CVE-2025-67876

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-67876

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67876.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-67876

Aliases

GHSA-j9gv-26c7-3qrh

Published

2025-12-17T21:18:21.484Z

Modified

2026-03-14T12:44:43.792048Z

Severity

9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L CVSS Calculator

Summary

ChurchCRM has Stored XSS in Group Role Name Leading to Admin Session Hijacking

Details

ChurchCRM is an open-source church management system. A stored cross-site scripting (XSS) vulnerability exists in ChurchCRM versions 6.4.0 and prior that allows a low-privilege user with the “Manage Groups” permission to inject persistent JavaScript into group role names. The payload is saved in the database and executed whenever any user (including administrators) views a page that displays that role, such as GroupView.php or PersonView.php. This allows full session hijacking and account takeover. As of time of publication, no known patched versions are available.

Database specific

{
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/67xxx/CVE-2025-67876.json"
}

References

Affected packages

Git / github.com/churchcrm/crm

Affected ranges

Type

GIT

Repo

https://github.com/churchcrm/crm

Events

Introduced

Last affected

8d2b9f4d0f438e406ca614d197a581d367145e61

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "6.4.0"
        }
    ]
}

Affected versions

2.*

2.0.0

2.0.1

2.1.0

2.1.1

2.1.10

2.1.11

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.9

2.10.0

2.10.1

2.10.2

2.10.3

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.5.0

2.5.1

2.5.2

2.6.0

2.6.1

2.6.2

2.6.3

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.5

2.8.0

2.8.0-RC1

2.8.0-RC2

2.8.1

2.8.10

2.8.11

2.8.12

2.8.13

2.8.14

2.8.15

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.8.7

2.8.8

2.8.9

2.9.0

2.9.0-RC1

2.9.1

2.9.2

2.9.3

2.9.4

3.*

3.0.0

3.0.1

3.0.10

3.0.11

3.0.12

3.0.13

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.8

3.0.9

3.1.0

3.1.1

3.1.2

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.3.0

3.3.1

3.3.2

3.4.0

3.5.0

3.5.1

3.5.2

3.5.3

3.5.4

3.5.5

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.2.0

4.2.1

4.2.2

4.2.3

4.3.0

4.3.1

4.3.2

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

5.*

5.0.0

5.0.0-beta1

5.0.0-beta2

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.1.0

5.1.1

5.10.0

5.11.0

5.12.0

5.13.0

5.14.0

5.15.0

5.16.0

5.17.0

5.18.0

5.19.0

5.2.0

5.2.1

5.2.2

5.2.3

5.21.0

5.22.0

5.3.0

5.3.1

5.4.0

5.4.1

5.4.2

5.4.3

5.5.0

5.6.0

5.7.0

5.8.0

5.9.1

5.9.2

5.9.3

6.*

6.0.0

6.0.1

6.0.2

6.1.0

6.2.0

6.3.0

6.4.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67876.json"