Home / Vulnerability Intelligence / CVE-2026-39328

CVE-2026-39328 - Vulnerability Analysis

HighCVSS: 8.9

Last Updated: April 8, 2026

ChurchCRM - Stored XSS

Published: April 7, 2026Updated: April 8, 2026Remote Exploitable

Overview

ChurchCRM < 7.1.0 contains a stored cross-site scripting caused by improper sanitization in person profile editing fields, letting non-administrative users with EditSelf permission execute JavaScript to steal session cookies, exploit requires user profile viewing.

Severity & Score

Severity: High

CVSS Score: 8.9

EPSS Score: 4.0%(Probability of exploitation in next 30 days)

Impact

Attackers can steal session cookies of users viewing the malicious profile, leading to account takeover.

Mitigation

Update to version 7.1.0 or later.

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-fcp5-pwvj-v7xm

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 8, 2026

🟠 CVE-2026-39328 - High (8.9) ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject mali... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-39328/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-39328
Severity: High
CVSS Score: 8.9
Type: stored_xss
Status: unconfirmed
EPSS: 4.0%
Social Posts: 1

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

EPSS Score

4.0%Probability of exploitation in the next 30 days