CVE-2026-26059 identifies a cross-site scripting (XSS) vulnerability in ChurchCRM, an open-source church management system. The flaw exists in versions prior to 6.8.2 and stems from improper neutralization of input during web page generation, specifically when an authenticated user with group editing permissions injects JavaScript payloads into group data. When other users view the affected group in the Group View interface, the malicious script executes in their browsers. This vulnerability is classified under CWE-79, indicating improper input sanitization leading to client-side code execution. The attack vector requires authentication with group editing rights but no further privileges, and user interaction is needed to trigger the payload. The CVSS 4.0 score is 2.1, reflecting low severity due to limited impact and exploitation complexity. No known exploits are currently in the wild. The vulnerability could allow attackers to perform actions such as session hijacking, defacement, or phishing within the ChurchCRM application context. The issue was addressed in ChurchCRM version 6.8.2 by implementing proper input sanitization and output encoding to prevent script injection.

The primary impact of this vulnerability is the potential execution of arbitrary JavaScript in the context of ChurchCRM users who view compromised group data. This can lead to session hijacking, unauthorized actions on behalf of users, or the theft of sensitive information accessible through the application interface. Although the vulnerability requires authenticated access with group editing permissions, the risk extends to all users who view the affected groups, potentially compromising their accounts or data integrity. For organizations relying on ChurchCRM for managing sensitive church member information, this could result in privacy breaches and erosion of trust. However, the low CVSS score and requirement for authentication limit the scope and ease of exploitation, reducing the overall risk. No widespread exploitation has been reported, but targeted attacks against specific organizations remain possible.

Organizations should immediately upgrade ChurchCRM to version 6.8.2 or later, where the vulnerability is fixed. Until upgrading, restrict group editing permissions strictly to trusted and trained personnel to minimize the risk of malicious payload injection. Implement additional input validation and output encoding at the application layer if possible, especially for user-generated content displayed in group views. Conduct regular audits of group data to detect suspicious scripts or anomalies. Educate users to be cautious when interacting with group data and report unusual behavior. Employ web application firewalls (WAFs) with rules to detect and block common XSS payloads targeting ChurchCRM. Monitor logs for unusual activity related to group editing and viewing. Finally, maintain a robust patch management process to promptly apply security updates.