CVE-2026-39328
Published: 07 April 2026
Summary
CVE-2026-39328 is a high-severity Cross-site Scripting (CWE-79) vulnerability in ChurchCRM. Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). It ranks at the 14.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of user inputs to profile fields, directly preventing injection of malicious JavaScript payloads into Facebook, LinkedIn, and X fields.
SI-15 mandates filtering of information outputs when rendering profiles, preventing execution of chained onfocus event handlers that exfiltrate session cookies.
SI-2 ensures identification, testing, and timely remediation of flaws like the lack of sanitization in profile editing, as fixed in ChurchCRM 7.1.0.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS lets the attacker inject JavaScript that executes in the victim's browser and exfiltrates session cookies, directly facilitating browser session hijacking and the theft and reuse of web session cookies for account access.
NVD Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, and X profile fields. Due to a 50-character field limit, the payload is distributed across all three fields and chains their onfocus event handlers to execute in sequence. When any user, including administrators, views the attacker's profile, their session cookies are exfiltrated to a remote server. This vulnerability is fixed in 7.1.0.
Deeper analysis
CVE-2026-39328 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting ChurchCRM, an open-source church management system, in versions prior to 7.1.0. The flaw resides in the person profile editing functionality, where the Facebook, LinkedIn, and X (formerly Twitter) profile fields fail to properly sanitize user input, allowing injection of malicious JavaScript. Due to a 50-character limit per field, attackers distribute the payload across these three fields and chain their onfocus event handlers to execute sequentially. The vulnerability carries a CVSS v3.1 base score of 8.9 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L).
Non-administrative users with the EditSelf permission can exploit this vulnerability by injecting the crafted payload into their own profile fields. When any user, including administrators, views the attacker's profile page, the JavaScript executes in the viewer's browser context, exfiltrating session cookies to a remote server controlled by the attacker. This enables session hijacking, potentially granting unauthorized access to the victim's account with the victim's privileges, including administrative capabilities when the victim is an administrator.
The GitHub Security Advisory (GHSA-fcp5-pwvj-v7xm) confirms the issue and states that it is fixed in ChurchCRM version 7.1.0, recommending that users upgrade to this patched release to mitigate the vulnerability. No workarounds are detailed in the provided information.
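The two controls named above (SI-10 input validation on the three social-profile fields, SI-15 output filtering when the profile is rendered) can be illustrated with the following added example. It is not ChurchCRM's code and the host allow-list and field names are assumptions; the point it makes is that the 50-character limit is not a control, because per-field validation must still reject HTML metacharacters in every field for a payload split across fields to be defeated, and output encoding must apply even to values that passed validation.

```python
import html
import re
from urllib.parse import urlsplit

# Assumed host allow-list per field; ChurchCRM's real rules may differ.
ALLOWED_HOSTS = {
    "facebook": ("facebook.com", "www.facebook.com"),
    "linkedin": ("linkedin.com", "www.linkedin.com"),
    "x": ("x.com", "twitter.com"),
}
MAX_LEN = 50  # the per-field limit the advisory mentions (not a security control)
HANDLE_RE = re.compile(r"[A-Za-z0-9._-]{1,50}")
PATH_RE = re.compile(r"/[A-Za-z0-9._/-]{1,40}")


def validate_social_field(field: str, value: str):
    """SI-10: accept only a bare handle or an https URL on the expected host.
    Returns the accepted value, or None when the input must be rejected.
    Quotes, angle brackets and spaces never pass, so a 50-char fragment per
    field cannot carry an attribute-breaking piece of a larger payload."""
    value = value.strip()
    if not value or len(value) > MAX_LEN:
        return None
    if HANDLE_RE.fullmatch(value):
        return value
    parts = urlsplit(value)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS[field]:
        return None  # rejects non-https schemes and foreign hosts
    if parts.query or parts.fragment or not PATH_RE.fullmatch(parts.path):
        return None
    return value


def validate_profile(fields: dict) -> dict:
    """Validate every social field independently, so a payload spread
    across fields cannot be reassembled from partially accepted pieces."""
    return {name: validate_social_field(name, val) for name, val in fields.items()}


def render_social_link(field: str, stored: str) -> str:
    """SI-15: HTML-encode on output even for values that passed validation,
    so a bypass of the input check still cannot break out of the attribute."""
    if stored.startswith("https://"):
        href = stored
    else:
        href = f"https://{ALLOWED_HOSTS[field][0]}/{stored}"
    safe_href = html.escape(href, quote=True)
    safe_text = html.escape(stored, quote=True)
    return f'<a href="{safe_href}">{safe_text}</a>'
```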
Details
- CWE(s)