CVE-2026-35576

Severity: HIGH 8.7 · EPSS percentile: 17.2%

Description

ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the Person Property Management subsystem. This issue persists in versions patched for CVE-2023-38766 and allows an authenticated user to inject arbitrary JavaScript code via dynamically assigned person properties. The malicious payload is persistently stored and executed when other users view the affected person profile or access the printable view, potentially leading to session hijacking or full account compromise. This vulnerability is fixed in 7.0.0.

Scoring

CVSS 3.1: 8.7 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
EPSS: 0.26% probability of exploitation · percentile 17.2% · scored 2026-06-19T12:03:05Z
Published: 2026-04-07
Last modified: 2026-04-09

Underlying weaknesses (1)

CWE-79

References

  1. https://github.com/ChurchCRM/CRM/pull/8016
  2. https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8r36-fvxj-26qv

Weakness mapping (1)

Type: Weakness
Target: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (cwe-79)
Confidence: 0%
Tier: live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-35574
CVE: CVE-2026-35575
CVE: CVE-2026-39344
CVE: CVE-2026-39328
CVE: CVE-2026-39332
CVE: CVE-2026-39318
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.