CVE-2026-35576

Severity: High (CVSS 3.1 base score 8.7)
EPSS: 17.4%
Published: Apr 7, 2026
Last Modified: Jun 17, 2026

Description

ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the Person Property Management subsystem. This issue persists in versions patched for CVE-2023-38766 and allows an authenticated user to inject arbitrary JavaScript code via dynamically assigned person properties. The malicious payload is persistently stored and executed when other users view the affected person profile or access the printable view, potentially leading to session hijacking or full account compromise. This vulnerability is fixed in 7.0.0.
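The description names two sinks (the person profile and the printable view) and one root cause (property values emitted as raw HTML). The following is an added illustration, not ChurchCRM's code and not the patch in pull request 8016: a constructed person record with a payload in a dynamically assigned property, a rendering function written in the vulnerable pattern beside one that entity-encodes at output time, a printable view that reuses whichever profile renderer it is given, and a small regression check that flags any element name in the output that the template itself does not emit. The data, field names, tag allowlist and payload are all assumptions made for the example.

```python
import html
import re

# Constructed sample data (not a real ChurchCRM record): one person with two
# dynamically assigned properties, the second carrying a stored-XSS payload
# entered by a low-privilege authenticated user.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'
PERSON = {
    "name": "Jane Example",
    "properties": [
        {"name": "Ministry", "value": "Choir"},
        {"name": "Notes", "value": PAYLOAD},
    ],
}

# Tags the templates below legitimately emit (an assumption of this example);
# anything else in the output means stored data reached the page as markup.
TEMPLATE_TAGS = frozenset({"html", "body", "h1", "table", "tr", "td"})


def render_profile_vulnerable(person):
    """Vulnerable pattern: stored property values are interpolated into the
    HTML verbatim, so every viewer's browser parses the payload as markup."""
    rows = "".join(
        f"<tr><td>{p['name']}</td><td>{p['value']}</td></tr>"
        for p in person["properties"]
    )
    return f"<h1>{person['name']}</h1><table>{rows}</table>"


def _esc(value):
    # HTML-entity encode at output time; quote=True also encodes ' and ", the
    # Python counterpart of PHP's htmlspecialchars(..., ENT_QUOTES).
    return html.escape(str(value), quote=True)


def render_profile_fixed(person):
    """Hardened pattern: every untrusted field (property name, property value
    and the person's name) is entity-encoded at the point it enters the HTML."""
    rows = "".join(
        f"<tr><td>{_esc(p['name'])}</td><td>{_esc(p['value'])}</td></tr>"
        for p in person["properties"]
    )
    return f"<h1>{_esc(person['name'])}</h1><table>{rows}</table>"


def render_printable(person, profile_renderer):
    """The printable view reuses the profile renderer. If the profile template
    is the unescaped one, the printable page is exposed too, which is the
    second sink the advisory names."""
    return "<html><body>" + profile_renderer(person) + "</body></html>"


def leaked_tags(rendered_html):
    """Regression check for a template: the set of element names in the output
    that the template itself does not emit. An empty set means no stored data
    became markup."""
    found = {m.lower() for m in re.findall(r"<\s*/?\s*([A-Za-z][A-Za-z0-9-]*)", rendered_html)}
    return found - TEMPLATE_TAGS


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_profile_vulnerable),
                            ("fixed", render_profile_fixed)):
        page = render_printable(PERSON, renderer)
        print(f"{label:10s} leaked tags: {sorted(leaked_tags(page)) or 'none'}")
        print("    ", page)
```

The check is deliberately crude (a tag allowlist over a regex, not an HTML parser); its purpose is to catch a template that forgot to encode, which is the class of bug described here, not to validate arbitrary HTML. Encoding has to happen in every template that prints the value, including the printable one, because the stored data is the same in both.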

CVSS Details

Base Score
8.7
Exploitability
2.3
Impact
5.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS exploit probability: 17.4%
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses (1)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products (1)

Vendor     Product    Version  Range
churchcrm  churchcrm  *        <7.0.0

References (2)

  • github.com https://github.com/ChurchCRM/CRM/pull/8016
    Patch
  • github.com https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8r36-fvxj-26qv
    Third Party Advisory

Remediation

Upgrade to ChurchCRM 7.0.0 or later; the description states the issue is fixed in 7.0.0, and the earlier fix for CVE-2023-38766 does not cover it.

  • github.com https://github.com/ChurchCRM/CRM/pull/8016
    Patch