Zero Day Monitor (ZDM)
CVE-2026-26059 · PATCHED · CVSS 5.4
churchcrm · churchcrm

Description

ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would execute when the group was viewed in the Group View. Version 6.8.2 fixes this issue.

Affected Products

Vendor: churchcrm
Product: churchcrm
Versions: < 6.8.2

References

  • https://github.com/ChurchCRM/CRM/security/advisories/GHSA-3wp4-vpr7-47q6 (Exploit, Vendor Advisory)

CVSS 3.1: 5.4 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA KEV: No
Actively exploited: No
Patch available: 6.8.2
CWE: CWE-79
Published: Feb 19, 2026
Last enriched: 6d ago
Trending Score: 0
Source articles: 0
Independent: 0
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

CRITICAL · CVE-2026-39330 · EXP
ChurchCRM has a Blind SQL injection in PropertyAssign.php
Trending: 63

CRITICAL · CVE-2026-39334 · EXP
ChurchCRM has a Blind SQL injection in SettingsIndividual.php
Trending: 63

HIGH · CVE-2026-39327 · EXP
ChurchCRM has a SQL injection in MemberRoleChange.php
Trending: 60

HIGH · CVE-2026-39341 · EXP
SQL injection in ChurchCRM.0
Trending: 60

HIGH · CVE-2026-39323 · EXP
ChurchCRM has a SQL Injection in PropertyTypeEditor.php with Cross-Page Data Exposure
Trending: 60

Verification

State: verified
Confidence: 100%

Vulnerability Timeline

CVE Published: Feb 19, 2026
Patch Available: Feb 20, 2026
Discovered by ZDM: Apr 1, 2026