Description
ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerability occurs in Create Events in Church Calendar. Users with low privileges can create XSS payloads in the Description field. This payload is stored in the database, and when other users view that event (including the admin), the payload is triggered, leading to account takeover. Version 6.7.2 fixes the vulnerability.
References (3)
Core 3
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-49qp-cfqx-c767
Patch x_refsource_misc
https://github.com/ChurchCRM/CRM/commit/0cd0d211459b8c19509d36b3c1dfcd7f8c10d914
Patch x_refsource_misc
https://github.com/ChurchCRM/CRM/commit/ec4b16e9a3ca09c8a01a712bcb90579c42f2ba28
Scores
CVSS v3
5.4
EPSS
0.0004
EPSS Percentile
12.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-79
Status
published
Products (1)
churchcrm/churchcrm
< 6.7.2
Published
Jan 30, 2026
Tracked Since
Feb 18, 2026