CVE-2026-35534
Published: 07 April 2026
Summary
CVE-2026-35534 is a high-severity stored Cross-site Scripting (CWE-79) vulnerability in ChurchCRM. Its CVSS v3.1 base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). It ranks at the 11.3 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
SI-15 (Information Output Filtering) requires that information be filtered or encoded before it is written to web pages, which directly addresses the root cause here: a stored value placed into an HTML attribute without attribute-context escaping.
SI-10 (Information Input Validation) requires validating user input before it is accepted and stored, which limits the payloads an authenticated EditRecords user can persist in fields such as the Facebook field; it is a second layer of defence, not a substitute for output encoding.
SI-2 (Flaw Remediation) mandates timely patching; upgrading to ChurchCRM 7.1.0 removes the misuse of sanitizeText() in PersonView.php and eliminates this XSS.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
Stored XSS lets the attacker persist arbitrary JavaScript event-handler attributes that execute in the victim's browser whenever the profile is viewed. Script running inside an administrator's authenticated session is the precondition for Browser Session Hijacking (T1185): the attacker can issue requests as that user and take over the account.
NVD Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText() as an output sanitizer for HTML attribute context. The function only strips HTML tags; it does not escape quote characters, allowing an attacker to break out of the href attribute and inject arbitrary JavaScript event handlers. Any authenticated user with the EditRecords role can store the payload in a person's Facebook field. The XSS fires against any user who views that person's profile page, including administrators, enabling session hijacking and full account takeover. This vulnerability is fixed in 7.1.0.
Deeper analysis [AI-generated]
CVE-2026-35534 is a stored cross-site scripting (XSS) vulnerability in ChurchCRM, an open-source church management system. The issue affects versions prior to 7.1.0 and resides in PersonView.php, where sanitizeText() is used as an output sanitizer for a value written into an HTML attribute. The function only strips HTML tags and does not escape quote characters, so a quote in the stored value terminates the href attribute and everything after it is parsed as further attributes on the same element, including arbitrary event-handler attributes (for example onmouseover) that carry attacker-controlled JavaScript.
An authenticated user with the EditRecords role can exploit this by storing a malicious payload in a person's Facebook field. The payload runs when any user, including an administrator, views that person's profile page; the victim's page view is the required user interaction (UI:R). Because the script executes in the victim's authenticated session, it can hijack that session and take over the account. This is reflected in the CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N): high confidentiality impact, and changed scope because the injected script runs in the victim's browser rather than in the vulnerable server component. The flaw maps to CWE-79 (Improper Neutralization of Input During Web Page Generation), CWE-87 (Improper Neutralization of Alternate XSS Syntax), and CWE-116 (Improper Encoding or Escaping of Output).
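The attribute-context failure described above, as an added illustration that is not ChurchCRM's code: sanitizeTextModel() is a stand-in for the tag-stripping sanitizer (that it behaves like strip_tags is an assumption, not a claim about the real sanitizeText()), the markup is a simplified stand-in for what PersonView.php emits, and escapeAttribute(), normalizeFacebook() and looksLikeAttributeBreakout() are hypothetical helpers. It shows the vulnerable rendering beside two fixes, correct attribute encoding with htmlspecialchars(ENT_QUOTES) and an input allowlist on the stored value (the SI-10 control from the mitigations section), plus a heuristic for hunting payloads already stored before an upgrade.

```php
<?php
declare(strict_types=1);

// Added example, not ChurchCRM code. It models the bug class in the advisory:
// a tag-stripping "sanitizer" used to build an HTML attribute value.
// sanitizeTextModel() is a stand-in (assumption: it behaves like strip_tags);
// the markup below is a simplified stand-in for PersonView.php.
function sanitizeTextModel(string $value): string
{
    return strip_tags($value);
}

// Correct encoder for attribute context: ENT_QUOTES turns both " and ' into
// entities, so a stored value can never terminate the attribute it sits in.
function escapeAttribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: quotes survive strip_tags and close the href attribute.
function renderFacebookLinkVulnerable(string $facebook): string
{
    return '<a href="' . sanitizeTextModel($facebook) . '">Facebook</a>';
}

// Minimal fix: encode for the context the value is written into.
function renderFacebookLinkEscaped(string $facebook): string
{
    return '<a href="' . escapeAttribute($facebook) . '">Facebook</a>';
}

// Hypothetical input validation (SI-10): accept a bare handle or an
// https://www.facebook.com/ URL, return a canonical URL, otherwise null.
function normalizeFacebook(string $facebook): ?string
{
    $facebook = trim($facebook);
    if (preg_match('/^[A-Za-z0-9.]{1,64}$/', $facebook)) {
        return 'https://www.facebook.com/' . $facebook;
    }
    if (preg_match('#^https://(www\.)?facebook\.com/[A-Za-z0-9./?=_-]{1,128}$#', $facebook)) {
        return $facebook;
    }
    return null;
}

// Defence in depth: validate on input, still encode on output.
function renderFacebookLinkHardened(string $facebook): string
{
    $url = normalizeFacebook($facebook);
    return $url === null ? '' : '<a href="' . escapeAttribute($url) . '">Facebook</a>';
}

// Hypothetical hunting heuristic for records written before the upgrade:
// a quote or an on*= attribute name inside a Facebook value is suspicious.
function looksLikeAttributeBreakout(string $stored): bool
{
    return (bool) preg_match('/["\']|\bon[a-z]+\s*=/i', $stored);
}

// Constructed payload (not taken from the advisory): the first quote closes
// href, the rest becomes attributes on the <a>, and the trailing quote
// rebalances the markup so the page still renders normally.
$payload = '" onmouseover="alert(document.cookie)" x="';

echo renderFacebookLinkVulnerable($payload), PHP_EOL;
echo renderFacebookLinkEscaped($payload), PHP_EOL;
echo renderFacebookLinkHardened($payload), PHP_EOL;
echo renderFacebookLinkHardened('church.example'), PHP_EOL;
echo var_export(looksLikeAttributeBreakout($payload), true), PHP_EOL;
echo var_export(looksLikeAttributeBreakout('church.example'), true), PHP_EOL;
```

Run it with the php CLI. The vulnerable renderer emits the constructed payload's onmouseover attribute as live markup on the anchor; the encoded renderer turns both quote characters into entities so the whole value stays inside href; the allowlisted renderer rejects the value outright and renders nothing, while the legitimate handle becomes a canonical profile URL. Note that strip_tags also leaves single quotes untouched, so a template that wrote href='...' would be exposed in the same way; ENT_QUOTES covers both attribute delimiters.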
The GitHub Security Advisory (GHSA-pqp6-54p2-m66f) confirms the vulnerability is fixed in ChurchCRM version 7.1.0, recommending immediate upgrades for all prior versions to mitigate the risk.
Details
- CWE(s)