{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39335", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T20:28:38.393Z", "datePublished": "2026-04-07T17:23:08.968Z", "dateUpdated": "2026-04-08T18:47:09.445Z"}, "containers": {"cna": {"title": "ChurchCRM has Stored XSS via Unescaped data-* Attributes in Group/Family Controls", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44j4-jjw2-wcr6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44j4-jjw2-wcr6"}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"version": "< 7.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:23:08.968Z"}, "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.1, there is Stored XSS in group remove control and family editor state/country. This is primarily an admin-to-admin stored XSS path when writable entity fields are abused. This vulnerability is fixed in 7.1.1."}], "source": {"advisory": "GHSA-44j4-jjw2-wcr6", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44j4-jjw2-wcr6", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T18:47:04.886359Z", "id": "CVE-2026-39335", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:47:09.445Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39335", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T18:47:04.886359Z"}}}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44j4-jjw2-wcr6", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:46:59.234Z"}}], "cna": {"title": "ChurchCRM has Stored XSS via Unescaped data-* Attributes in Group/Family Controls", "source": {"advisory": "GHSA-44j4-jjw2-wcr6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"status": "affected", "version": "< 7.1.1"}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44j4-jjw2-wcr6", "name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44j4-jjw2-wcr6", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.1, there is Stored XSS in group remove control and family editor state/country. This is primarily an admin-to-admin stored XSS path when writable entity fields are abused. This vulnerability is fixed in 7.1.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:23:08.968Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39335", "state": "PUBLISHED", "dateUpdated": "2026-04-08T18:47:09.445Z", "dateReserved": "2026-04-06T20:28:38.393Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T17:23:08.968Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "9580E0A3-5D57-4474-9096-B99B88D5BD5C", "versionEndIncluding": "7.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.1, there is Stored XSS in group remove control and family editor state/country. This is primarily an admin-to-admin stored XSS path when writable entity fields are abused. This vulnerability is fixed in 7.1.1."}], "id": "CVE-2026-39335", "lastModified": "2026-04-09T18:46:14.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T18:16:45.307", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44j4-jjw2-wcr6"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44j4-jjw2-wcr6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.1.1)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "CRM", "source": "cna", "vendor": "ChurchCRM"}, "product": "churchcrm", "vendor": "churchcrm"}], "analysis": {"en": {"generated_at": "2026-04-09T23:09:24.219482+00:00", "value": {"mitigation_remediation": ["Upgrade ChurchCRM to version 7.1.1 or later", "Verify the current installation version and apply any available security updates", "If an immediate upgrade is not possible, restrict write access to the group and family edit interfaces until the patch is applied"], "summary": {"action": "Patch Now", "impact": "Stored cross\u2011site scripting via unescaped data-* attributes"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of ChurchCRM older than version 7.1.1, specifically the open\u2011source church management system. The flaw is present in the core product and is not limited to a specific deployment environment. Operators of any such installations should verify their version and ensure that the upgrade to 7.1.1 or later has been applied to remove the risk.", "description_and_impact": "ChurchCRM versions earlier than 7.1.1 contain a stored cross\u2011site scripting flaw that arises when unescaped data-* attributes are entered in the group remove control or the family editor state or country fields. The injected payload is persisted in the database and rendered every time the affected page is viewed in a browser, allowing an attacker to run arbitrary JavaScript in that context. This capability can be used for defacement, credential theft or other malicious actions inside the application, representing a classic HTML injection weakness identified as CWE-79.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a moderate severity level. The EPSS score of less than 1% suggests that exploitation of this flaw is currently unlikely to be widespread, and it is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker must first gain administrator\u2011level write access to the group or family edit interfaces to inject malicious data. Once the payload is stored, it will be executed in the browsers of any users who subsequently view the compromised pages, meaning that both privileged and non\u2011privileged users could be. The overall risk is therefore moderate, with the primary threat domain being information disclosure and potential user session compromise rather than complete system takeover."}}}}, "created": "2026-04-08T19:47:17.030019+00:00", "updated": "2026-04-10T09:41:23.196412+00:00", "vendors": ["churchcrm", "churchcrm$PRODUCT$churchcrm"]}