CVE-2026-39344 Overview
CVE-2026-39344 is a Reflected Cross-Site Scripting (XSS) vulnerability affecting the login page of ChurchCRM, an open-source church management system. The vulnerability exists in versions prior to 7.1.0 and is caused by the lack of sanitization or encoding of the username parameter received from the URL. The username parameter value is directly displayed in the login page input element without proper filtering, allowing attackers to insert malicious JavaScript scripts into the page context.
Critical Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies, credentials, or hijacking user sessions. Attackers could also replace the legitimate login form with a phishing form to harvest sensitive authentication data.
Affected Products
- ChurchCRM versions prior to 7.1.0
- ChurchCRM church management system installations with exposed login pages
Discovery Timeline
- 2026-04-07 - CVE-2026-39344 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-39344
Vulnerability Analysis
This Reflected XSS vulnerability occurs when user-supplied input via the username URL parameter is echoed back into the HTML response without proper output encoding or input validation. When a victim clicks a malicious link containing JavaScript code in the username parameter, the malicious script executes within the context of the ChurchCRM application domain.
The attack exploits the trust relationship between the user's browser and the ChurchCRM application. Since the malicious script executes with the same origin as the legitimate application, it has full access to cookies, session tokens, and can perform actions on behalf of the authenticated user.
Root Cause
The root cause is improper output encoding in the login page template. When rendering the login form, the application inserts the username parameter value directly into an HTML input element's value attribute without escaping HTML special characters or JavaScript-relevant characters. This allows an attacker to break out of the attribute context and inject arbitrary HTML or JavaScript code.
This vulnerability falls under CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically the Reflected XSS variant where the malicious payload is delivered via the HTTP request itself.
Attack Vector
The attack is network-based and requires user interaction. An attacker crafts a malicious URL containing JavaScript code in the username parameter and tricks a victim into clicking the link through phishing emails, social media, or other distribution methods.
Upon visiting the malicious URL, the victim's browser renders the login page with the attacker's JavaScript executing in the page context. This allows the attacker to steal session cookies, capture credentials entered into the form, redirect users to phishing sites, or perform other malicious actions within the victim's browser session.
The attack is particularly effective because the malicious URL points to the legitimate ChurchCRM domain, making it more likely that users will trust and click the link. Additionally, the login page is typically accessible without authentication, increasing the attack surface.
Detection Methods for CVE-2026-39344
Indicators of Compromise
- Suspicious URL parameters containing JavaScript code or HTML tags in the username field
- HTTP request logs showing encoded script tags (%3Cscript%3E) or event handlers (onerror, onload) in URL parameters
- Unusual outbound connections from client browsers to unknown external domains after visiting the login page
- Reports of users being redirected to unfamiliar pages from the ChurchCRM login
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block requests containing potential XSS payloads in URL parameters
- Monitor HTTP access logs for URL patterns containing encoded HTML/JavaScript special characters
- Deploy browser-based security monitoring to detect suspicious script execution on the login page
- Utilize endpoint detection and response (EDR) solutions to identify post-exploitation activity from XSS attacks
Monitoring Recommendations
- Enable detailed logging for all HTTP requests to the ChurchCRM login page
- Configure alerting for URL parameters containing suspicious character sequences such as <script>, javascript:, or onerror=
- Monitor for anomalous session activity that may indicate session hijacking following XSS exploitation
- Regularly review Content Security Policy (CSP) violation reports if CSP is implemented
How to Mitigate CVE-2026-39344
Immediate Actions Required
- Upgrade ChurchCRM to version 7.1.0 or later immediately
- Review web server access logs for evidence of exploitation attempts targeting the login page
- Implement a Web Application Firewall (WAF) with XSS protection rules as a temporary measure
- Consider restricting access to the ChurchCRM login page to trusted networks if possible
Patch Information
The vulnerability is fixed in ChurchCRM version 7.1.0. Administrators should upgrade to this version or later to remediate the vulnerability. For additional details, refer to the GitHub Security Advisory GHSA-rx8c-j7x8-w3hj.
Workarounds
- Deploy a reverse proxy or WAF configured to sanitize or block requests containing script tags or JavaScript event handlers in URL parameters
- Implement Content Security Policy (CSP) headers to restrict inline script execution and mitigate XSS impact
- Use browser extensions or security proxies on client systems to detect and block XSS attempts
- Educate users about the risks of clicking links to the ChurchCRM login page from untrusted sources
# Example WAF rule to block potential XSS in URL parameters (ModSecurity)
SecRule ARGS "@rx <script|javascript:|onerror=|onload=" \
"id:100001,phase:1,deny,status:403,msg:'Potential XSS attack detected'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
