CVE-2026-39333
Published: 07 April 2026
Summary
CVE-2026-39333 is a high-severity Cross-site Scripting (CWE-79) vulnerability in ChurchCRM. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 11.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-15 directly mandates filtering and encoding of output to web pages, preventing reflected XSS by ensuring user-supplied inputs like DateStart and DateEnd are properly encoded in HTML attribute contexts.
SI-2 requires timely flaw remediation, directly addressing this XSS vulnerability by patching to ChurchCRM 7.1.0 or later, which implements proper output encoding.
SI-10 enforces input validation for parameters like DateStart and DateEnd, partially mitigating XSS by rejecting or sanitizing malicious payloads before reflection.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A reflected XSS vulnerability in a web application directly enables arbitrary JavaScript execution in the victim's browser (T1059.007) and exploitation of the web application itself (T1190).
NVD Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, the FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd) into HTML input field attributes without proper output encoding for the HTML attribute context. An authenticated attacker can craft a malicious URL that executes arbitrary JavaScript when visited by another authenticated user. This constitutes a reflected XSS vulnerability. This vulnerability is fixed in 7.1.0.
Deeper analysis
CVE-2026-39333 is a reflected cross-site scripting (XSS) vulnerability (CWE-79) in ChurchCRM, an open-source church management system. In versions prior to 7.1.0, the FindFundRaiser.php endpoint improperly reflects user-supplied input from the DateStart and DateEnd parameters into HTML input field attributes without adequate output encoding for the HTML attribute context. This flaw allows injection of malicious payloads into dynamically generated web pages.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) by crafting a malicious URL. The URL requires user interaction (UI:R) from another authenticated user who visits it, leading to execution of arbitrary JavaScript in the victim's browser context. Successful exploitation changes the scope (S:C) and results in high confidentiality (C:H) and integrity (I:H) impacts, with no availability disruption (A:N), as scored at CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N).
The vulnerability is addressed in ChurchCRM version 7.1.0, which includes a fix for proper output encoding. Additional details are available in the GitHub security advisory at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-fqq6-qrcf-h7h5. Security practitioners should upgrade to 7.1.0 or later and review access controls for the affected endpoint.
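To make the attribute-context point concrete, the following PHP is an added illustration written for this page; it is not ChurchCRM's code and does not reproduce the actual FindFundRaiser.php source. Only the parameter names (DateStart, DateEnd) come from the advisory; the HTML fragment, function names and sample payload are assumed. It shows the bug class (a filter value reflected raw into an input's value attribute), the output-encoding fix that SI-15 calls for, and the input validation that SI-10 adds as defence in depth.

```php
<?php
// Added example for CVE-2026-39333's bug class; NOT ChurchCRM's code.
// Parameter name DateStart is from the advisory; everything else is assumed.

// Constructed payload: closes the value="..." attribute and adds an event
// handler that fires without a click, so UI:R is just visiting the link.
$attack = '" autofocus onfocus="alert(document.cookie)" x="';

// VULNERABLE pattern (assumed reconstruction): raw interpolation into an
// HTML attribute. A double quote in $value ends the attribute early.
function renderDateFieldVulnerable(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// HARDENED (SI-15): encode for the HTML attribute context. ENT_QUOTES turns
// both " and ' into entities, so the value cannot terminate the attribute
// whichever quoting style the template uses; ENT_SUBSTITUTE avoids returning
// an empty string on invalid UTF-8, which would otherwise hide input.
function renderDateFieldSafe(string $name, string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $encoded . '">';
}

// DEFENCE IN DEPTH (SI-10): a date filter only needs to be a calendar date.
// Accept strict YYYY-MM-DD (round-trip check rejects e.g. 2026-02-31) and
// fall back to empty for anything else, so a payload never reaches the page.
function validDateOrEmpty(?string $raw): string
{
    if ($raw === null) {
        return '';
    }
    $parsed = DateTime::createFromFormat('!Y-m-d', $raw);
    return ($parsed !== false && $parsed->format('Y-m-d') === $raw) ? $raw : '';
}

// Use the query parameter when run behind a web server; from the CLI $_GET
// is empty, so the constructed payload is used for the demonstration.
$dateStart = $_GET['DateStart'] ?? $attack;

echo "vulnerable: ", renderDateFieldVulnerable('DateStart', $dateStart), "\n";
echo "encoded:    ", renderDateFieldSafe('DateStart', $dateStart), "\n";
echo "validated:  ", renderDateFieldSafe('DateStart', validDateOrEmpty($dateStart)), "\n";
echo "valid date: ", renderDateFieldSafe('DateStart', validDateOrEmpty('2026-04-07')), "\n";
```

Run it with `php example.php`. The first line shows the attribute broken open with a live onfocus handler; the second keeps the same characters but as `&quot;`, `&lt;` and friends inside a single attribute, so the browser treats them as literal text; the third never reflects the payload at all because it is not a date. Encoding is the fix that closes the CVE; validation alone is not sufficient, because the same value may later be reflected in another context (for example inside a script block) where attribute encoding is the wrong answer, so the two controls are complementary rather than interchangeable.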
Details
- CWE(s)