CVE-2026-39344

HIGH 8.1

Reflected XSS the login page through the 'username' parameter

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

10th

ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting (XSS) vulnerability on the login page, which is caused by the lack of sanitization or encoding of the username parameter received from the URL. The username parameter value is directly displayed in the login page input element without filter, allowing attackers to insert malicious JavaScript scripts. If successful, script can be executed on the client side, potentially stealing sensitive data such as session cookies or replacing the display to show the attacker's login form. This vulnerability is fixed in 7.1.0.

CWE	CWE-80 CWE-79
Vendor	churchcrm
Product	crm
Published	Apr 7, 2026
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for churchcrm crm

Be the first to know when new high vulnerabilities affecting churchcrm crm are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Affected Versions

ChurchCRM / CRM

< 7.1.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-rx8c-j7x8-w3hj