Home / Vulnerability Intelligence / CVE-2026-39333

CVE-2026-39333 - Vulnerability Analysis

HighCVSS: 8.7

Last Updated: April 8, 2026

ChurchCRM - Reflected XSS

Published: April 7, 2026Updated: April 8, 2026Remote Exploitable

Overview

ChurchCRM < 7.1.0 contains a reflected XSS caused by improper output encoding of DateStart and DateEnd parameters in FindFundRaiser.php, letting authenticated attackers execute arbitrary JavaScript via crafted URLs.

Severity & Score

Severity: High

CVSS Score: 8.7

EPSS Score: 3.2%(Probability of exploitation in next 30 days)

Impact

Authenticated attackers can execute arbitrary JavaScript in other users' browsers, potentially stealing session data or performing actions on their behalf.

Mitigation

Update to version 7.1.0 or later.

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-fqq6-qrcf-h7h5

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 8, 2026

🟠 CVE-2026-39333 - High (8.7) ChurchCRM is an open-source church management system. Prior to 7.1.0, he FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd) into HTML input field attributes without proper output encoding for the HTML attribute contex... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-39333/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-39333
Severity: High
CVSS Score: 8.7
Type: reflected_xss
Status: unconfirmed
EPSS: 3.2%
Social Posts: 1

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS Score

3.2%Probability of exploitation in the next 30 days