{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39332", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T20:28:38.393Z", "datePublished": "2026-04-07T17:37:23.574Z", "dateUpdated": "2026-04-08T14:41:01.071Z"}, "containers": {"cna": {"title": "ChurchCRM has Reflected Cross-Site Scripting (XSS) in GeoPage.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hc6g-h48v-wqvq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hc6g-h48v-wqvq"}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"version": "< 7.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:37:23.574Z"}, "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocus with no user interaction required, an attacker can steal session cookies and fully take over any victim account, including administrator accounts, by tricking them into submitting a crafted form. This vulnerability is fixed in 7.1.0."}], "source": {"advisory": "GHSA-hc6g-h48v-wqvq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:40:51.648714Z", "id": "CVE-2026-39332", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:41:01.071Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39332", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T14:40:51.648714Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:40:56.523Z"}}], "cna": {"title": "ChurchCRM has Reflected Cross-Site Scripting (XSS) in GeoPage.php", "source": {"advisory": "GHSA-hc6g-h48v-wqvq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"status": "affected", "version": "< 7.1.0"}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hc6g-h48v-wqvq", "name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hc6g-h48v-wqvq", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocus with no user interaction required, an attacker can steal session cookies and fully take over any victim account, including administrator accounts, by tricking them into submitting a crafted form. This vulnerability is fixed in 7.1.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:37:23.574Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39332", "state": "PUBLISHED", "dateUpdated": "2026-04-08T14:41:01.071Z", "dateReserved": "2026-04-06T20:28:38.393Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T17:37:23.574Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "BF846F61-0C1E-49AB-B691-A01937A6C24D", "versionEndExcluding": "7.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocus with no user interaction required, an attacker can steal session cookies and fully take over any victim account, including administrator accounts, by tricking them into submitting a crafted form. This vulnerability is fixed in 7.1.0."}], "id": "CVE-2026-39332", "lastModified": "2026-04-10T20:58:07.087", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T18:16:44.717", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hc6g-h48v-wqvq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.1.0)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "CRM", "source": "cna", "vendor": "ChurchCRM"}, "product": "churchcrm", "vendor": "churchcrm"}], "analysis": {"en": {"generated_at": "2026-04-10T23:08:33.022048+00:00", "value": {"mitigation_remediation": ["Apply the official ChurchCRM update to version 7.1.0 or newer", "Verify that GeoPage.php no longer accepts malicious input after the update", "If an immediate update is not feasible, restrict access to GeoPage.php so that only administrators can submit forms to eliminate the injection opportunity"], "summary": {"action": "Immediate patch", "impact": "Session hijacking and account takeover"}, "threat_synthesis": {"affected_systems": "The vulnerable product is ChurchCRM:CRM. All installations running any version earlier than 7.1.0 are susceptible; versions 7.1.0 and newer contain the fix.", "description_and_impact": "ChurchCRM\u2019s GeoPage.php has a reflected cross\u2011site scripting flaw that allows an authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. The injected code automatically executes via autofocus without user interaction, enabling the attacker to steal session cookies and assume control of the victim\u2019s account, including administrative privileges.", "risk_and_exploitability": "The CVSS base score of 8.7 indicates high severity, while the EPSS score of less than 1% suggests a low historical exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Two conditions are required for exploitation: the attacker must be authenticated and submit a crafted form; once done, the payload auto\u2011executes. The likely attack vector is authenticated web requests directed at GeoPage.php. Prompt remediation is recommended to prevent account takeover."}}}}, "created": "2026-04-08T19:47:05.814196+00:00", "updated": "2026-04-13T14:26:34.228984+00:00", "vendors": ["churchcrm", "churchcrm$PRODUCT$churchcrm"]}