CVE-2026-39338 HIGH

CVE-2026-39338: ChurchCRM has Blind XSS via Global Search – Administrative Cookie Session Exfiltration

Vendor Churchcrm
Product CRM
Weakness CWE-79 · XSS
Published April 7, 2026
Last update April 9, 2026

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM dashboard. The application fails to sanitize or encode user-supplied input prior to rendering it within the browser's DOM. Although the application ultimately returns an HTTP 500 error due to the malformed API request caused by the payload, the browser's JavaScript engine parses and executes the injected <script> tags before the error response is returned — resulting in successful code execution regardless of the server-side error. This vulnerability is fixed in 7.1.0.

Key dates

02Disclosure timeline

April 7, 2026 CVE published
April 9, 2026 Record updated

Related vulnerabilities

04Related CVE