CVE-2026-39335 Overview
ChurchCRM is an open-source church management system used by religious organizations to manage membership, donations, and administrative functions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in versions prior to 7.1.1 affecting the group remove control and family editor state/country fields. This vulnerability allows authenticated administrators to inject malicious scripts that persist in the database and execute when other administrators view the affected pages, creating an admin-to-admin attack vector.
Critical Impact
Authenticated administrators can inject persistent malicious scripts through writable entity fields, potentially compromising other administrator accounts, stealing session tokens, or performing unauthorized actions within the church management system.
Affected Products
- ChurchCRM versions prior to 7.1.1
- ChurchCRM group remove control component
- ChurchCRM family editor state/country fields
Discovery Timeline
- 2026-04-07 - CVE CVE-2026-39335 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-39335
Vulnerability Analysis
This Stored XSS vulnerability (CWE-79) occurs when user-controlled input in the group remove control and family editor state/country fields is not properly sanitized before being stored in the database and subsequently rendered in the browser. When an administrator enters malicious JavaScript code into these fields, the payload is stored persistently and executes whenever another administrator accesses the affected pages.
The vulnerability requires high privileges to exploit (administrator access), but the impact on confidentiality and integrity is significant because the attacker can hijack other administrator sessions, access sensitive congregation data, or modify records without authorization.
Root Cause
The root cause of this vulnerability is improper input validation and output encoding in the group remove control and family editor components. The application fails to sanitize user-supplied input containing HTML or JavaScript before storing it in the database, and does not properly encode this data when rendering it back to users in the browser context.
Attack Vector
The attack requires network access and an authenticated administrator account. The attacker injects malicious JavaScript payloads into vulnerable form fields such as the state or country fields in the family editor, or through the group remove control interface. When another administrator views these records, the stored script executes within their browser session under the context of the ChurchCRM application.
This allows the attacker to steal session cookies, capture keystrokes, redirect users to phishing pages, or perform administrative actions on behalf of the victim. User interaction is required as another administrator must view the page containing the malicious payload.
The vulnerability mechanism involves injecting script tags or event handlers into the writable entity fields. For detailed technical analysis, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-39335
Indicators of Compromise
- Unexpected script tags or JavaScript event handlers in database records for family state/country fields
- Unusual HTML entities or encoded JavaScript payloads in group configuration data
- Browser console errors indicating blocked inline script execution from Content Security Policy violations
- Session anomalies where administrator accounts access resources from unexpected IP addresses
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect XSS payloads in POST requests to family editor and group management endpoints
- Monitor application logs for unusual characters in form submissions including <script>, onerror=, onload=, and similar XSS indicators
- Deploy browser-based monitoring to detect Content Security Policy violations indicating attempted script injection
- Conduct periodic database audits scanning for JavaScript payloads in text fields that should only contain geographic data
Monitoring Recommendations
- Enable detailed logging for all administrative actions within ChurchCRM, particularly modifications to family records and group configurations
- Configure alerts for Content Security Policy violation reports if CSP headers are implemented
- Monitor for unusual administrator session patterns such as concurrent logins from different geographic locations
- Review access logs for the family editor and group management pages for anomalous patterns
How to Mitigate CVE-2026-39335
Immediate Actions Required
- Upgrade ChurchCRM to version 7.1.1 or later immediately to remediate this vulnerability
- Review existing family and group records for any suspicious content containing script tags or JavaScript code
- Implement Content Security Policy headers to mitigate the impact of any existing stored XSS payloads
- Rotate administrator session tokens and force re-authentication for all privileged users
Patch Information
This vulnerability is fixed in ChurchCRM version 7.1.1. Organizations should upgrade to this version or later to receive the security patch. The fix implements proper input sanitization and output encoding for the affected group remove control and family editor state/country fields. For more information, see the GitHub Security Advisory.
Workarounds
- Restrict administrative access to trusted personnel only and enforce the principle of least privilege
- Implement Web Application Firewall rules to filter XSS payloads in incoming requests
- Deploy Content Security Policy headers with strict script-src directives to prevent inline script execution
- Conduct regular security audits of database content to identify and remove any malicious payloads
# Example Content Security Policy header configuration for Apache
# Add to .htaccess or virtual host configuration
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
