CVE-2026-32880

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-32880

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32880.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-32880

Aliases

GHSA-7gq6-xmpx-qc7c

Published

2026-03-20T01:04:08.408Z

Modified

2026-04-10T05:42:30.773884Z

Severity

6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L CVSS Calculator

Summary

ChurchCRM is vulnerable to Stored XSS through JSON handling in SystemSettings.php

Details

ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in SystemSettings.php, leading to XSS. This issue has been fixed in version 7.0.2.

Database specific

{
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32880.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/churchcrm/crm

Affected ranges

Type

GIT

Repo

https://github.com/churchcrm/crm

Events

Introduced

Fixed

6c17e8242568718eedadd1aed0f848bb31e14c52

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "7.0.2"
        }
    ]
}

Affected versions

2.*

2.0.0

2.0.1

2.1.0

2.1.1

2.1.10

2.1.11

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.9

2.10.0

2.10.1

2.10.2

2.10.3

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.5.0

2.5.1

2.5.2

2.6.0

2.6.1

2.6.2

2.6.3

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.5

2.8.0

2.8.0-RC1

2.8.0-RC2

2.8.1

2.8.10

2.8.11

2.8.12

2.8.13

2.8.14

2.8.15

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.8.7

2.8.8

2.8.9

2.9.0

2.9.0-RC1

2.9.1

2.9.2

2.9.3

2.9.4

3.*

3.0.0

3.0.1

3.0.10

3.0.11

3.0.12

3.0.13

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.8

3.0.9

3.1.0

3.1.1

3.1.2

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.3.0

3.3.1

3.3.2

3.4.0

3.5.0

3.5.1

3.5.2

3.5.3

3.5.4

3.5.5

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.2.0

4.2.1

4.2.2

4.2.3

4.3.0

4.3.1

4.3.2

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

5.*

5.0.0

5.0.0-beta1

5.0.0-beta2

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.1.0

5.1.1

5.10.0

5.11.0

5.13.0

5.14.0

5.15.0

5.16.0

5.17.0

5.18.0

5.19.0

5.2.0

5.2.1

5.2.2

5.2.3

5.21.0

5.22.0

5.3.0

5.3.1

5.4.0

5.4.1

5.4.3

5.5.0

5.6.0

5.7.0

5.8.0

5.9.1

5.9.2

5.9.3

6.*

6.0.0

6.0.1

6.0.2

6.1.0

6.2.0

6.3.0

6.4.0

6.5.0

6.5.1

6.5.2

6.5.3

6.6.0

6.6.1

6.7.0

6.7.1

6.7.2

6.7.3

6.8.0

6.8.1

7.*

7.0.0

7.0.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32880.json"