penetration testing focused on web application input handling. Educate users, especially administrators, about the risks of clicking on suspicious links or viewing untrusted content within the CRM. Monitor logs for unusual activity related to event creation or access. Finally, ensure robust backup and incident response plans are in place to quickly recover from any compromise.