{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39335", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T20:28:38.393Z", "datePublished": "2026-04-07T17:23:08.968Z", "dateUpdated": "2026-04-08T18:47:09.445Z"}, "containers": {"cna": {"title": "ChurchCRM has Stored XSS via Unescaped data-* Attributes in Group/Family Controls", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44j4-jjw2-wcr6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44j4-jjw2-wcr6"}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"version": "< 7.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:23:08.968Z"}, "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.1, there is Stored XSS in group remove control and family editor state/country. This is primarily an admin-to-admin stored XSS path when writable entity fields are abused. This vulnerability is fixed in 7.1.1."}], "source": {"advisory": "GHSA-44j4-jjw2-wcr6", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44j4-jjw2-wcr6", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T18:47:04.886359Z", "id": "CVE-2026-39335", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:47:09.445Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39335", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T18:47:04.886359Z"}}}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44j4-jjw2-wcr6", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:46:59.234Z"}}], "cna": {"title": "ChurchCRM has Stored XSS via Unescaped data-* Attributes in Group/Family Controls", "source": {"advisory": "GHSA-44j4-jjw2-wcr6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"status": "affected", "version": "< 7.1.1"}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44j4-jjw2-wcr6", "name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44j4-jjw2-wcr6", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.1, there is Stored XSS in group remove control and family editor state/country. This is primarily an admin-to-admin stored XSS path when writable entity fields are abused. This vulnerability is fixed in 7.1.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:23:08.968Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39335", "state": "PUBLISHED", "dateUpdated": "2026-04-08T18:47:09.445Z", "dateReserved": "2026-04-06T20:28:38.393Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T17:23:08.968Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.1.1, there is Stored XSS in group remove control and family editor state/country. This is primarily an admin-to-admin stored XSS path when writable entity fields are abused. This vulnerability is fixed in 7.1.1."}], "id": "CVE-2026-39335", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T18:16:45.307", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44j4-jjw2-wcr6"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44j4-jjw2-wcr6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-07T22:02:16.652652+00:00", "value": {"mitigation_remediation": ["Apply ChurchCRM patch to version 7.1.1 or later to remove the unescaped data-* attributes. If the upgrade cannot be performed immediately, sanitize any data-* attribute values in the affected forms or block their use in all administrative interfaces. Ensure that only trusted administrators have access to editing group and family information to reduce the chance of malicious input."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011cripting"}, "threat_synthesis": {"affected_systems": "All non\u2011upgraded installations of ChurchCRM version 7.1.0 or earlier are affected. The problem exists specifically in the group management and family editor features of the system. The issue has been fixed in version 7.1.1 and later.", "description_and_impact": "The vulnerability allows an attacker with administrative privileges to inject arbitrary JavaScript through unescaped data-* attributes in group removal controls and family editor state/country fields. This stored XSS can run in the context of other administrators or users who view the affected page, potentially enabling credential theft, session hijacking, or phishing attacks against those users. The underlying weakness is reflected in the CWE-79 class of input validation errors.", "risk_and_exploitability": "The report assigns a CVSS base score of 6.1, indicating a moderate severity. No exploit probability assessment is available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be an administrative action that writes malformed data into the system, which is then rendered later in a user interface without proper escaping. Because the vulnerability requires an attacker to already have admin-level access, the overall risk is limited to organizations that do not enforce strict role separation."}}}}, "created": "2026-04-08T19:47:17.030019+00:00", "updated": "2026-04-08T19:47:17.030051+00:00", "vendors": []}