CVE-2026-24855

Severity CVSS v4.0:

HIGH

Type:

CWE-79 Cross-Site Scripting (XSS)

Publication date:

30/01/2026

Last modified:

30/01/2026

Description

ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerability occurs in Create Events in Church Calendar. Users with low privileges can create XSS payloads in the Description field. This payload is stored in the database, and when other users view that event (including the admin), the payload is triggered, leading to account takeover. Version 6.7.2 fixes the vulnerability.

Impact

Vector 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:P CVSS v4.0 Severity and Metrics:

Base Score: 7.20 HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:P

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): Low
User Interaction (UI): Passsive
Confidentiality (VC): None
Integrity (VI): High
Availability (VA): None
Confidentiality (SC): High
Integrity (SI): High
Availability (SA): High
Exploit Maturity (E): POC

Base Score 4.0

7.20

Severity 4.0

HIGH

CVE-2026-24855

Description

Impact

References to Advisories, Solutions, and Tools