CVE-2026-35576 | THREATINT

Description

ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the Person Property Management subsystem. This issue persists in versions patched for CVE-2023-38766 and allows an authenticated user to inject arbitrary JavaScript code via dynamically assigned person properties. The malicious payload is persistently stored and executed when other users view the affected person profile or access the printable view, potentially leading to session hijacking or full account compromise. This vulnerability is fixed in 7.0.0.

PUBLISHED Reserved 2026-04-03 | Published 2026-04-07 | Updated 2026-04-09 | Assigner GitHub_M

HIGH: 8.7CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 7.0.0

affected

References

github.com/...RM/CRM/security/advisories/GHSA-8r36-fvxj-26qv

github.com/ChurchCRM/CRM/pull/8016

cve.org (CVE-2026-35576)

nvd.nist.gov (CVE-2026-35576)

Download JSON