Stored Cross-Site Scripting in ChurchCRM Affects User Profile Pages
CVE-2026-35534

7.6 HIGH

Key Information:

Vendor: Churchcrm

Status: Vendor

CVE Published: 7 April 2026

What is CVE-2026-35534?

ChurchCRM, an open-source church management system, contains a stored cross-site scripting vulnerability in the PersonView.php file. The file relies on the sanitizeText() function to neutralise values placed into HTML attributes, but that function does not fully escape quote characters, so a stored value can terminate the attribute early and introduce its own markup. As a result, any authenticated user holding the EditRecords role can inject malicious JavaScript into the Facebook field of a person's profile. When other users, including administrators, view the affected profile page, the embedded script executes in their browser, potentially allowing an attacker to hijack their sessions and gain full control over their accounts. This vulnerability is resolved in version 7.1.0.
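To illustrate the root cause, here is an added example; it is not ChurchCRM's code, and the real sanitizeText() implementation is not shown on this page. It pairs a hypothetical weakSanitize() that strips tags but leaves quote characters alone with a quote-aware attribute escaper, and adds a simple check that the rendered href attribute stays intact.

```php
<?php
// Added illustration, not ChurchCRM's code. The link markup is assumed;
// the point is that the value lands inside a double-quoted attribute.
declare(strict_types=1);

function weakSanitize(string $value): string
{
    // Hypothetical weak sanitizer: removes <tags>, but a bare " or '
    // survives untouched, so the attribute can be closed early.
    return strip_tags($value);
}

function escapeAttr(string $value): string
{
    // ENT_QUOTES escapes both " and ' (older PHP defaults left ' alone);
    // ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the value.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderFacebookLink(string $facebook, callable $escaper): string
{
    return '<a href="' . $escaper($facebook) . '">Facebook</a>';
}

function attributeQuotesBalanced(string $html): bool
{
    // The template emits exactly one quoted attribute, so a correctly
    // escaped render contains exactly two raw double quotes.
    return substr_count($html, '"') === 2;
}

// Constructed sample: a stored value that contains a double quote.
$sample = 'https://example.invalid/me" title="injected';

$weak = renderFacebookLink($sample, 'weakSanitize');
$safe = renderFacebookLink($sample, 'escapeAttr');

if (attributeQuotesBalanced($weak)) {
    throw new RuntimeException('weak sanitizer unexpectedly kept the attribute intact');
}
if (!attributeQuotesBalanced($safe)) {
    throw new RuntimeException('attribute escaping failed');
}

echo "weak: {$weak}", PHP_EOL;
echo "safe: {$safe}", PHP_EOL;
```

The same balanced-quote check can be applied to any template that emits a single quoted attribute, which makes it a cheap regression test for this class of escaping defect.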

Affected Version(s)

ChurchCRM < 7.1.0

References

CVSS V3.1

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
