Platform: php
Component: churchcrm
Fixed in: 7.1.1
A stored cross-site scripting (XSS) vulnerability exists in ChurchCRM versions 0.0.0 through 7.0. This flaw, located in the PersonView.php file, arises from the incorrect use of the sanitizeText() function as an output sanitizer for HTML attribute context. An authenticated user with the EditRecords role can exploit this by injecting malicious JavaScript into a person's Facebook field, which then executes when other users, including administrators, view that person's profile.
Successful exploitation of CVE-2026-35534 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious outcomes, including session hijacking, credential theft, redirection to phishing sites, and defacement of the ChurchCRM interface. The impact is particularly severe because the vulnerability affects administrators, granting attackers access to sensitive administrative functions and data. The stored nature of the XSS means the payload persists until removed, potentially impacting numerous users over time.
CVE-2026-35534 was publicly disclosed on 2026-04-07. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature and ease of exploitation suggest a moderate risk of exploitation. It is not currently listed on the CISA KEV catalog. The vulnerability's impact is amplified by the fact that it requires only authentication with a specific role, making it accessible to a relatively large number of users.
Exploit Status
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2026-35534 is to upgrade ChurchCRM to version 7.1.0 or later, which contains the necessary fix. If an immediate upgrade is not feasible, consider implementing strict input validation and output encoding on all user-supplied data within PersonView.php. While not a complete solution, a Web Application Firewall (WAF) configured to detect and block XSS payloads targeting the Facebook field can provide an additional layer of defense. Regularly review and audit user roles and permissions to limit the number of users with the EditRecords role.
Update ChurchCRM to version 7.1.0 or later to mitigate the XSS vulnerability. This update corrects the issue by properly sanitizing HTML attributes, preventing the injection of malicious JavaScript into the Facebook field.
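The following is an added, editor-written illustration of the bug class described above (a text-context sanitizer reused in an HTML attribute) next to the attribute-context encoding the fix relies on. It is not ChurchCRM's own code: the function names, the treatment of the Facebook field as a URL placed in an href, and the sample value are all assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins; not ChurchCRM's sanitizeText() or PersonView.php.

// A sanitizer written for HTML *text* content: strips tags and encodes
// < > &, but leaves quotes alone (ENT_NOQUOTES). Adequate between tags,
// inadequate inside a quoted attribute value.
function sanitize_for_text_context(string $v): string
{
    return htmlspecialchars(strip_tags($v), ENT_NOQUOTES, 'UTF-8');
}

// Vulnerable pattern: the text-context sanitizer reused inside href="...".
// A stored value containing a double quote closes the attribute, and whatever
// follows becomes new attributes of the rendered tag (an event-handler
// attribute there would run script when the profile is viewed).
function render_link_unsafe(string $facebook): string
{
    $s = sanitize_for_text_context($facebook);
    return '<a href="' . $s . '">' . $s . '</a>';
}

// Hardened pattern: (1) only accept values whose scheme is http(s), so a
// javascript: or data: URL never reaches the href; (2) encode for the
// attribute context with ENT_QUOTES, which turns " into &quot; and
// (with ENT_HTML5) ' into &apos;, so the value cannot close the attribute.
function render_link(string $facebook): string
{
    $scheme = strtolower((string) parse_url($facebook, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '';  // render nothing for a non-URL or non-http(s) value
    }
    $attr = htmlspecialchars($facebook, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $attr . '" rel="noopener noreferrer">' . $attr . '</a>';
}

// Constructed sample: a URL with a quote and an extra attribute appended.
$sample = 'https://www.facebook.com/someone" title="injected';

echo "unsafe: ", render_link_unsafe($sample), PHP_EOL;  // raw quote survives; title= becomes a real attribute
echo "safe:   ", render_link($sample), PHP_EOL;          // quote encoded; the whole value stays inside href
echo "safe:   ", render_link('javascript:alert(1)'), PHP_EOL;  // empty string: scheme rejected
```

Running the script with `php` prints the three rendered variants so the difference between text-context and attribute-context encoding is visible in the markup itself.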
CVE-2026-35534 is a stored cross-site scripting (XSS) vulnerability in ChurchCRM versions 0.0.0 through 7.0, allowing authenticated users to inject malicious JavaScript.
If you are using ChurchCRM version 7.0 or earlier, you are potentially affected by this vulnerability. Upgrade to version 7.1.0 or later to mitigate the risk.
The recommended fix is to upgrade ChurchCRM to version 7.1.0 or later. If an upgrade is not immediately possible, implement input validation and output encoding as a temporary workaround.
While no public exploits are currently known, the vulnerability's ease of exploitation suggests a potential risk of exploitation.
Refer to the official ChurchCRM website and security advisories for the latest information and updates regarding CVE-2026-35534.