CVE-2026-35576
Stored XSS in ChurchCRM Person Property Allows Account Compromise
Publication date: 2026-04-07
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | up to, but not including, 7.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35576 is a stored cross-site scripting (XSS) vulnerability in the Person Property Management subsystem of ChurchCRM, an open-source church management system. It allows an authenticated user to inject arbitrary JavaScript code via dynamically assigned person property values using the "Assign a New Property" feature.
The malicious JavaScript payload is persistently stored in the database and executed whenever other users view the affected person profile or its printable view. This execution happens because the application did not properly sanitize or escape these dynamic inputs before rendering them.
This vulnerability is distinct from a previous CVE (CVE-2023-38766) because it affects a different part of the system and was not fixed by earlier patches. The issue was fixed in version 7.0.0 by properly escaping all dynamic outputs related to property assignments and changing unsafe JavaScript rendering methods.
How can this vulnerability impact me?
This vulnerability can have serious security impacts including session hijacking, privilege escalation, unauthorized actions, and full account compromise.
Because the injected JavaScript executes in the browsers of users who view the compromised person profile or printable view, attackers can steal session cookies or perform actions on behalf of the victim user.
If privileged users are targeted, the attacker could gain elevated access or control over the system, leading to significant confidentiality and integrity losses.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of malicious JavaScript payloads injected via the "Assign a New Property" value field in the Person Property Management subsystem of ChurchCRM. Since the payload is stored and executed when viewing person profiles or printable views, monitoring these inputs for suspicious scripts is key.
A proof of concept payload such as `"><img src=x onerror=alert('xss-testS')>` can be used to test if the system is vulnerable by assigning it as a new property value and then viewing the affected profile or printable view to see if the alert executes.
To detect the vulnerability on your system, you can:
- Review database entries in the person properties table for suspicious JavaScript or HTML tags.
- Use web application scanning tools that detect stored XSS vulnerabilities by submitting payloads in the property assignment fields.
- Manually test by assigning a crafted payload to a person property and then viewing the profile or printable view to observe if the payload executes.
Specific commands depend on your environment (the table and column names below are illustrative; check your own schema), but example queries to search for suspicious payloads in the database might include:
- For MySQL: `SELECT * FROM person_properties WHERE property_value LIKE '%<script>%' OR property_value LIKE '%onerror=%';`
- For PostgreSQL: `SELECT * FROM person_properties WHERE property_value ILIKE '%<script>%' OR property_value ILIKE '%onerror=%';`
Additionally, monitoring HTTP traffic for suspicious payloads submitted to endpoints like PropertyAssign.php or observing JavaScript execution in the browser console when viewing person profiles can help detect exploitation attempts.
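The SQL patterns above only catch a literal `<script>` or `onerror=`. A check that actually parses each stored value also catches other event-handler attributes, `javascript:` URLs and mixed-case tags, and does not flag harmless text such as `5 < 10`. The script below is an added example, not ChurchCRM code: the row shape (id, property name, value) and the sample rows are constructed for illustration, and in practice you would feed it the rows returned by your own person-properties query.

```python
"""Scan stored person-property values for markup that could execute script.

Added example, not ChurchCRM code. The row layout and SAMPLE_ROWS are
constructed; replace SAMPLE_ROWS with rows fetched from your own database.
"""
import re
from html.parser import HTMLParser


class _MarkupProbe(HTMLParser):
    """Collect every tag name and every attribute that could carry script."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.suspicious_attrs = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names, so <ScRiPt> and
        # OnError= are normalised before we look at them.
        self.tags.append(tag)
        for name, value in attrs:
            lowered = (value or "").strip().lower()
            if name.startswith("on") or lowered.startswith("javascript:"):
                self.suspicious_attrs.append((tag, name))


def classify_value(value: str) -> list:
    """Return the reasons a stored value looks like an XSS payload ([] if clean)."""
    reasons = []
    probe = _MarkupProbe()
    probe.feed(value)
    probe.close()
    if "script" in probe.tags:
        reasons.append("script tag")
    for tag, attr in probe.suspicious_attrs:
        reasons.append(f"{attr} on <{tag}>")
    # The page's proof of concept begins with '">': a value that opens by
    # closing a quoted attribute is a strong signal on its own.
    if re.match(r'\s*["\']\s*>', value):
        reasons.append("attribute break-out")
    # Any other element in a free-text property is still worth a look.
    if probe.tags and not reasons:
        reasons.append("unexpected markup: " + ", ".join(sorted(set(probe.tags))))
    return reasons


def scan_rows(rows):
    """Return [(row_id, property_name, reasons)] for rows whose value looks hostile."""
    findings = []
    for row_id, prop_name, value in rows:
        reasons = classify_value(value)
        if reasons:
            findings.append((row_id, prop_name, reasons))
    return findings


# Constructed sample rows: three benign values, three that should be flagged.
SAMPLE_ROWS = [
    (1, "Baptised", "2019-05-12"),
    (2, "Note", "Ages 5 < 10 welcome"),          # a bare '<' is not a tag
    (3, "Nickname", "O'Brien"),
    (4, "Role", "\"><img src=x onerror=alert('xss-testS')>"),
    (5, "Role", "<ScRiPt>alert(1)</sCrIpT>"),
    (6, "Website", "<a href=\"javascript:alert(1)\">homepage</a>"),
]


if __name__ == "__main__":
    for row_id, prop_name, reasons in scan_rows(SAMPLE_ROWS):
        print(f"row {row_id} ({prop_name}): {'; '.join(reasons)}")
```

Hits are leads, not verdicts: a value that merely contains markup may be a data-entry accident, so review each flagged row and remove or re-enter it rather than deleting blindly.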
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation step is to upgrade ChurchCRM to version 7.0.0 or later, where this stored XSS vulnerability in the Person Property Management subsystem has been fixed.
If upgrading immediately is not possible, consider the following temporary mitigations:
- Restrict authenticated user privileges to prevent untrusted users from assigning new properties.
- Manually sanitize or review person property values in the database to remove any suspicious or malicious JavaScript code.
- Disable or restrict access to the "Assign a New Property" functionality until the patch can be applied.
- Monitor user activity and logs for unusual property assignments or profile views that could indicate exploitation attempts.
Applying the official patch or upgrade ensures proper escaping and sanitization of dynamic outputs related to property assignments, preventing stored and DOM-based XSS attacks.
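What "properly escaping all dynamic outputs" means in practice can be shown in a few lines. The code below is an added example, not ChurchCRM's code; the template, function names and the sample row are constructed. Because the page's proof of concept opens with `">`, it is built to break out of an HTML attribute, so escaping has to encode quotes as well as angle brackets, and a value handed to client-side script needs JSON encoding (with `<`, `>` and `&` hex-escaped) rather than HTML escaping.

```python
"""Context-correct escaping of person-property values at output time.

Added example, not ChurchCRM's code: TEMPLATE, the function names and PAYLOAD
are constructed for illustration.
"""
import html
import json
import re

# Constructed sample shaped like the page's proof-of-concept payload.
PAYLOAD = "\"><img src=x onerror=alert('xss-testS')>"

# One property row rendered twice: once inside an attribute, once as text.
TEMPLATE = '<li data-value="{value}"><b>{name}</b>: {value}</li>'


def render_property_vulnerable(name: str, value: str) -> str:
    """Before: the stored value is pasted in as-is, so the leading '">'
    closes data-value and the remainder becomes a live <img> element."""
    return TEMPLATE.format(name=name, value=value)


def render_property_safe(name: str, value: str) -> str:
    """After: html.escape(quote=True) encodes & < > " and ' so the value can
    neither terminate the attribute nor start a tag, in either context."""
    return TEMPLATE.format(name=html.escape(name, quote=True),
                           value=html.escape(value, quote=True))


def to_js_literal(value: str) -> str:
    """For values handed to client-side script (a <script> block or a JSON
    island): JSON-encode, then hex-escape the characters that could close the
    enclosing element. This is the JS-context analogue of html.escape."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def js_literal_round_trips(value: str) -> bool:
    """The escaped literal still decodes to the original string."""
    return json.loads(to_js_literal(value)) == value


def tag_names(markup: str):
    """Element names a browser would create from the rendered markup."""
    return [t.lower() for t in re.findall(r"<([A-Za-z][A-Za-z0-9]*)", markup)]


def attribute_round_trip(markup: str) -> str:
    """The value a browser would hand back for the data-value attribute."""
    match = re.search(r'data-value="([^"]*)"', markup)
    return html.unescape(match.group(1)) if match else ""


if __name__ == "__main__":
    print("vulnerable:", render_property_vulnerable("Role", PAYLOAD))
    print("safe      :", render_property_safe("Role", PAYLOAD))
    print("js literal:", to_js_literal(PAYLOAD))
```

Two things the checks make visible: the vulnerable render creates two extra `img` elements and silently truncates the attribute, while the safe render keeps the stored text intact and creates no element the template did not already contain. On the browser side the equivalent of the fix is to set `textContent` or `setAttribute()` on a created element instead of assigning concatenated strings to `innerHTML`.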
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated user to inject arbitrary JavaScript code that can lead to session hijacking, privilege escalation, unauthorized actions, and full account compromise. Such security breaches can result in unauthorized access to sensitive personal data managed by ChurchCRM.
Because ChurchCRM is a church management system that likely handles personal and possibly sensitive information, exploitation of this vulnerability could lead to violations of data protection regulations such as GDPR or HIPAA by exposing or compromising personal data confidentiality and integrity.
Therefore, failure to patch this vulnerability may result in non-compliance with these common standards and regulations due to inadequate protection against cross-site scripting attacks and insufficient safeguarding of user data.