7.2
CVE-2026-24855
- EPSS 0.21%
- Veröffentlicht 30.01.2026 15:08:31
- Zuletzt bearbeitet 17.02.2026 14:32:44
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginChurchCRM has Stored Cross-Site Scripting (XSS) in Create Events in Church Calendar, Leading to Account Takeover
ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerability occurs in Create Events in Church Calendar. Users with low privileges can create XSS payloads in the Description field. This payload is stored in the database, and when other users view that event (including the admin), the payload is triggered, leading to account takeover. Version 6.7.2 fixes the vulnerability.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.21% | 0.109 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
| security-advisories@github.com | 7.2 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-49qp-cfqx-c767
https://github.com/ChurchCRM/CRM/commit/0cd0d211459b8c19509d36b3c1dfcd7f8c10d914
https://github.com/ChurchCRM/CRM/commit/ec4b16e9a3ca09c8a01a712bcb90579c42f2ba28