What is the CVSS score of EUVD-2026-19849?

EUVD-2026-19849 has a CVSS 3.0 base score of 8.1 (High). CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Churchcrm are affected by EUVD-2026-19849?

ChurchCRM versions prior to 7.1.0 contain a reflected cross-site scripting vulnerability in the login page that allows unauthenticated attackers to execute malicious scripts in user browsers via…. A patch is available.

How to fix or mitigate EUVD-2026-19849?

Within 24 hours: Inventory all ChurchCRM deployments and document current versions. Within 7 days: Upgrade all ChurchCRM instances to version 7.1.0 or later per vendor advisory. Within 30 days: Conduct security awareness training for staff on recognizing suspicious login URLs and verify no unauthorized access occurred during the remediation window.

Churchcrm EUVD-2026-19849

| CVE-2026-39344 HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-04-07 security-advisories@github.com

XSS Information Disclosure Churchcrm

8.1

CVSS 3.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.1 HIGH

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:02 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

7.1.0

EUVD ID Assigned

Apr 07, 2026 - 18:22 euvd

EUVD-2026-19849

Analysis Generated

Apr 07, 2026 - 18:22 vuln.today

CVE Published

Apr 07, 2026 - 18:16 nvd

HIGH 8.1

DescriptionGitHub Advisory

ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting (XSS) vulnerability on the login page, which is caused by the lack of sanitization or encoding of the username parameter received from the URL. The username parameter value is directly displayed in the login page input element without filter, allowing attackers to insert malicious JavaScript scripts. If successful, script can be executed on the client side, potentially stealing sensitive data such as session cookies or replacing the display to show the attacker's login form. This vulnerability is fixed in 7.1.0.

AnalysisAI

Reflected Cross-Site Scripting (XSS) in ChurchCRM login page allows remote attackers to execute arbitrary JavaScript in victims' browsers through malicious URLs containing unsanitized username parameters. ChurchCRM versions prior to 7.1.0 fail to encode the username parameter, enabling attackers to craft URLs that inject malicious scripts capable of stealing session cookies or displaying phishing forms. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious URL with XSS payload in username parameter

Delivery

Send link to ChurchCRM user

Exploit

Browser renders unsanitized username in login page

Execution

Execute attacker JavaScript in user context

Impact

Steal session cookies or capture credentials