CVE-2026-35576
Published: 07 April 2026
Summary
CVE-2026-35576 is a high-severity Cross-site Scripting (CWE-79) vulnerability in ChurchCRM (vendor ChurchCRM). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); it ranks at the 11.3 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validating and sanitizing inputs to person properties, directly preventing the injection of arbitrary JavaScript code in the Person Property Management subsystem.
SI-15 mandates filtering and encoding information output to web pages, blocking execution of the stored malicious JavaScript when viewing affected person profiles or printable views.
SI-2 ensures timely remediation of this specific stored XSS flaw by upgrading to version 7.0.0, the release that fixes it.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS enables arbitrary JavaScript execution in victim browsers (T1059.007) and directly facilitates session hijacking, data theft, and account compromise (T1185) via persistent payload in user profiles.
NVD Description
ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the Person Property Management subsystem. This issue persists in versions patched for CVE-2023-38766 and allows an authenticated user to inject arbitrary JavaScript code via dynamically assigned person properties. The malicious payload is persistently stored and executed when other users view the affected person profile or access the printable view, potentially leading to session hijacking or full account compromise. This vulnerability is fixed in 7.0.0.
Deeper analysisAI
CVE-2026-35576 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting ChurchCRM, an open-source church management system, in versions prior to 7.0.0. The flaw resides in the Person Property Management subsystem, where dynamically assigned person properties fail to sanitize input, allowing injection of arbitrary JavaScript code. This issue persists even in versions previously patched for CVE-2023-38766, earning a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N).
An authenticated user with low privileges can exploit this vulnerability by injecting a malicious payload into a person property, which is then persistently stored in the database. When other users, including administrators, view the affected person's profile or access its printable view, the payload executes in their browsers, potentially enabling session hijacking, theft of sensitive data, or full account compromise. The CVSS scope-change rating (S:C) reflects exactly this: the vulnerable component is the server-side property rendering, but the impact lands in every viewing user's browser session.
ChurchCRM addresses this vulnerability in version 7.0.0. Security practitioners should upgrade to this release immediately. Relevant advisories and patch details are available in the GitHub security advisory at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8r36-fvxj-26qv and the fixing pull request at https://github.com/ChurchCRM/CRM/pull/8016.
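To make the SI-10 / SI-15 controls listed above and the stored-XSS pattern described in the deeper analysis concrete, here is an added example that is not ChurchCRM code and does not reproduce its PHP templates or database schema. It models a hypothetical person-property store as (name, value) pairs, renders a profile fragment in the unsafe concatenation style the advisory describes next to an output-encoded version (SI-15), adds an allow-list validator for property names and values (SI-10), and includes a small scanner a defender could run over already-stored values before and after upgrading. Function names, the sample property values and the HTML shape are all constructed for this example.

```python
"""Stored-XSS pattern in a person-property renderer, beside its mitigations.

Added illustrative example (Python, not ChurchCRM's PHP). Everything here is
hypothetical: the property store, the HTML fragment, and the function names.
"""
import html
import re

# Constructed sample properties. The second and third values are the kind of
# harmless test strings a scanner submits to detect reflection, not an exploit.
SAMPLE_PROPERTIES = [
    ("Membership Role", "Usher"),
    ("Notes", "<script>alert('xss')</script>"),
    ("Nickname", "Bob <img src=x onerror=alert(1)>"),
]

# Matches the start of any HTML tag ("<script", "< /td", "<img", ...).
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")
# Property names are keys chosen by staff, so a tight allow-list is reasonable.
PROPERTY_NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,64}")
MAX_VALUE_LEN = 500


def render_property_row_vulnerable(name, value):
    """The flaw as described: stored text is concatenated straight into HTML."""
    return "<tr><td>" + name + "</td><td>" + value + "</td></tr>"


def render_property_row_safe(name, value):
    """SI-15 output filtering: HTML-encode every dynamic field at output time.
    quote=True also encodes quotes, so the value is safe inside attributes."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(name, quote=True), html.escape(value, quote=True)
    )


def validate_property(name, value):
    """SI-10 input validation. Returns (ok, reason).

    Rejecting tag-like text is defence in depth only; output encoding is what
    actually neutralises a stored payload, because data can enter the table by
    other routes (imports, older releases, direct database edits)."""
    if not PROPERTY_NAME_RE.fullmatch(name):
        return False, "property name contains disallowed characters"
    if len(value) > MAX_VALUE_LEN:
        return False, "property value too long"
    if TAG_RE.search(value):
        return False, "property value contains HTML markup"
    return True, ""


def find_suspicious_values(properties):
    """Defender's scan over stored (name, value) pairs: anything tag-like
    deserves manual review, since it was stored before the fix was applied."""
    return [(n, v) for n, v in properties if TAG_RE.search(v)]


def render_profile(properties, safe=True):
    row = render_property_row_safe if safe else render_property_row_vulnerable
    return "<table>" + "".join(row(n, v) for n, v in properties) + "</table>"


def contains_active_markup(fragment):
    """Does the rendered fragment contain any tag beyond the table structure
    the renderer itself emits? True means stored data reached the page as HTML."""
    stripped = re.sub(r"</?(table|tr|td)>", "", fragment)
    return bool(TAG_RE.search(stripped))


if __name__ == "__main__":
    unsafe_html = render_profile(SAMPLE_PROPERTIES, safe=False)
    safe_html = render_profile(SAMPLE_PROPERTIES, safe=True)
    print("vulnerable render leaks markup:", contains_active_markup(unsafe_html))
    print("encoded render leaks markup:   ", contains_active_markup(safe_html))
    for n, v in SAMPLE_PROPERTIES:
        print(f"validate {n!r}:", validate_property(n, v))
    print("stored values needing review:", find_suspicious_values(SAMPLE_PROPERTIES))
```

The point worth taking from the example is the split of responsibilities: `validate_property` stops new markup from being stored, but only `render_property_row_safe` protects viewers of values that are already in the table, which is why the advisory's fix is an output-side change and why `find_suspicious_values` is worth running against the existing property data after upgrading rather than assuming the upgrade alone cleaned it.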
Details
- CWE(s)