{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35576", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T20:09:02.827Z", "datePublished": "2026-04-07T17:11:24.846Z", "dateUpdated": "2026-04-09T15:46:32.060Z"}, "containers": {"cna": {"title": "ChurchCRM has Stored Cross-Site Scripting (XSS) in Person Properties via PrintView.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8r36-fvxj-26qv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8r36-fvxj-26qv"}, {"name": "https://github.com/ChurchCRM/CRM/pull/8016", "tags": ["x_refsource_MISC"], "url": "https://github.com/ChurchCRM/CRM/pull/8016"}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"version": "< 7.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:11:24.846Z"}, "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the Person Property Management subsystem. This issue persists in versions patched for CVE-2023-38766 and allows an authenticated user to inject arbitrary JavaScript code via dynamically assigned person properties. The malicious payload is persistently stored and executed when other users view the affected person profile or access the printable view, potentially leading to session hijacking or full account compromise. This vulnerability is fixed in 7.0.0."}], "source": {"advisory": "GHSA-8r36-fvxj-26qv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T15:45:04.991207Z", "id": "CVE-2026-35576", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T15:46:32.060Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35576", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-09T15:45:04.991207Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T15:46:03.190Z"}}], "cna": {"title": "ChurchCRM has Stored Cross-Site Scripting (XSS) in Person Properties via PrintView.php", "source": {"advisory": "GHSA-8r36-fvxj-26qv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"status": "affected", "version": "< 7.0.0"}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8r36-fvxj-26qv", "name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8r36-fvxj-26qv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ChurchCRM/CRM/pull/8016", "name": "https://github.com/ChurchCRM/CRM/pull/8016", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the Person Property Management subsystem. This issue persists in versions patched for CVE-2023-38766 and allows an authenticated user to inject arbitrary JavaScript code via dynamically assigned person properties. The malicious payload is persistently stored and executed when other users view the affected person profile or access the printable view, potentially leading to session hijacking or full account compromise. This vulnerability is fixed in 7.0.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:11:24.846Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35576", "state": "PUBLISHED", "dateUpdated": "2026-04-09T15:46:32.060Z", "dateReserved": "2026-04-03T20:09:02.827Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T17:11:24.846Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the Person Property Management subsystem. This issue persists in versions patched for CVE-2023-38766 and allows an authenticated user to inject arbitrary JavaScript code via dynamically assigned person properties. The malicious payload is persistently stored and executed when other users view the affected person profile or access the printable view, potentially leading to session hijacking or full account compromise. This vulnerability is fixed in 7.0.0."}], "id": "CVE-2026-35576", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T18:16:42.273", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ChurchCRM/CRM/pull/8016"}, {"source": "security-advisories@github.com", "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8r36-fvxj-26qv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.0.0)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "CRM", "source": "cna", "vendor": "ChurchCRM"}, "product": "churchcrm", "vendor": "churchcrm"}], "analysis": {"en": {"generated_at": "2026-04-07T22:03:35.932018+00:00", "value": {"mitigation_remediation": ["Upgrade ChurchCRM to version 7.0.0 or later", "If an upgrade is not immediately feasible, restrict editing of person properties to trusted users and sanitize any input to strip or escape JavaScript content", "Limit access to the printable view feature to users with a legitimate need", "Monitor logs for unusual property changes or repeated injection attempts"], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "ChurchCRM versions before 7.0.0 carry this defect. The issue also exists in releases that applied the CVE\u20112023\u201138766 patch but did not address this flaw. The fix is deployed in 7.0.0, so any installation running an earlier branch of the 7.x series is affected. The system is an open\u2011source church management application used by churches worldwide.", "description_and_impact": "The vulnerability allows an authenticated user to store malicious JavaScript in a person property. When other users view that person\u2019s profile or access the printable view, the script runs in their browser. This stored XSS can lead to session hijacking or full account compromise. The weakness maps to CWE\u201179.", "risk_and_exploitability": "With a CVSS score of 8.7, the flaw is considered high severity. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. An attacker must be authenticated to inject the payload, but once stored, the malicious code executes automatically for any user who views the property or printable view. Consequently, once an attacker gains access, they can compromise other users without further action. The risk persists until the application is updated to 7.0.0 or higher."}}}}, "created": "2026-04-08T19:47:24.699987+00:00", "updated": "2026-04-09T08:24:01.960702+00:00", "vendors": ["churchcrm", "churchcrm$PRODUCT$churchcrm"]}