{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32880", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T21:03:44.420Z", "datePublished": "2026-03-20T01:04:08.408Z", "dateUpdated": "2026-03-20T14:41:30.274Z"}, "containers": {"cna": {"title": "ChurchCRM is vulnerable to Stored XSS through JSON handling in SystemSettings.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-7gq6-xmpx-qc7c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-7gq6-xmpx-qc7c"}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"version": "< 7.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T01:04:08.408Z"}, "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in SystemSettings.php, leading to XSS. This issue has been fixed in version 7.0.2."}], "source": {"advisory": "GHSA-7gq6-xmpx-qc7c", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-7gq6-xmpx-qc7c", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T14:41:26.787045Z", "id": "CVE-2026-32880", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:41:30.274Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32880", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T14:41:26.787045Z"}}}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-7gq6-xmpx-qc7c", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:41:06.418Z"}}], "cna": {"title": "ChurchCRM is vulnerable to Stored XSS through JSON handling in SystemSettings.php", "source": {"advisory": "GHSA-7gq6-xmpx-qc7c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"status": "affected", "version": "< 7.0.2"}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-7gq6-xmpx-qc7c", "name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-7gq6-xmpx-qc7c", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in SystemSettings.php, leading to XSS. This issue has been fixed in version 7.0.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T01:04:08.408Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32880", "state": "PUBLISHED", "dateUpdated": "2026-03-20T14:41:30.274Z", "dateReserved": "2026-03-16T21:03:44.420Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T01:04:08.408Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "836ADAC7-F783-494E-8050-B7D4DB6AC05C", "versionEndExcluding": "7.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in SystemSettings.php, leading to XSS. This issue has been fixed in version 7.0.2."}], "id": "CVE-2026-32880", "lastModified": "2026-03-23T15:29:56.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T02:16:36.067", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-7gq6-xmpx-qc7c"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-7gq6-xmpx-qc7c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.0.2)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "CRM", "source": "cna", "vendor": "ChurchCRM"}, "product": "churchcrm", "vendor": "churchcrm"}], "analysis": {"en": {"generated_at": "2026-03-23T16:29:46.282020+00:00", "value": {"mitigation_remediation": ["Upgrade ChurchCRM to version 7.0.2 or later to apply the fix that properly sanitizes the JSON input.", "If an upgrade is not immediately feasible, restrict access to the system settings page to a minimal set of trusted administrators and monitor for unusual script activity.", "Verify that the JSON handling code has been patched and that no legacy scripts remain."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All ChurchCRM installations running a version earlier than 7.0.2 are affected. The vulnerability was identified in the open\u2011source church management system under the vendor product ChurchCRM:CRM. The issue was resolved in the 7.0.2 release, so any deployment on 7.0.2 or later is not vulnerable.", "description_and_impact": "The vulnerability exists in ChurchCRM\u2019s SystemSettings.php, where JSON input for system settings is accepted without necessary escaping or sanitization. An administrator can embed a malicious JavaScript payload into the JSON, which will be rendered unfiltered when another administrator views the settings. This leads to stored cross\u2011site scripting, permitting an attacker with administrative access to execute arbitrary client\u2011side code in other admins\u2019 browsers, potentially stealing session cookies, logging keystrokes, or defacing the application.", "risk_and_exploitability": "The CVSS base score is 6.4, indicating a moderate severity. The EPSS probability is below 1%, making widespread exploitation unlikely. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an account with administrative privileges; once satisfied, the attacker can inject malicious scripts that will execute in the browsers of other administrators who view the affected settings. While remote exploitation from an unauthenticated user is not possible, an insider or compromised admin account could pose significant risk to the integrity and confidentiality of the system."}}}}, "created": "2026-03-20T08:53:40.756126+00:00", "updated": "2026-03-25T14:10:11.037130+00:00", "vendors": ["churchcrm", "churchcrm$PRODUCT$churchcrm"]}