Is PHP affected by CVE-2026-39332?

ChurchCRM versions prior to 7.1.0 contain a reflected cross-site scripting (XSS) vulnerability in GeoPage.php that allows authenticated attackers to hijack administrator sessions and assume full administrative control through social engineering.

CVE-2026-39332

EUVD-2026-19827 HIGH

2026-04-07 GitHub_M

8.7

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Apr 07, 2026 - 18:00 euvd

EUVD-2026-19827

Analysis Generated

Apr 07, 2026 - 18:00 vuln.today

CVE Published

Apr 07, 2026 - 17:37 nvd

HIGH 8.7

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocus with no user interaction required, an attacker can steal session cookies and fully take over any victim account, including administrator accounts, by tricking them into submitting a crafted form. This vulnerability is fixed in 7.1.0.

Analysis

Reflected XSS in ChurchCRM GeoPage.php enables authenticated attackers to execute arbitrary JavaScript in victims' browsers and hijack administrator sessions without user interaction. The vulnerability affects all versions prior to 7.1.0 and leverages autofocus to automatically trigger malicious payloads when authenticated users are socially engineered into submitting a crafted form. …

Remediation

Within 24 hours: Inventory all ChurchCRM deployments and document current versions; notify administrators of the social engineering risk and restrict suspicious external links. Within 7 days: Upgrade to ChurchCRM version 7.1.0 or later if available; if unavailable, implement input validation and output encoding patches per vendor advisory, and consider disabling GeoPage.php functionality. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: 0

CVE-2026-39332 vulnerability details – vuln.today

Back

CVE-2026-39332

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-39332

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code