CVE-2026-39332 HIGH

CVE-2026-39332: ChurchCRM has Reflected Cross-Site Scripting (XSS) in GeoPage.php

Vendor Churchcrm

Product CRM

Weakness CWE-79 · XSS

Published April 7, 2026

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocus with no user interaction required, an attacker can steal session cookies and fully take over any victim account, including administrator accounts, by tricking them into submitting a crafted form. This vulnerability is fixed in 7.1.0.

Key dates

Disclosure timeline

April 7, 2026 CVE published

April 8, 2026 Record updated