CVE-2026-39941 Overview
ChurchCRM, an open-source church management system, contains a Cross-Site Scripting (XSS) vulnerability in versions prior to 7.1.0. The vulnerability exists in the EditEventAttendees.php file, where attacker-supplied input sent via the EName and EDesc parameters is rendered in the page without proper output encoding. This enables arbitrary JavaScript execution in victims' browsers, potentially leading to session hijacking, credential theft, or malicious actions performed in the context of the authenticated user.
Critical Impact
Attackers can inject malicious JavaScript through event name and description parameters, enabling session hijacking, credential theft, and unauthorized actions against authenticated ChurchCRM users.
Affected Products
- ChurchCRM versions prior to 7.1.0
- ChurchCRM EditEventAttendees.php component
- Web applications utilizing ChurchCRM for church management
Discovery Timeline
- 2026-04-09 - CVE-2026-39941 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-39941
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The root issue stems from the EditEventAttendees.php file failing to properly sanitize and encode user-controlled input before rendering it in HTML output.
When a user submits data through the EName (Event Name) and EDesc (Event Description) parameters, the application directly includes this input in the generated HTML response without applying appropriate output encoding. This allows an attacker to craft malicious input containing JavaScript code that will execute in the browser context of any user viewing the affected page.
The vulnerability is network-accessible and requires no authentication to exploit, though successful exploitation depends on user interaction (such as clicking a malicious link or viewing a compromised event entry).
Root Cause
The vulnerability originates from missing output encoding in the PHP template rendering logic. User-supplied values for EName and EDesc parameters are directly interpolated into HTML output without using escaping functions like htmlspecialchars() or the application's InputUtils::escapeAttribute() helper. This allows HTML and JavaScript injection through these form fields.
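The snippet below is an added illustration, not ChurchCRM's code: it reproduces the defect the root-cause paragraph describes (request values interpolated straight into markup) beside the hardened form, and shows what each renders for the same input. escape_output() is a local stand-in for the application's InputUtils::escapeAttribute() helper, whose implementation is assumed rather than copied from the project; the sample EName/EDesc values are constructed.

```php
<?php
// Added example (not ChurchCRM's code). Demonstrates the missing-output-encoding
// defect for EName/EDesc and the fix: encode every user-controlled value for
// the HTML context it lands in. escape_output() is an assumed stand-in for
// InputUtils::escapeAttribute().
declare(strict_types=1);

function escape_output(string $value): string
{
    // ENT_QUOTES encodes both ' and " so a value cannot close an attribute;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable: the raw parameter values become part of the page.
function render_vulnerable(string $eName, string $eDesc): string
{
    return '<input type="text" name="EName" value="' . $eName . '">' . "\n"
         . '<textarea name="EDesc">' . $eDesc . '</textarea>';
}

// Hardened: attribute value and element text are both encoded before output.
function render_fixed(string $eName, string $eDesc): string
{
    return '<input type="text" name="EName" value="' . escape_output($eName) . '">' . "\n"
         . '<textarea name="EDesc">' . escape_output($eDesc) . '</textarea>';
}

// True when the rendered page contains no raw markup characters from the input,
// i.e. the browser will display the text literally instead of parsing it.
function output_is_inert(string $html, string $input): bool
{
    return !str_contains($html, $input) && !str_contains($html, '<script');
}

// Constructed sample input of the kind the advisory describes: one value tries to
// break out of the attribute, the other tries to close the textarea element.
$eName = 'Picnic"><script>alert(1)</script>';
$eDesc = 'Bring food</textarea><script>alert(2)</script>';

echo "--- vulnerable ---\n", render_vulnerable($eName, $eDesc), "\n";
echo "--- fixed ---\n", render_fixed($eName, $eDesc), "\n";

// Expected: vulnerable output still contains the raw input; fixed output does not.
var_dump(output_is_inert(render_vulnerable($eName, $eDesc), $eName)); // bool(false)
var_dump(output_is_inert(render_fixed($eName, $eDesc), $eName));      // bool(true)
```

The fixed version renders the event name as `Picnic&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser decodes back to the original text for display and for the form's submitted value, so encoding on output loses nothing the user typed. The same htmlspecialchars() call serves both the attribute and the element-text context here; a value placed inside a `<script>` block or a URL would need a context-specific encoder instead.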
Attack Vector
The attack leverages the network-accessible web interface of ChurchCRM. An attacker can craft a malicious URL or form submission containing JavaScript payloads in the EName or EDesc parameters. When a victim user (typically an authenticated church administrator or staff member) views the event attendees page with the injected content, the malicious script executes in their browser session.
Example attack scenarios include:
- Stored XSS through persistent event data displayed to multiple users
- Reflected XSS via crafted links sent to targeted administrators
- Session token exfiltration to attacker-controlled servers
- Phishing overlays rendered within the trusted application context
The security patch demonstrates the proper remediation approach by applying XSS escaping to user-controlled values:
</div>
<div class="mb-3">
<label for="NumNeighbors" class="form-label"><?= gettext('Maximum number of neighbors') ?>:</label>
- <input type="text" class="form-control" name="NumNeighbors" value="<?= $iNumNeighbors ?>" style="max-width:120px">
+ <input type="text" class="form-control" name="NumNeighbors" value="<?= InputUtils::escapeAttribute((string)$iNumNeighbors) ?>" style="max-width:120px">
</div>
<div class="mb-3">
<label for="MaxDistance" class="form-label">
<?= gettext('Maximum distance') . ' (' . gettext(SystemConfig::getValue('sDistanceUnit')) . '):' ?>
</label>
- <input type="text" class="form-control" name="MaxDistance" value="<?= $nMaxDistance ?>" style="max-width:120px">
+ <input type="text" class="form-control" name="MaxDistance" value="<?= InputUtils::escapeAttribute((string)$nMaxDistance) ?>" style="max-width:120px">
</div>
<div class="mb-3">
<label class="form-label"><?= gettext('Show neighbors with these classifications') ?>:</label>
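Review bot: the two `-`/`+` pairs above wrap `$iNumNeighbors` and `$nMaxDistance` in `InputUtils::escapeAttribute()`, but neither line touches the EName or EDesc values the advisory names as the injection point in EditEventAttendees.php, so this excerpt does not show the fix for the reported parameters; quote the corresponding lines from that file, or state that this is a related hardening from the same commit. Minor: `<label for="NumNeighbors">` and `<label for="MaxDistance">` point at inputs that carry a `name` but no matching `id`, so the labels are not associated with their fields.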
Source: GitHub Commit Details
Detection Methods for CVE-2026-39941
Indicators of Compromise
- Unusual JavaScript code fragments in EName or EDesc fields of event records
- HTTP requests to EditEventAttendees.php containing script tags or JavaScript event handlers in parameters
- Anomalous outbound connections from user browsers to external domains after visiting event pages
- Server logs showing encoded or obfuscated JavaScript payloads in GET/POST parameters
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads in request parameters
- Monitor application logs for requests containing HTML tags or JavaScript event handlers in the EName and EDesc parameters
- Deploy Content Security Policy (CSP) headers to detect and report inline script execution attempts
- Use browser security tools to identify unexpected script sources or DOM modifications on ChurchCRM pages
Monitoring Recommendations
- Enable verbose logging for the EditEventAttendees.php endpoint and related event management functions
- Configure alerting for requests containing suspicious character sequences such as <script>, javascript:, or encoded variants
- Review database entries for event records containing potentially malicious HTML or script content
- Monitor for unusual session activity patterns that may indicate successful XSS exploitation
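The scanner below is an added example, not part of the advisory or of ChurchCRM: it applies the log-monitoring items above (HTML tags, JavaScript event handlers, `javascript:` URIs, and URL-encoded variants in the EName and EDesc parameters of EditEventAttendees.php requests) to a few constructed Apache access-log lines. It reads GET query strings only; POST bodies do not appear in a standard access log, so the application-level logging or WAF rules mentioned above are still needed for those. Parameter names come from the advisory; the log lines, patterns and function names are constructed here.

```php
<?php
// Added example (not ChurchCRM's code): flag requests to EditEventAttendees.php
// whose EName/EDesc parameters carry markup or script, after undoing layered
// URL encoding. Sample log lines are constructed, not real traffic.
declare(strict_types=1);

const WATCHED_PARAMS = ['EName', 'EDesc'];

// Patterns that have no business in a plain-text event name or description.
const SUSPICIOUS = [
    'html_tag'      => '/<\s*\/?\s*[a-z][\w-]*/i',
    'event_handler' => '/\bon[a-z]+\s*=/i',
    'js_uri'        => '/javascript\s*:/i',
];

// Undo nested URL encoding (%253C -> %3C -> <), bounded so hostile input
// cannot make the loop spin.
function decode_fully(string $value, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = urldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

// Returns a list of findings for one combined-format access-log line.
function scan_log_line(string $line): array
{
    // Combined format carries the request as "METHOD /path?query HTTP/x.y".
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return [];
    }
    $url = $m[1];
    if (!str_contains($url, 'EditEventAttendees.php')) {
        return [];
    }
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];
    }
    // parse_str() decodes one layer of URL encoding; decode_fully() handles the rest.
    parse_str($query, $params);

    $findings = [];
    foreach (WATCHED_PARAMS as $name) {
        if (!isset($params[$name]) || !is_string($params[$name])) {
            continue;
        }
        $value = decode_fully($params[$name]);
        foreach (SUSPICIOUS as $rule => $regex) {
            if (preg_match($regex, $value)) {
                $findings[] = ['param' => $name, 'rule' => $rule, 'value' => $value];
            }
        }
    }
    return $findings;
}

// Constructed sample lines: one benign edit, one plain script tag, one
// double-encoded event handler, and one unrelated page that must be ignored.
$logLines = [
    '10.0.0.5 - - [09/Apr/2026:10:01:02 +0000] "GET /EditEventAttendees.php?EventID=12&EName=Sunday+Picnic HTTP/1.1" 200 5120',
    '10.0.0.9 - - [09/Apr/2026:10:03:44 +0000] "GET /EditEventAttendees.php?EventID=12&EName=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5133',
    '10.0.0.9 - - [09/Apr/2026:10:04:10 +0000] "GET /EditEventAttendees.php?EventID=12&EDesc=x%2522%2520onmouseover%253Dalert(1) HTTP/1.1" 200 5140',
    '10.0.0.7 - - [09/Apr/2026:10:05:00 +0000] "GET /index.php?q=%3Cb%3E HTTP/1.1" 200 800',
];

foreach ($logLines as $line) {
    foreach (scan_log_line($line) as $f) {
        printf("ALERT %s matched %s: %s\n", $f['param'], $f['rule'], $f['value']);
    }
}
// Expected: two ALERT lines (EName/html_tag, EDesc/event_handler); lines 1 and 4 are silent.
```

The third sample line matters most: a single urldecode() would leave `x%22%20onmouseover%3Dalert(1)` and the event-handler pattern would never fire, which is why the bounded multi-round decode comes before matching. Pair the output with the IoC list above (a hit here should prompt a look at the stored event record, not only at the request).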
How to Mitigate CVE-2026-39941
Immediate Actions Required
- Upgrade ChurchCRM to version 7.1.0 or later immediately
- Review existing event records for any injected malicious content and sanitize affected entries
- Implement Content Security Policy (CSP) headers to mitigate the impact of potential XSS attacks
- Educate administrators about the risks of clicking untrusted links while logged into ChurchCRM
Patch Information
The vulnerability has been addressed in ChurchCRM version 7.1.0. The fix applies proper XSS escaping using the InputUtils::escapeAttribute() function to all user-controlled values rendered in HTML attributes. Organizations should upgrade to this version or later to remediate the vulnerability.
For detailed patch information, refer to the GitHub Commit Details and the GitHub Release Version 7.1.0.
Workarounds
- Deploy a Web Application Firewall (WAF) with XSS protection rules in front of the ChurchCRM application
- Restrict access to ChurchCRM to trusted internal networks until the patch can be applied
- Implement HTTP-only and Secure flags on session cookies to limit the impact of potential session hijacking
- Add Content Security Policy headers to prevent inline script execution: Content-Security-Policy: script-src 'self'
# Example Apache configuration for CSP headers
<IfModule mod_headers.c>
# script-src 'self' blocks inline scripts, including any the application itself relies on.
# Roll out under Content-Security-Policy-Report-Only first and switch to the enforcing
# header once the reports show no legitimate breakage.
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
Header set X-Content-Type-Options "nosniff"
# X-XSS-Protection is a legacy, non-standard header that current browsers ignore;
# it is harmless to send but provides no protection on its own.
Header set X-XSS-Protection "1; mode=block"
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.