#VU125693 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ChurchCRM - CVE-2026-35576

 


Published: April 9, 2026


Vulnerability identifier: #VU125693
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-35576
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: ChurchCRM
Software vendor: ChurchCRM

Description

The vulnerability allows a remote user to execute arbitrary JavaScript in the context of other users.

The vulnerability exists due to cross-site scripting in the Person Property Management subsystem when processing dynamically assigned property values. A remote user can submit a specially crafted property value to execute arbitrary JavaScript in the context of other users.

User interaction is required: another user must view the affected person profile or access the printable view.


Remediation

Install the security update from the vendor's website.
