Skip to main content

Crm CVE-2026-35576

| EUVDEUVD-2026-19774 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-07 GitHub_M
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:04 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
7.0.0
EUVD ID Assigned
Apr 07, 2026 - 18:00 euvd
EUVD-2026-19774
Analysis Generated
Apr 07, 2026 - 18:00 vuln.today
CVE Published
Apr 07, 2026 - 17:11 nvd
HIGH 8.7

DescriptionGitHub Advisory

ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the Person Property Management subsystem. This issue persists in versions patched for CVE-2023-38766 and allows an authenticated user to inject arbitrary JavaScript code via dynamically assigned person properties. The malicious payload is persistently stored and executed when other users view the affected person profile or access the printable view, potentially leading to session hijacking or full account compromise. This vulnerability is fixed in 7.0.0.

AnalysisAI

Stored cross-site scripting in ChurchCRM versions prior to 7.0.0 allows authenticated users to inject malicious JavaScript through the Person Property Management subsystem, executing when other users view affected profiles. This vulnerability persists despite previous CVE-2023-38766 patches and enables session hijacking or account compromise through persistent payload execution. No public exploit identified at time of analysis, though CVSS score of 8.7 reflects high impact with cross-site scripting scope allowing privilege escalation beyond the attacker's session context.

Technical ContextAI

This is a persistent XSS vulnerability (CWE-79) affecting the ChurchCRM open-source church management platform (cpe:2.3:a:churchcrm:crm). The flaw resides in the Person Property Management subsystem, which allows dynamic assignment of custom properties to person records. Insufficient input validation and output encoding on user-supplied property values enables injection of arbitrary JavaScript that is stored in the database and rendered without sanitization when profiles are accessed. The vulnerability demonstrates a regression or incomplete fix from CVE-2023-38766, indicating the previous patch did not adequately address all XSS attack vectors within the property management functionality. The cross-site scripting scope (S:C in CVSS vector) indicates the injected code executes in victims' browser contexts with different privileges than the attacker.

RemediationAI

Upgrade to ChurchCRM version 7.0.0 or later, which contains comprehensive fixes for the Person Property Management XSS vulnerability via pull request #8016 (https://github.com/ChurchCRM/CRM/pull/8016). Organizations unable to immediately upgrade should implement defense-in-depth controls including restricting person property modification permissions to highly trusted administrators only, deploying Content Security Policy headers to mitigate JavaScript execution, and conducting audit reviews of existing person properties for suspicious content. Review access logs for accounts that recently modified person properties and consider rotating session tokens for users who may have viewed affected profiles. Complete vendor advisory and upgrade guidance available at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8r36-fvxj-26qv.

More in Crm

View all
CVE-2017-5965 MEDIUM POC
6.7 May 23

The package manager in Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to execute arbitrary ASP c

CVE-2019-15950 MEDIUM POC
6.1 Sep 16

The CRM Plugin before 4.2.4 for Redmine allows XSS via crafted vCard data. Rated medium severity (CVSS 6.1), this vulner

CVE-2026-42288 CRITICAL
10.0 May 12

ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-

CVE-2026-58409 CRITICAL
9.1 Jul 13

Remote code execution in ChurchCRM before 7.4.0 lets an authenticated administrator run arbitrary PHP on the server by i

CVE-2017-5966 MEDIUM POC
4.9 May 23

Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to read arbitrary files via an absolute path trav

CVE-2026-39328 HIGH
8.9 Apr 07

ChurchCRM church management system versions before 7.1.0 allow authenticated users with EditSelf permission to exfiltrat

CVE-2026-35566 HIGH
8.8 Apr 07

SQL injection in ChurchCRM versions prior to 7.1.0 allows authenticated users with low privileges to execute arbitrary S

CVE-2026-39331 HIGH
8.1 Apr 07

Insecure Direct Object Reference (IDOR) in ChurchCRM API allows authenticated low-privilege users to manipulate arbitrar

CVE-2026-35575 HIGH
8.0 Apr 07

Stored Cross-Site Scripting in ChurchCRM admin panel enables session hijacking and administrative account takeover throu

CVE-2026-58410 HIGH
7.1 Jul 13

Insecure Direct Object Reference in ChurchCRM before 7.4.0 lets an authenticated non-admin user with EditSelf access rea

CVE-2026-35572 HIGH
7.0 Apr 07

Server-Side Request Forgery in ChurchCRM versions prior to 6.5.3 allows authenticated administrators to trigger outbound

CVE-2026-58411 HIGH
7.0 Jul 13

Reflected Cross-Site Scripting in ChurchCRM before 7.4.0 lets remote attackers inject JavaScript through unsanitized req

Share

CVE-2026-35576 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy