Platform
php
Component
churchcrm
Fixed in
7.0.1
A stored cross-site scripting (XSS) vulnerability has been identified in ChurchCRM, an open-source church management system. This flaw, present in versions prior to 7.0.0, allows authenticated users to inject malicious JavaScript code through dynamically assigned person properties. Exploitation can lead to session hijacking or complete account compromise, impacting the confidentiality and integrity of church data.
The vulnerability resides within the Person Property Management subsystem of ChurchCRM. An attacker, once authenticated, can craft a malicious payload and inject it into a person's profile properties. This payload is then persistently stored and executed whenever other users view the affected profile or access its printable view. This persistent nature significantly amplifies the risk, as the attack isn't a one-time event but affects all subsequent views of the compromised profile. Successful exploitation could allow an attacker to steal session cookies, impersonate users, modify data, or even gain full control of affected accounts, potentially disrupting church operations and exposing sensitive member information.
This vulnerability was publicly disclosed on 2026-04-07. While no public proof-of-concept (PoC) has been released at the time of writing, the ease of exploitation and the potential impact suggest a medium probability of exploitation. It is not currently listed on the CISA KEV catalog. The vulnerability persists even in versions patched for CVE-2023-38766, highlighting the importance of thorough testing after applying security updates.
Exploit Status
EPSS
0.03% (9th percentile)
CISA SSVC
The primary mitigation for CVE-2026-35576 is to upgrade ChurchCRM to version 7.0.0 or later, which contains the fix. If an immediate upgrade is not feasible, consider implementing strict input validation and output encoding on all user-supplied data within the Person Property Management subsystem. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and sanitize user-generated content to identify and remove any potentially malicious scripts.
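One way to apply the output-encoding advice above, shown as an added PHP example that is not ChurchCRM's own code (the function names, the property-name validation rule and the sample value are constructed for illustration):

```php
<?php
// Added example (not ChurchCRM code): rendering a stored person property
// value so that markup in it is displayed literally rather than executed.
// Assumes property names and values arrive from the database as untrusted strings.

declare(strict_types=1);

/**
 * Escape a value for insertion into HTML text or a double-quoted attribute.
 * ENT_QUOTES escapes both ' and " so the helper is also safe inside attributes;
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Interim input validation (constructed rule): a property name is restricted to
 * letters, digits, spaces and a few separators, with a length limit.
 * Validation narrows what is stored; encoding at output time is still required.
 */
function isValidPropertyName(string $name): bool
{
    return (bool) preg_match('/^[\p{L}\p{N} _\-]{1,64}$/u', $name);
}

/**
 * Vulnerable pattern: the stored value is concatenated into the markup as-is,
 * so any script it contains runs for every user who views the profile or its
 * printable view.
 */
function renderPropertyRowUnsafe(string $name, string $value): string
{
    return "<tr><td>{$name}</td><td>{$value}</td></tr>\n";
}

/** Hardened pattern: every untrusted field is encoded at the point of output. */
function renderPropertyRow(string $name, string $value): string
{
    return '<tr><td>' . escapeHtml($name) . '</td><td>' . escapeHtml($value) . "</td></tr>\n";
}

// Constructed sample value carrying inline script.
$sampleName  = 'Nickname';
$sampleValue = '<script>alert(1)</script>';

var_dump(isValidPropertyName($sampleName));              // bool(true)
echo "Unsafe:\n" . renderPropertyRowUnsafe($sampleName, $sampleValue);
echo "Safe:\n"   . renderPropertyRow($sampleName, $sampleValue);
```

The safe row prints the sample as `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser shows as text; the same helper should be applied on both the profile view and the printable view, since the advisory notes both render the stored value.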
Upgrade to version 7.0.0 or later to mitigate the XSS vulnerability. This update corrects how person properties are handled, preventing the injection of malicious JavaScript code into profile views and the printable view.
CVE-2026-35576 is a stored cross-site scripting (XSS) vulnerability in ChurchCRM versions 0.0.0 through 6.99.9, allowing authenticated users to inject malicious JavaScript code.
You are affected if you are using ChurchCRM versions 0.0.0 through 6.99.9 and have not upgraded to version 7.0.0.
Upgrade ChurchCRM to version 7.0.0 or later. Implement input validation and output encoding as an interim measure.
While no public exploit is currently known, the vulnerability's ease of exploitation suggests a potential for active exploitation.
Refer to the ChurchCRM website and security advisories for the latest information and official guidance regarding CVE-2026-35576.