SB2026040985 - Multiple vulnerabilities in ChurchCRM

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2025-67876)

The vulnerability allows a remote user to execute arbitrary script in a victim's browser and hijack an administrator session.

The vulnerability exists due to cross-site scripting in the group role name handling in GroupEditor.php, GroupView.php, and PersonView.php when processing and rendering user-supplied group role names. A remote user can inject a persistent JavaScript payload into a group role name to execute arbitrary script in a victim's browser and hijack an administrator session.

User interaction is required when a user views a page that displays the malicious role, such as GroupView.php or PersonView.php.

2) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2026-39335)

The vulnerability allows a remote user to execute arbitrary script in a victim's browser session.

The vulnerability exists due to cross-site scripting in group and family controls when rendering persisted values inside HTML data-* attributes without attribute-safe escaping. A remote privileged user can store a specially crafted value that breaks out of an attribute and injects executable event handlers to execute arbitrary script in a victim's browser session.

User interaction is required to load the affected page or trigger the vulnerable control.

Remediation

Install update from vendor's website.

References

• https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j9gv-26c7-3qrh
• https://github.com/advisories/GHSA-j9gv-26c7-3qrh
• https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44j4-jjw2-wcr6