Which versions of Churchcrm are affected by CVE-2026-39338?

ChurchCRM versions prior to 7.1.0 contain a reflected cross-site scripting vulnerability in the dashboard search function that allows unauthenticated attackers to execute arbitrary JavaScript in…. A patch is available.

How to fix or mitigate CVE-2026-39338?

Within 24 hours: identify all ChurchCRM deployments and document current versions in use. Within 7 days: upgrade all ChurchCRM instances to version 7.1.0 or later; if immediate upgrade is not feasible, restrict dashboard access to authenticated users only and implement Web Application Firewall (WAF) rules to block malicious search parameters. Within 30 days: conduct security awareness training for users on phishing risks, audit access logs for indicators of XSS exploitation, and validate that the patched version is operating correctly in production.

Churchcrm CVE-2026-39338

Q: What is the CVSS score of CVE-2026-39338?

CVE-2026-39338 has a CVSS 4.0 base score of 8.6 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-19837 HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-04-07 security-advisories@github.com

XSS RCE Churchcrm

8.6

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.6 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:03 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

7.1.0

Re-analysis Queued

Apr 15, 2026 - 20:22 vuln.today

cvss_changed

EUVD ID Assigned

Apr 07, 2026 - 18:22 euvd

EUVD-2026-19837

Analysis Generated

Apr 07, 2026 - 18:22 vuln.today

CVE Published

Apr 07, 2026 - 18:16 nvd

HIGH 8.6

DescriptionGitHub Advisory

ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM dashboard. The application fails to sanitize or encode user-supplied input prior to rendering it within the browser's DOM. Although the application ultimately returns an HTTP 500 error due to the malformed API request caused by the payload, the browser's JavaScript engine parses and executes the injected <script> tags before the error response is returned - resulting in successful code execution regardless of the server-side error. This vulnerability is fixed in 7.1.0.

AnalysisAI

Reflected cross-site scripting (XSS) in ChurchCRM's dashboard search parameter allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers. Versions prior to 7.1.0 fail to sanitize user input, enabling payload execution even when server-side validation triggers HTTP 500 errors. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious URL with script tag in search parameter

Exploit

Send link to ChurchCRM user

Execution

Browser parses injected script before HTTP 500 error

Impact

Execute arbitrary JavaScript in victim's session