Back to overview

CVE-2026-58411

HIGH
7.0
CVSS 4.0
Description
ChurchCRM is an open-source church management system. Prior to version 7.4.0, Cross-Site Scripting (XSS) vulnerabilities were identified due to insufficient output encoding of user-controlled request parameter names and parameter values. The application reflects attacker-controlled input into JavaScript string contexts and HTML attribute contexts without proper sanitization or contextual output encoding. Affected endpoints observed during testing: /FamilyCustomFieldsEditor.php, /PaddleNumList.php and /admin/system/church-info. Potential consequences include session-token theft, account takeover, unauthorized actions on behalf of authenticated users, exposure of sensitive church member information, credential harvesting, phishing, and privilege escalation when administrators are targeted. This issue has been resolved in version 7.4.0.

Metadata

CVE ID
CVE-2026-58411
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-30 18:19 UTC
Published
2026-07-13 21:05 UTC
Last updated
2026-07-13 21:05 UTC
Primary CWE
CWE-79
CWE-79: Improper Neutralization of Input During Web Page Gen…
Vendor / Product
ChurchCRM / CRM
Sources
cve.org  ·  NVD

Severity & Metrics

7.0 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N
Affected products (1)
VendorProductPlatformVersions
ChurchCRM CRM < 7.4.0
Weakness (CWE)
CWESourceDescription
CWE-79 cna CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.0 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N
References (1)
Back to overview