Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ChurchCRM - CVE-2026-35576


Published: April 9, 2026


Vulnerability identifier: #VU125693
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-35576
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ChurchCRM
Affected software:
ChurchCRM

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in the context of other users.

The vulnerability exists because the Person Property Management subsystem does not properly neutralize dynamically assigned property values before rendering them in a web page. A remote user can submit a specially crafted property value that is later rendered unescaped, executing arbitrary JavaScript in the context of other users.

User interaction is required when another user views the affected person profile or accesses the printable view.
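The rendering flaw described above, shown as an added PHP example that is not ChurchCRM's own code: a property value interpolated into the profile and printable views unescaped, beside the hardened form that escapes it for the HTML text context. The function names and the sample value are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: a property value as a remote user could submit it.
const SAMPLE_VALUE = '<script>alert(1)</script>';

// Vulnerable pattern (hypothetical): the stored value is interpolated into
// the HTML row unchanged, so markup in the value reaches the viewer's browser.
function renderPropertyVulnerable(string $name, string $value): string
{
    return "<tr><td>{$name}</td><td>{$value}</td></tr>";
}

// Hardened helper: escape for the HTML text/attribute context. ENT_QUOTES
// covers both quote styles, ENT_SUBSTITUTE avoids returning an empty string
// on invalid UTF-8, and the charset is stated explicitly.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened row: every user-controlled field passes through e() at output time.
function renderPropertyHardened(string $name, string $value): string
{
    return '<tr><td>' . e($name) . '</td><td>' . e($value) . '</td></tr>';
}

// The printable view reuses the same row renderer, so both views that the
// advisory mentions (profile and printable) get identical escaping.
function renderPrintable(array $properties): string
{
    $rows = '';
    foreach ($properties as $name => $value) {
        $rows .= renderPropertyHardened((string) $name, (string) $value);
    }
    return "<table>{$rows}</table>";
}

// Regression check: hardened output must carry the sample as inert text only.
function escapesSample(): bool
{
    $out = renderPropertyHardened('Nickname', SAMPLE_VALUE);
    return strpos($out, '<script') === false
        && strpos($out, '&lt;script&gt;') !== false;
}

echo renderPropertyVulnerable('Nickname', SAMPLE_VALUE), PHP_EOL; // raw tag reaches the page
echo renderPropertyHardened('Nickname', SAMPLE_VALUE), PHP_EOL;   // tag rendered as text
echo renderPrintable(['Nickname' => SAMPLE_VALUE, 'Hobby' => 'Chess']), PHP_EOL;
var_dump(escapesSample());
```

Output escaping at render time is the control CWE-79 calls for; input validation on save can supplement it but does not replace it, since values already stored before a fix remain in the database.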


How to mitigate CVE-2026-35576

Install the security update from the vendor's website.

Sources