CVE-2026-39336 Overview
ChurchCRM, an open-source church management system, contains a stored cross-site scripting (XSS) vulnerability in versions prior to 7.1.0. The vulnerability affects multiple configuration and form fields, including Directory Reports form fields set from config, Person editor defaults rendered into address fields, and external self-registration form defaults. This represents an admin-to-admin stored XSS attack path where writable configuration fields can be abused to inject malicious scripts.
Critical Impact
Attackers with administrative access can inject persistent malicious scripts that execute in the context of other administrators, potentially leading to session hijacking, credential theft, or further compromise of the church management system and its sensitive congregational data.
Affected Products
- ChurchCRM versions prior to 7.1.0
Discovery Timeline
- 2026-04-07 - CVE-2026-39336 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-39336
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) allows malicious JavaScript code to be persisted in the ChurchCRM database through various configuration interfaces. When other administrators or users access pages that render these stored values, the malicious scripts execute within their browser session. The attack requires high privileges to inject the payload but can affect multiple users who subsequently view the compromised content.
The vulnerability spans multiple entry points within the application: Directory Reports form fields configured through the admin interface, default values in the Person editor that populate address fields, and default settings for the external self-registration form. This multi-vector approach increases the attack surface and potential impact.
Root Cause
The root cause is inadequate input sanitization and output encoding in ChurchCRM's configuration management system. User-supplied data in writable configuration fields is stored in the database without proper validation and subsequently rendered into HTML pages without appropriate encoding or escaping. This allows attackers to inject HTML and JavaScript that persists across sessions and affects multiple users.
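The rendering defect described above, modelled as an added Python example (not ChurchCRM's PHP code): a stored Person-editor address default is written into an input's value attribute, once verbatim and once HTML-encoded, and a parser shows which attributes the browser would actually see. The field name Address1 and the test string are constructed for this illustration.

```python
import html
from html.parser import HTMLParser

# Constructed test string standing in for an address default saved by an
# administrator; the embedded quote is what lets it leave the value attribute.
TAINTED_DEFAULT = 'Main St" onfocus="alert(1)'


def render_address_field_unsafe(default):
    # Mirrors the reported defect: the stored default is interpolated into the
    # attribute verbatim, so the quote terminates value="..." and the rest of
    # the string becomes a new event-handler attribute on the same tag.
    return f'<input type="text" name="Address1" value="{default}">'


def render_address_field_safe(default):
    # html.escape() encodes & < > " and ' (quote=True is the default), so the
    # browser sees a single value attribute whose text merely contains quotes.
    return f'<input type="text" name="Address1" value="{html.escape(default)}">'


class InputAttrs(HTMLParser):
    """Collects the attributes a browser would assign to the <input> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == 'input':
            self.attrs = dict(attrs)


def parsed_attrs(markup):
    # Attribute values come back entity-decoded, exactly as the DOM would hold them.
    parser = InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


if __name__ == '__main__':
    for render in (render_address_field_unsafe, render_address_field_safe):
        attrs = parsed_attrs(render(TAINTED_DEFAULT))
        verdict = 'INJECTED' if 'onfocus' in attrs else 'inert'
        print(f'{render.__name__}: {verdict} -> {sorted(attrs)}')
```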
Attack Vector
An attacker with administrative privileges can exploit this vulnerability by injecting malicious JavaScript code into configuration fields that are rendered in pages viewed by other users. The network-based attack vector requires user interaction as victims must navigate to pages displaying the compromised content. The stored nature of the XSS means the payload persists until manually removed, allowing repeated exploitation without further attacker action.
The attack flow typically involves:
- An administrator with malicious intent accesses configuration settings
- Malicious JavaScript is injected into vulnerable form fields (Directory Reports, Person editor defaults, or self-registration defaults)
- The payload is stored in the application database
- Other administrators or users access pages rendering these values
- The malicious script executes in the victim's browser context
Detection Methods for CVE-2026-39336
Indicators of Compromise
- Unexpected JavaScript code or HTML tags in ChurchCRM configuration fields
- Unusual <script> tags or event handlers (e.g., onerror, onload) in address fields or form defaults
- Database entries containing encoded JavaScript payloads in configuration tables
- Browser console errors indicating blocked inline script execution (if CSP is enabled)
Detection Strategies
- Monitor ChurchCRM configuration changes for suspicious HTML or JavaScript content
- Implement Web Application Firewall (WAF) rules to detect XSS payloads in form submissions
- Review application logs for configuration modifications by users exhibiting suspicious behavior patterns
- Conduct periodic audits of stored configuration values for malicious content
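A configuration audit of the kind the last two strategies call for, as an added Python example rather than a ChurchCRM feature: each stored value is URL- and entity-decoded before matching, so encoded payloads are caught while benign entity-encoded text is left alone. The setting names and values are constructed for the example and are not ChurchCRM's real configuration keys.

```python
import html
import re
from urllib.parse import unquote

# Constructed rows standing in for (setting name, stored value) pairs read from
# the configuration table; the names are placeholders, not ChurchCRM's own.
SAMPLE_ROWS = [
    ('person_editor_default_address', '123 Main St, Apt 4'),
    ('directory_report_field_1', 'Phone &amp; Email'),
    ('directory_report_field_2', '<script>alert(1)</script>'),
    ('self_registration_default_country', '%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E'),
    ('self_registration_default_zip', '" onload="alert(1)'),
]

# Constructs that a legitimate address, label or form default never needs.
SUSPICIOUS = [
    (re.compile(r'<\s*(script|iframe|svg|img|object|embed)\b', re.I), 'html tag'),
    (re.compile(r'\bon[a-z]+\s*=', re.I), 'event handler attribute'),
    (re.compile(r'javascript\s*:', re.I), 'javascript: url'),
]


def normalize(value, rounds=3):
    # Peel off URL encoding and HTML character references, repeating a few
    # times so doubly encoded values are matched in their decoded form.
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def audit_config(rows):
    """Return (setting name, reason) for each stored value that looks like markup."""
    findings = []
    for key, value in rows:
        decoded = normalize(value)
        for pattern, reason in SUSPICIOUS:
            if pattern.search(decoded):
                findings.append((key, reason))
                break  # one reason per setting is enough for triage
    return findings


if __name__ == '__main__':
    for key, reason in audit_config(SAMPLE_ROWS):
        print(f'{key}: {reason}')
```

Run against rows dumped from the live configuration table, anything reported should be reviewed and restored to a plain-text value, and the account that saved it checked against the administrative action log.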
Monitoring Recommendations
- Enable detailed logging for all administrative actions within ChurchCRM
- Configure alerting for configuration field modifications, especially those containing script-like patterns
- Deploy endpoint detection and response (EDR) solutions to identify browser-based attacks originating from compromised ChurchCRM sessions
- Utilize SentinelOne's behavioral AI to detect anomalous activity patterns indicative of XSS exploitation
How to Mitigate CVE-2026-39336
Immediate Actions Required
- Upgrade ChurchCRM to version 7.1.0 or later immediately
- Audit existing configuration fields for any injected malicious content and remove suspicious entries
- Review administrator accounts for any unauthorized access or suspicious activity
- Implement Content Security Policy (CSP) headers as an additional defense layer
Patch Information
The vulnerability has been addressed in ChurchCRM version 7.1.0. Organizations should upgrade to this version or later to remediate the vulnerability. For detailed information about the security fix, refer to the GitHub Security Advisory.
Workarounds
- Restrict administrative access to trusted personnel only until the patch can be applied
- Implement strict input validation rules at the web server or WAF level to block common XSS patterns
- Deploy browser-based XSS protection through CSP headers with strict script-src directives
- Regularly review and sanitize configuration field values to detect and remove any injected content
Organizations unable to immediately upgrade should implement these workarounds while prioritizing the deployment of the patched version.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.