CVE-2026-39333 Overview
CVE-2026-39333 is a reflected Cross-Site Scripting (XSS) vulnerability in ChurchCRM, an open-source church management system. Prior to version 7.1.0, the FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd parameters) into HTML input field attributes without proper output encoding for the HTML attribute context. An authenticated attacker can craft a malicious URL that executes arbitrary JavaScript when visited by another authenticated user.
Critical Impact
Authenticated attackers can execute arbitrary JavaScript in the browser context of other authenticated ChurchCRM users, potentially leading to session hijacking, data theft, or unauthorized actions within the church management system.
Affected Products
- ChurchCRM versions prior to 7.1.0
Discovery Timeline
- 2026-04-07 - CVE-2026-39333 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-39333
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The vulnerability exists in the FindFundRaiser.php endpoint where user-controlled input from the DateStart and DateEnd parameters is inserted directly into HTML input field attributes without proper contextual output encoding.
When user input is reflected into HTML attribute values, special characters like double quotes, single quotes, and event handler attributes must be properly escaped. The absence of this encoding allows an attacker to break out of the attribute context and inject malicious event handlers or script content.
Root Cause
The root cause of this vulnerability is insufficient output encoding in the FindFundRaiser.php endpoint. The application fails to apply HTML attribute encoding to user-supplied DateStart and DateEnd parameter values before reflecting them into the page's HTML. This lack of contextual encoding enables attackers to inject arbitrary HTML attributes, including JavaScript event handlers.
Attack Vector
The attack requires an authenticated user to craft a malicious URL containing XSS payloads in the DateStart or DateEnd parameters. When another authenticated user clicks on this malicious link, the JavaScript payload executes in their browser session with full access to their authentication context.
A typical exploitation scenario involves an attacker embedding a payload within the date parameter values that breaks out of the input field's value attribute and introduces an onmouseover, onfocus, or similar event handler attribute. When the victim interacts with the page, the injected JavaScript executes with the victim's session privileges.
The attacker could leverage this vulnerability to steal session cookies, perform actions on behalf of the victim user, access sensitive congregation data, or modify church records. Since ChurchCRM manages sensitive information including member details, financial contributions, and personal contact information, successful exploitation could have significant privacy implications.
Detection Methods for CVE-2026-39333
Indicators of Compromise
- Unusual URL patterns containing encoded JavaScript in DateStart or DateEnd parameters to FindFundRaiser.php
- Web server logs showing requests to FindFundRaiser.php with suspicious characters such as <, >, ", or onerror, onload, onclick strings in query parameters
- User reports of unexpected browser behavior or pop-ups when accessing fundraiser-related pages
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block XSS patterns in the DateStart and DateEnd parameters
- Configure intrusion detection systems to alert on requests containing common XSS payloads targeting the FindFundRaiser.php endpoint
- Enable verbose logging on the ChurchCRM application server and monitor for suspicious parameter values
Monitoring Recommendations
- Review web server access logs regularly for requests to FindFundRaiser.php with abnormal parameter lengths or encoded special characters
- Monitor user session activity for signs of unauthorized actions that could indicate session hijacking
- Deploy Content Security Policy (CSP) headers and monitor for CSP violation reports indicating XSS attempts
How to Mitigate CVE-2026-39333
Immediate Actions Required
- Upgrade ChurchCRM to version 7.1.0 or later immediately
- Review web server logs for any evidence of exploitation attempts prior to patching
- Notify users to avoid clicking on suspicious links related to ChurchCRM fundraiser functionality
- Consider implementing additional input validation at the web server or reverse proxy level as a defense-in-depth measure
Patch Information
ChurchCRM has addressed this vulnerability in version 7.1.0. Organizations running affected versions should upgrade to 7.1.0 or later as soon as possible. For detailed information about the fix, refer to the GitHub Security Advisory.
Workarounds
- If immediate upgrade is not possible, consider restricting access to the FindFundRaiser.php endpoint through web server configuration or access controls
- Deploy a web application firewall with XSS protection rules to filter malicious input targeting the vulnerable parameters
- Implement Content Security Policy headers to mitigate the impact of any successful XSS exploitation by restricting script execution sources
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
