CVE-2026-24855

low-risk

Published 2026-01-30

ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerability occurs in Create Events in Church Calendar. Users with low privileges can create XSS payloads in the Description field. This payload is stored in the database, and when other users view that event (including the admin), the payload is triggered, leading to account takeover. Version 6.7.2 fixes the vulnerability.

Do I need to act?

0.04% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.4/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Churchcrm

Affected Vendors

Churchcrm

References (3)

Patch https://github.com/ChurchCRM/CRM/commit/0cd0d211459b8c19509d36b3c1dfcd7f8c10d914

Patch https://github.com/ChurchCRM/CRM/commit/ec4b16e9a3ca09c8a01a712bcb90579c42f2ba28

Exploit https://github.com/ChurchCRM/CRM/security/advisories/GHSA-49qp-cfqx-c767

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal