๐Ÿ” CVE Alert

CVE-2026-58411

UNKNOWN 0.0

ChurchCRM has Reflected Cross-Site Scripting (XSS) via unsanitized request parameter names and values

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

ChurchCRM is an open-source church management system. Prior to version 7.4.0, Cross-Site Scripting (XSS) vulnerabilities were identified due to insufficient output encoding of user-controlled request parameter names and parameter values. The application reflects attacker-controlled input into JavaScript string contexts and HTML attribute contexts without proper sanitization or contextual output encoding. Affected endpoints observed during testing: /FamilyCustomFieldsEditor.php, /PaddleNumList.php and /admin/system/church-info. Potential consequences include session-token theft, account takeover, unauthorized actions on behalf of authenticated users, exposure of sensitive church member information, credential harvesting, phishing, and privilege escalation when administrators are targeted. This issue has been resolved in version 7.4.0.

CWE CWE-79
Vendor churchcrm
Product crm
Published Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for churchcrm crm

Be the first to know when new unknown vulnerabilities affecting churchcrm crm are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

ChurchCRM / CRM
< 7.4.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p6j6-vrpg-4pp8