Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
ChurchCRM is an open-source church management system. Prior to 7.1.0, he FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd) into HTML input field attributes without proper output encoding for the HTML attribute context. An authenticated attacker can craft a malicious URL that executes arbitrary JavaScript when visited by another authenticated user. This constitutes a reflected XSS vulnerability. This vulnerability is fixed in 7.1.0.
AnalysisAI
Reflected cross-site scripting (XSS) in ChurchCRM versions prior to 7.1.0 allows authenticated attackers to execute arbitrary JavaScript in victims' browsers via crafted URLs targeting the FindFundRaiser.php endpoint. The vulnerability stems from improper output encoding of DateStart and DateEnd parameters in HTML attributes. CVSS 8.7 reflects the changed scope (S:C) enabling potential session hijacking and account compromise across the church management platform. No public exploit code or active exploitation (CISA KEV) identified at time of analysis, though exploitation probability remains moderate given the authenticated requirement and user interaction dependency.
Technical ContextAI
ChurchCRM is a PHP-based open-source church management system (CPE: cpe:2.3:a:churchcrm:crm). The vulnerability manifests in FindFundRaiser.php where user-supplied DateStart and DateEnd parameters are reflected into HTML input field attributes without context-appropriate output encoding. This represents CWE-79 (Improper Neutralization of Input During Web Page Generation). The flaw occurs specifically in the HTML attribute context, allowing attackers to break out of attribute delimiters and inject malicious JavaScript payloads. Proper defense requires HTML attribute encoding (converting quotes, angle brackets, and JavaScript event handlers) before reflection into DOM attributes. The vulnerability exists in the fundraiser search functionality, a component likely accessed by church administrators and financial management users.
RemediationAI
Vendor-released patch: ChurchCRM version 7.1.0 remediates this vulnerability through proper output encoding implementation for HTML attribute contexts. Organizations should upgrade to ChurchCRM 7.1.0 or later immediately. Consult the official GitHub Security Advisory at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-fqq6-qrcf-h7h5 for specific upgrade instructions and release notes. As an interim mitigation where immediate patching is not feasible, implement Content Security Policy (CSP) headers to restrict inline script execution and configure web application firewalls (WAF) to detect and block XSS patterns in DateStart and DateEnd parameters. User awareness training should warn authenticated users against clicking untrusted links, particularly those containing fundraiser search parameters. However, these are defense-in-depth measures and do not substitute for upgrading to the patched version.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19829