CVE-2026-36748
Deferred Deferred - Pending Action
Cross-Site Scripting in RockRMS via Social Media Links

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: MITRE

Description
RockRMS v16.13 and before v.17.7.0 is vulnerable to Cross Site Scripting (XSS) via Social Media links in user profile.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-03
Generated
2026-06-23
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-36748
EUVD
EUVD-2026-34100
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
spark_development_network rock_rms to 17.7.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of CVE-2026-36748 on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

The immediate mitigation step is to disable the Social Media Links feature in the Rock RMS admin settings.

Since there is no official patch available at the time of disclosure, disabling this feature prevents attackers from injecting malicious scripts via social media links.

Additionally, administrators should be cautious when viewing user profiles, especially new accounts, to avoid triggering the exploit.

Executive Summary

CVE-2026-36748 is a high-severity Cross Site Scripting (XSS) vulnerability in Rock RMS, an open-source church and non-profit management platform.

The vulnerability occurs via the Social Media Links feature in the user profile, where insufficient input sanitization allows an attacker to inject malicious JavaScript code.

When an administrator views the malicious user's profile page, the injected script executes, enabling the attacker to escalate their privileges to administrator level.

This exploit requires the Social Media Links feature to be enabled and can be triggered by social engineering or by waiting for an admin to review new accounts.

Impact Analysis

This vulnerability can have a significant impact by allowing a standard user to escalate their privileges to administrator level.

An attacker who successfully exploits this flaw can gain full administrative access to the Rock RMS system, potentially compromising sensitive data and system integrity.

Since the vulnerability involves executing malicious scripts when an admin views a profile, it can be triggered through social engineering or by simply having an admin review user profiles.

No official patch is available at the time of disclosure, so mitigation involves disabling the Social Media Links feature in the admin settings.

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious JavaScript payloads injected into the Social Media Links fields of user profiles in Rock RMS.

Since the vulnerability involves Cross Site Scripting (XSS) via user profile social media links, detection involves reviewing user profile data for suspicious or unexpected script tags or JavaScript code.

There are no specific commands provided in the available resources, but general approaches include:

  • Query the database or export user profile social media link fields and search for script tags or suspicious JavaScript code.
  • Use web application scanning tools that detect XSS vulnerabilities by testing input fields, especially the Social Media Links feature.
  • Monitor web server logs for unusual requests or payloads targeting user profile pages.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-36748. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart