How to fix CVE-2026-39333?

Within 24 hours: Identify all ChurchCRM instances in your environment and document current versions (target: <7.1.0 are at risk). Within 7 days: Upgrade all ChurchCRM installations to version 7.1.0 or later. Restrict FindFundRaiser.php access to administrators only if upgrade cannot be completed. Within 30 days: Conduct post-upgrade verification testing, review access logs for suspicious FindFundRaiser.php activity, and provide staff security awareness training on phishing and malicious link risks.

Is PHP affected by CVE-2026-39333?

ChurchCRM versions prior to 7.1.0 contain a reflected XSS vulnerability in the FindFundRaiser.php endpoint that allows authenticated users to inject malicious scripts targeting other users, potentially leading to session hijacking and account compromise across the platform.

CVE-2026-39333

Q: Is PHP affected by CVE-2026-39333?

ChurchCRM versions prior to 7.1.0 contain a reflected XSS vulnerability in the FindFundRaiser.php endpoint that allows authenticated users to inject malicious scripts targeting other users, potentially leading to session hijacking and account compromise across the platform.

EUVD-2026-19829 HIGH

2026-04-07 GitHub_M

8.7

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Apr 07, 2026 - 18:00 euvd

EUVD-2026-19829

Analysis Generated

Apr 07, 2026 - 18:00 vuln.today

CVE Published

Apr 07, 2026 - 17:38 nvd

HIGH 8.7

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, he FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd) into HTML input field attributes without proper output encoding for the HTML attribute context. An authenticated attacker can craft a malicious URL that executes arbitrary JavaScript when visited by another authenticated user. This constitutes a reflected XSS vulnerability. This vulnerability is fixed in 7.1.0.

Analysis

Reflected cross-site scripting (XSS) in ChurchCRM versions prior to 7.1.0 allows authenticated attackers to execute arbitrary JavaScript in victims' browsers via crafted URLs targeting the FindFundRaiser.php endpoint. The vulnerability stems from improper output encoding of DateStart and DateEnd parameters in HTML attributes. …

Remediation

Within 24 hours: Identify all ChurchCRM instances in your environment and document current versions (target: <7.1.0 are at risk). Within 7 days: Upgrade all ChurchCRM installations to version 7.1.0 or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: 0

CVE-2026-39333 vulnerability details – vuln.today

Back

CVE-2026-39333

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-39333

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code