EUVD-2026-19772
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
3Description
ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM's Note Editor allows authenticated users with note-adding permissions to execute arbitrary JavaScript code in the context of other users' browsers, including administrators. This can lead to session hijacking, privilege escalation, and unauthorized access to sensitive church member data. This vulnerability is fixed in 6.5.3.
Analysis
Stored XSS in ChurchCRM Note Editor enables authenticated users to execute arbitrary JavaScript in victims' browsers, leading to session hijacking and privilege escalation against administrators managing sensitive church member data. Affects ChurchCRM versions prior to 6.5.3. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all ChurchCRM deployments and document current versions. Within 7 days: Upgrade all instances to ChurchCRM version 6.5.3 or later; apply the upgrade in a test environment first to validate compatibility. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today