Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2026-24855
Analyzed
More InfoOfficial Page
Source-security-advisories@github.com
View Known Exploited Vulnerability (KEV) details
Published At-30 Jan, 2026 | 16:16
Updated At-17 Feb, 2026 | 14:32

ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerability occurs in Create Events in Church Calendar. Users with low privileges can create XSS payloads in the Description field. This payload is stored in the database, and when other users view that event (including the admin), the payload is triggered, leading to account takeover. Version 6.7.2 fixes the vulnerability.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.07.2HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 4.0
Base score: 7.2
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CPE Matches
churchcrm
churchcrm
>>churchcrm>>Versions before 6.7.2(exclusive)
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarysecurity-advisories@github.com
CWE ID: CWE-79
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/ChurchCRM/CRM/commit/0cd0d211459b8c19509d36b3c1dfcd7f8c10d914security-advisories@github.com
Patch
https://github.com/ChurchCRM/CRM/commit/ec4b16e9a3ca09c8a01a712bcb90579c42f2ba28security-advisories@github.com
Patch
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-49qp-cfqx-c767security-advisories@github.com
Exploit
Vendor Advisory
Hyperlink: https://github.com/ChurchCRM/CRM/commit/0cd0d211459b8c19509d36b3c1dfcd7f8c10d914
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/ChurchCRM/CRM/commit/ec4b16e9a3ca09c8a01a712bcb90579c42f2ba28
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-49qp-cfqx-c767
Source: security-advisories@github.com
Resource:
Exploit
Vendor Advisory
Change History
0Changes found
Details not found