CVE-2026-39344: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in ChurchCRM CRM
A reflected Cross-Site Scripting (XSS) vulnerability exists in ChurchCRM versions prior to 7. 1. 0 on the login page. The vulnerability arises because the username parameter from the URL is not sanitized or encoded before being displayed in the login input field. This allows attackers to inject malicious JavaScript that executes in the victim's browser, potentially leading to theft of session cookies or manipulation of the login page display. The issue is fixed in version 7. 1. 0.
AI Analysis
Technical Summary
ChurchCRM, an open-source church management system, had a reflected XSS vulnerability (CVE-2026-39344) in versions before 7.1.0. The vulnerability is due to improper neutralization of script-related HTML tags (CWE-80) and improper input sanitization (CWE-79) on the login page's username parameter. This parameter is directly reflected in the HTML input element without filtering, enabling attackers to inject and execute arbitrary JavaScript in the context of the user's browser session. The vulnerability has a CVSS 3.0 score of 8.1, indicating high severity, with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts confidentiality and integrity but not availability. The vulnerability is resolved in ChurchCRM version 7.1.0.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser when visiting the login page with a crafted URL. This can lead to theft of sensitive information such as session cookies and manipulation of the login interface, potentially facilitating further attacks or credential theft. The vulnerability affects confidentiality and integrity but does not impact availability.
Mitigation Recommendations
This vulnerability is fixed in ChurchCRM version 7.1.0. Users and administrators should upgrade to version 7.1.0 or later to remediate this issue. Since this is not a cloud service, patching the affected software is required. Patch status is confirmed by the vendor advisory stating the fix is included in version 7.1.0.
CVE-2026-39344: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in ChurchCRM CRM
Description
A reflected Cross-Site Scripting (XSS) vulnerability exists in ChurchCRM versions prior to 7. 1. 0 on the login page. The vulnerability arises because the username parameter from the URL is not sanitized or encoded before being displayed in the login input field. This allows attackers to inject malicious JavaScript that executes in the victim's browser, potentially leading to theft of session cookies or manipulation of the login page display. The issue is fixed in version 7. 1. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
ChurchCRM, an open-source church management system, had a reflected XSS vulnerability (CVE-2026-39344) in versions before 7.1.0. The vulnerability is due to improper neutralization of script-related HTML tags (CWE-80) and improper input sanitization (CWE-79) on the login page's username parameter. This parameter is directly reflected in the HTML input element without filtering, enabling attackers to inject and execute arbitrary JavaScript in the context of the user's browser session. The vulnerability has a CVSS 3.0 score of 8.1, indicating high severity, with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts confidentiality and integrity but not availability. The vulnerability is resolved in ChurchCRM version 7.1.0.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser when visiting the login page with a crafted URL. This can lead to theft of sensitive information such as session cookies and manipulation of the login interface, potentially facilitating further attacks or credential theft. The vulnerability affects confidentiality and integrity but does not impact availability.
Mitigation Recommendations
This vulnerability is fixed in ChurchCRM version 7.1.0. Users and administrators should upgrade to version 7.1.0 or later to remediate this issue. Since this is not a cloud service, patching the affected software is required. Patch status is confirmed by the vendor advisory stating the fix is included in version 7.1.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-06T20:28:38.394Z
- Cvss Version
- 3.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d549eeaaed68159a473968
Added to database: 4/7/2026, 6:16:14 PM
Last enriched: 4/15/2026, 12:38:09 PM
Last updated: 5/24/2026, 10:35:54 AM
Views: 58
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.