CVE-2026-36748
Cross-Site Scripting in RockRMS via Social Media Links
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| spark_development_network | rock_rms | to 17.7.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of CVE-2026-36748 on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-36748 is a high-severity Cross Site Scripting (XSS) vulnerability in Rock RMS, an open-source church and non-profit management platform.
The vulnerability occurs via the Social Media Links feature in the user profile, where insufficient input sanitization allows an attacker to inject malicious JavaScript code.
When an administrator views the malicious user's profile page, the injected script executes, enabling the attacker to escalate their privileges to administrator level.
This exploit requires the Social Media Links feature to be enabled and can be triggered by social engineering or by waiting for an admin to review new accounts.
How can this vulnerability impact me? :
This vulnerability can have a significant impact by allowing a standard user to escalate their privileges to administrator level.
An attacker who successfully exploits this flaw can gain full administrative access to the Rock RMS system, potentially compromising sensitive data and system integrity.
Since the vulnerability involves executing malicious scripts when an admin views a profile, it can be triggered through social engineering or by simply having an admin review user profiles.
No official patch is available at the time of disclosure, so mitigation involves disabling the Social Media Links feature in the admin settings.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of malicious JavaScript payloads injected into the Social Media Links fields of user profiles in Rock RMS.
Since the vulnerability involves Cross Site Scripting (XSS) via user profile social media links, detection involves reviewing user profile data for suspicious or unexpected script tags or JavaScript code.
There are no specific commands provided in the available resources, but general approaches include:
- Query the database or export user profile social media link fields and search for script tags or suspicious JavaScript code.
- Use web application scanning tools that detect XSS vulnerabilities by testing input fields, especially the Social Media Links feature.
- Monitor web server logs for unusual requests or payloads targeting user profile pages.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to disable the Social Media Links feature in the Rock RMS admin settings.
Since there is no official patch available at the time of disclosure, disabling this feature prevents attackers from injecting malicious scripts via social media links.
Additionally, administrators should be cautious when viewing user profiles, especially new accounts, to avoid triggering the exploit.