ChurchCRM Group View JavaScript Injection
CVE-2026-26059
Summary
An authenticated user with group editing permissions can store malicious JavaScript in ChurchCRM that executes when the group is viewed in the Group View. This could potentially allow the attacker to steal sensitive information or take control of the system. Users should update to ChurchCRM version 6.8.2 or later to prevent this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| churchcrm | churchcrm | <= 6.8.2 | – |
Original title
ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would e...
Original description
ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would execute when the group was viewed in the Group View. Version 6.8.2 fixes this issue.
NVD CVSS 3.1: 5.4
NVD CVSS 4.0: 2.1
Vulnerability type
CWE-79: Cross-site Scripting (XSS)
References
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-3wp4-vpr7-47q6 (Exploit, Vendor Advisory)
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026