ChurchCRM Reflected Cross-Site Scripting Vulnerability in Login Page

Vulnerability

A reflected cross-site scripting vulnerability has been identified in ChurchCRM versions prior to 7.1.0. The login page takes the username parameter from the URL query string and writes it back into the page without sanitizing or HTML-encoding it. An attacker who gets a victim to open a crafted link can therefore inject JavaScript that runs in the victim's browser, in the origin of the ChurchCRM instance. Successful exploitation could expose sensitive information such as session cookies (where the cookie is not marked HttpOnly) or let the attacker rewrite the page, for example replacing the login form with one that sends the victim's credentials to the attacker.

Impact

Exploitation of this vulnerability results in reflected cross-site scripting: the injected script executes in the victim's browser with the privileges of the ChurchCRM page, so it can read whatever that page can read and act on the user's behalf within the application.

Reproduction

To reproduce this vulnerability, open the login page with a crafted username parameter appended to the URL's query string. The injected script executes as soon as the page loads, with no further interaction. Because the flaw is reflected rather than stored, the script only runs in the browser of a user who actually opens the crafted link.
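The following is an added illustration of the bug class described in the Vulnerability and Reproduction sections above; it is not ChurchCRM's code. It shows a login form that writes the username parameter into an attribute value unencoded, the same form with output encoding applied, and a small classifier that tells a tester whether a response reflected the probe byte-for-byte, entity-encoded, or not at all. The login path, template fragment, hostname, function names and the sample payload are assumptions; only the parameter name, username, comes from the advisory.

```python
"""Reflected XSS via a login page's username parameter: the unsafe reflection
the advisory describes, an encoded version, and a check for which one a
response exhibits.

Added illustration; this is not ChurchCRM's code. The login path, template
fragment, hostname, function names and the sample payload are assumptions.
Only the parameter name, username, comes from the advisory."""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample payload. It closes the value="..." attribute and adds an
# element whose onerror handler runs, so it works without a <script> tag.
SAMPLE_PAYLOAD = '"><img src=x onerror=alert(document.domain)>'

# Hypothetical base URL of a ChurchCRM login page (assumption, not a real host).
BASE_URL = "https://churchcrm.example.invalid/login"


def crafted_login_url(base_url: str, payload: str) -> str:
    """Build the link an attacker would send: the payload URL-encoded into the
    username query parameter."""
    return f"{base_url}?username={quote(payload, safe='')}"


def username_from_url(url: str) -> str:
    """What the server sees: the decoded username parameter (first value, or '')."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("username", [""])[0]


def render_login_vulnerable(username: str) -> str:
    """Writes the parameter straight into an attribute value, the bug class the
    advisory describes. Deliberately unsafe, kept for comparison only."""
    return (
        '<form method="post" action="/login">'
        f'<input type="text" name="username" value="{username}">'
        '<input type="password" name="password">'
        '<button type="submit">Login</button></form>'
    )


def render_login_fixed(username: str) -> str:
    """Same page with output encoding for the attribute context. html.escape
    with quote=True turns & < > " ' into entities, so the value can neither end
    the attribute nor open a new tag. (A generic fix, not necessarily the one
    ChurchCRM 7.1.0 shipped.)"""
    safe = html.escape(username, quote=True)
    return (
        '<form method="post" action="/login">'
        f'<input type="text" name="username" value="{safe}">'
        '<input type="password" name="password">'
        '<button type="submit">Login</button></form>'
    )


def classify_reflection(body: str, payload: str) -> str:
    """Tell apart the three outcomes a tester sees in the response body:
    'unencoded'  the payload came back byte-for-byte, metacharacters intact
    'encoded'    it came back only in entity-encoded form (reflected but inert)
    'absent'     it was dropped or rewritten beyond recognition
    """
    if payload in body:
        return "unencoded"
    if html.escape(payload, quote=True) in body:
        return "encoded"
    return "absent"


def probe(url: str, renderer) -> str:
    """Offline stand-in for the advisory's reproduction step: feed the crafted
    URL's username to a page renderer and classify how it was reflected."""
    payload = username_from_url(url)
    return classify_reflection(renderer(payload), payload)


if __name__ == "__main__":
    link = crafted_login_url(BASE_URL, SAMPLE_PAYLOAD)
    print("crafted link:   ", link)
    print("vulnerable page:", probe(link, render_login_vulnerable))
    print("fixed page:     ", probe(link, render_login_fixed))
```

When testing a live instance, the same classification applies to the real response body: a probe that comes back "unencoded" in an attribute or text context is the reflected XSS the advisory describes, while "encoded" means the value is reflected but the encoding is doing its job. Note that `onerror=` itself survives the encoding in the fixed output; only the characters that change the HTML structure are replaced, which is exactly what contextual output encoding is meant to do.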

Remediation

Upgrade to ChurchCRM version 7.1.0 or later, which addresses this vulnerability.

Added: Apr 7, 2026, 8:08 PM
Updated: Apr 7, 2026, 8:08 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 2.3
exploitability: 7.5
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.