CVE-2026-32880

ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in SystemSettings.php, leading to XSS. This issue has been fixed in version 7.0.2.

CVSS v3 6.4 MEDIUM

6.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 5.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-7gq6-xmpx-qc7c	Exploit Mitigation Vendor Advisory
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-7gq6-xmpx-qc7c	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-20 02:16

Updated : 2026-03-23 15:29

NVD link : CVE-2026-32880

Mitre link : CVE-2026-32880

CVE.ORG link : CVE-2026-32880

JSON object : View

Products Affected

churchcrm

churchcrm

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-32880", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.5, "exploitabilityScore": 0.9}]}, "published": "2026-03-20T02:16:36.067", "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-7gq6-xmpx-qc7c", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-7gq6-xmpx-qc7c", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in SystemSettings.php, leading to XSS. This issue has been fixed in version 7.0.2."}, {"lang": "es", "value": "ChurchCRM es un sistema de gesti\u00f3n de iglesias de c\u00f3digo abierto. Las versiones anteriores a la 7.0.2 permiten a un usuario administrador editar la configuraci\u00f3n del sistema de tipo JSON para almacenar una carga \u00fatil de JavaScript que puede ejecutarse cuando cualquier administrador ve la configuraci\u00f3n del sistema. La entrada JSON se deja sin escapar/sanear en SystemSettings.PHP, lo que lleva a XSS. Este problema ha sido solucionado en la versi\u00f3n 7.0.2."}], "lastModified": "2026-03-23T15:29:56.827", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "836ADAC7-F783-494E-8050-B7D4DB6AC05C", "versionEndExcluding": "7.0.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}