Is PHP affected by EUVD-2026-19718?

ChurchCRM versions before 7.1.0 contain a stored cross-site scripting vulnerability that allows authenticated users with EditRecords privileges to inject malicious code through Facebook profile fields, potentially leading to administrator account compromise and unauthorized system access.

EUVD-2026-19718

| CVE-2026-35534 HIGH

2026-04-07 GitHub_M

7.6

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Apr 07, 2026 - 16:00 euvd

EUVD-2026-19718

Analysis Generated

Apr 07, 2026 - 16:00 vuln.today

CVE Published

Apr 07, 2026 - 15:47 nvd

HIGH 7.6

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText() as an output sanitizer for HTML attribute context. The function only strips HTML tags, it does not escape quote characters allowing an attacker to break out of the href attribute and inject arbitrary JavaScript event handlers. Any authenticated user with the EditRecords role can store the payload in a person's Facebook field. The XSS fires against any user who views that person's profile page, including administrators, enabling session hijacking and full account takeover. This vulnerability is fixed in 7.1.0.

Analysis

Stored cross-site scripting (XSS) in ChurchCRM versions prior to 7.1.0 enables authenticated users with EditRecords role to inject malicious JavaScript through improperly sanitized Facebook profile fields, executing arbitrary code in administrators' browser sessions and enabling account takeover. The vulnerability exploits inadequate output encoding in PersonView.php where sanitizeText() strips HTML tags but fails to escape quote characters in href attribute contexts. …

Remediation

Within 24 hours: Inventory all ChurchCRM deployments and confirm versions in use; restrict EditRecords role assignment to trusted personnel only. Within 7 days: Upgrade ChurchCRM to version 7.1.0 or later if available; if upgrade is blocked, implement input validation rules to reject special characters in Facebook profile fields via Web Application Firewall (WAF) or application-level controls. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: 0

EUVD-2026-19718 vulnerability details – vuln.today

Back

EUVD-2026-19718

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-19718

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code