Stored Cross-Site Scripting in ChurchCRM's Person Property Management
CVE-2026-35576

8.7HIGH

Key Information:

Vendor: Churchcrm
Status: Vendor
CVE Published: 7 April 2026

What is CVE-2026-35576?

ChurchCRM, an open-source church management system, suffers from a stored cross-site scripting (XSS) vulnerability within its Person Property Management subsystem in versions prior to 7.0.0. The flaw allows an authenticated user to inject arbitrary JavaScript code through dynamically assigned person properties. The malicious payload is stored persistently and is executed when other users open the affected person profile or its printable view, which can lead to session hijacking or full account compromise. The vulnerability has been addressed in version 7.0.0.
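The pattern behind a stored XSS of this kind is a stored value written into HTML without output encoding. The following is an added illustration in PHP (ChurchCRM's language), not ChurchCRM's own code: the function names, the property names and the sample values are hypothetical. It renders the same constructed property values through an unsafe and a hardened template and runs a simple regression check that flags any render in which markup from the stored value survives unencoded.

```php
<?php
// Added example (not ChurchCRM code). Function and property names are hypothetical.

// Constructed sample: two person properties as an authenticated user might save them.
// The second one carries markup, which is what a stored-XSS test case looks like.
$sampleProperties = [
    ['name' => 'Allergies', 'value' => 'Peanuts'],
    ['name' => 'Notes',     'value' => '<script>alert(1)</script>'],
];

// Vulnerable pattern: the stored value is interpolated into HTML verbatim, so
// the browser parses any tags it contains whenever the profile is viewed.
function renderPropertyRowUnsafe(string $name, string $value): string
{
    return "<tr><td>{$name}</td><td>{$value}</td></tr>";
}

// Hardened pattern: every untrusted value is HTML-encoded at the output sink.
// ENT_QUOTES also covers values placed inside quoted attributes; ENT_SUBSTITUTE
// prevents invalid UTF-8 from silently dropping the whole string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderPropertyRowSafe(string $name, string $value): string
{
    return '<tr><td>' . e($name) . '</td><td>' . e($value) . '</td></tr>';
}

// Regression check for a test suite: if a stored value needed encoding and it
// still appears byte-for-byte in the rendered HTML, the sink is not encoding.
function markupSurvives(string $html, string $untrusted): bool
{
    $needsEncoding = ($untrusted !== e($untrusted));
    return $needsEncoding && strpos($html, $untrusted) !== false;
}

foreach ($sampleProperties as $p) {
    $unsafe = renderPropertyRowUnsafe($p['name'], $p['value']);
    $safe   = renderPropertyRowSafe($p['name'], $p['value']);
    printf("property: %s\n", $p['name']);
    printf("  unsafe render: %s\n    markup survives: %s\n",
        $unsafe, markupSurvives($unsafe, $p['value']) ? 'yes' : 'no');
    printf("  safe render:   %s\n    markup survives: %s\n\n",
        $safe, markupSurvives($safe, $p['value']) ? 'yes' : 'no');
}
```

Run with `php example.php`. For the "Notes" property the unsafe render reports that the markup survives while the safe render does not; for "Allergies" neither does, because a value with no special characters needs no encoding. The check is the kind of assertion worth adding to a template test suite for every field that an authenticated user can populate and another user can view, including print views, which often use a separate template that is easy to miss when the main profile view is fixed.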

Affected Version(s)

CRM < 7.0.0

References

CVSS V3.1

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved