ByteOS Network

NVD Vulnerability Details :

CVE-2026-35576

Analyzed

Source-security-advisories@github.com

Published At-07 Apr, 2026 | 18:16

Updated At-09 Apr, 2026 | 18:46

ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the Person Property Management subsystem. This issue persists in versions patched for CVE-2023-38766 and allows an authenticated user to inject arbitrary JavaScript code via dynamically assigned person properties. The malicious payload is persistently stored and executed when other users view the affected person profile or access the printable view, potentially leading to session hijacking or full account compromise. This vulnerability is fixed in 7.0.0.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	8.7	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Type: Secondary

Version: 3.1

Base score: 8.7

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

CPE Matches

churchcrm>>churchcrm>>Versions before 7.0.0(exclusive)

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-79	Primary	security-advisories@github.com

CWE ID: CWE-79

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/ChurchCRM/CRM/pull/8016	security-advisories@github.com	Patch
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8r36-fvxj-26qv	security-advisories@github.com	Third Party Advisory

Hyperlink: https://github.com/ChurchCRM/CRM/pull/8016

Source: security-advisories@github.com

Resource:

Patch

Hyperlink: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8r36-fvxj-26qv

Source: security-advisories@github.com

Resource:

Third Party Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History