Cyber Resilience

CVE-2026-39333

Severity: High

Published: 07 April 2026
Modified: 10 April 2026
KEV Added: not listed
Patch: ChurchCRM 7.1.0
CVSS v3.1 base score: 8.7 (High), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
EPSS score: 0.0022 (11.7th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-39333 is a high-severity reflected cross-site scripting (CWE-79) vulnerability in ChurchCRM. Its CVSS v3.1 base score is 8.7 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 11.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST SP 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation), with SI-10 (Information Input Validation) as a partial control.

Deeper analysis

CVE-2026-39333 is a reflected cross-site scripting (XSS) vulnerability (CWE-79) in ChurchCRM, an open-source church management system. In versions prior to 7.1.0, the FindFundRaiser.php endpoint reflects user-supplied input from the DateStart and DateEnd query parameters into the attributes of HTML input fields without output encoding appropriate to the HTML attribute context. Because the reflection point is inside an attribute, the attacker does not need to inject a `<script>` tag: a double quote in the parameter value closes the attribute, after which the rest of the value is parsed as additional attributes, including event handlers that fire without any click.

An authenticated attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low attack complexity (AC:L) by crafting a malicious URL. Exploitation requires user interaction (UI:R): a second authenticated user must open the link, at which point the injected JavaScript runs in that victim's browser with the victim's session. The scope is Changed (S:C) because the script executes in the browser rather than within the vulnerable component's own security authority, and the result is high confidentiality (C:H) and integrity (I:H) impact with no availability impact (A:N), giving a CVSS base score of 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N).

The vulnerability is fixed in ChurchCRM version 7.1.0, which adds proper output encoding. Additional details are available in the GitHub security advisory at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-fqq6-qrcf-h7h5. Operators should upgrade to 7.1.0 or later and review who holds accounts on the instance, since the attacker must already be an authenticated user and the victim must also be logged in.
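The following is an added illustration written for this page, not code from ChurchCRM or from the advisory. It reproduces the vulnerable pattern the advisory describes (a date parameter dropped straight into a double-quoted `value` attribute) beside a hardened version that layers the two controls listed below: input validation of the date (SI-10) and attribute-context output encoding (SI-15). The parameter name DateStart comes from the advisory; the function names, the payload and the date format are assumptions made for the example.

```php
<?php
// Added example, not ChurchCRM code. Shows why an HTML attribute context needs
// attribute-aware encoding, and how validation plus encoding closes the hole.

declare(strict_types=1);

// Vulnerable pattern: the raw query parameter is concatenated into a
// double-quoted attribute. A value containing a double quote closes the
// attribute, and whatever follows is parsed as further attributes.
function renderDateFieldVulnerable(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Layer 1 (SI-10, input validation): accept only strings that really are
// dates in the expected format (assumed here to be YYYY-MM-DD).
function validateDate(string $value): ?string
{
    $dt = DateTime::createFromFormat('!Y-m-d', $value);
    // createFromFormat is lenient about out-of-range days (2026-02-30 rolls
    // over into March), so additionally require an exact round trip.
    if ($dt === false || $dt->format('Y-m-d') !== $value) {
        return null;
    }
    return $value;
}

// Layer 2 (SI-15, output encoding): encode for the HTML attribute context.
// ENT_QUOTES matters: without it single quotes pass through, which would be
// unsafe in any template that uses single-quoted attributes.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderDateFieldSafe(string $name, string $value): string
{
    $clean = validateDate($value) ?? '';   // invalid input renders as empty
    return '<input type="text" name="' . attr($name) . '" value="' . attr($clean) . '">';
}

// Constructed attack value of the attribute-breakout shape: close value="...",
// add an event handler that fires on page load, then re-open a dummy attribute
// so the template's own trailing quote still parses cleanly.
$payload = '2026-01-01" autofocus onfocus="alert(document.cookie)" x="';

echo renderDateFieldVulnerable('DateStart', $payload), PHP_EOL;
echo renderDateFieldSafe('DateStart', $payload), PHP_EOL;
echo renderDateFieldSafe('DateStart', '2026-01-01'), PHP_EOL;

// Encoding alone (no validation) is already sufficient to defuse the breakout,
// because every double quote in the payload becomes &quot;.
echo '<input value="' . attr($payload) . '">', PHP_EOL;
```

Run it with `php example.php`. The vulnerable renderer emits the payload verbatim, so the browser sees `autofocus` and `onfocus` as real attributes on the input element and runs the handler as soon as the field receives focus, with no click required. The hardened renderer never reaches that point: the validator rejects the value, and even if validation were skipped, `attr()` turns each `"` into `&quot;`, so the attacker's text stays inside the attribute as inert data. Keep both layers: validation narrows what the endpoint accepts, encoding guarantees correctness for whatever it renders.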

Vulnerability details

ChurchCRM is an open-source church management system. Prior to 7.1.0, the FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd) into HTML input field attributes without proper output encoding for the HTML attribute context. An authenticated attacker can craft a malicious URL that executes arbitrary JavaScript when visited by another authenticated user. This constitutes a reflected XSS vulnerability. This vulnerability is fixed in 7.1.0.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

The reflected XSS flaw in the web application is reached by exploiting the public-facing app (T1190) and results in arbitrary JavaScript execution in the victim's browser (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35574 (same product: ChurchCRM)
CVE-2026-35576 (same product: ChurchCRM)
CVE-2026-39332 (same product: ChurchCRM)
CVE-2026-39328 (same product: ChurchCRM)
CVE-2026-35575 (same product: ChurchCRM)
CVE-2026-35534 (same product: ChurchCRM)
CVE-2026-39334 (same product: ChurchCRM)
CVE-2025-11529 (same product: ChurchCRM)
CVE-2026-39330 (same product: ChurchCRM)
CVE-2026-39341 (same product: ChurchCRM)

Affected Assets

Vendor: ChurchCRM
Product: ChurchCRM
Affected versions: < 7.1.0 (fixed in 7.1.0)

Mitigating Controls (NIST SP 800-53 r5)

SI-15 Information Output Filtering (prevent)
SI-15 requires that information output by applications be validated for consistency with the expected content, which for a web page means encoding user-supplied values such as DateStart and DateEnd for the context they are rendered into (here, an HTML attribute). Applied to the affected endpoint, this prevents the reflected XSS.

SI-2 Flaw Remediation (prevent)
SI-2 requires timely flaw remediation, directly addressing this vulnerability through patching to ChurchCRM 7.1.0 or later, which implements proper output encoding.

SI-10 Information Input Validation (prevent, partial)
SI-10 enforces input validation for parameters like DateStart and DateEnd, partially mitigating XSS by rejecting values that are not well-formed dates before they are reflected. It is a defense in depth measure, not a substitute for output encoding.

References

GitHub Security Advisory GHSA-fqq6-qrcf-h7h5: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-fqq6-qrcf-h7h5