CVE-2026-35534: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ChurchCRM CRM
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText() as an output sanitizer for HTML attribute context. The function only strips HTML tags, it does not escape quote characters allowing an attacker to break out of the href attribute and inject arbitrary JavaScript event handlers. Any authenticated user with the EditRecords role can store the payload in a person's Facebook field. The XSS fires against any user who views that person's profile page, including administrators, enabling session hijacking and full account takeover. This vulnerability is fixed in 7.1.0.
AI Analysis
Technical Summary
CVE-2026-35534 is a stored XSS vulnerability in ChurchCRM's PersonView.php prior to version 7.1.0. The root cause is improper neutralization of input during web page generation, specifically the misuse of sanitizeText() as an output sanitizer for HTML attribute context. This function strips HTML tags but does not escape quote characters, enabling attackers with EditRecords privileges to inject JavaScript event handlers into the Facebook field of a person's profile. The malicious script executes when the profile page is viewed by any user, including administrators, allowing session hijacking and full account takeover. The vulnerability has a CVSS 3.1 score of 7.6 (high severity) and is resolved in ChurchCRM 7.1.0.
Potential Impact
An attacker with authenticated access and EditRecords privileges can inject malicious JavaScript into user profile pages, which executes in the context of any user viewing that page. This can lead to session hijacking and full account takeover of affected users, including administrators. The vulnerability does not affect availability but compromises confidentiality and integrity.
Mitigation Recommendations
This vulnerability is fixed in ChurchCRM version 7.1.0. Users should upgrade to version 7.1.0 or later to remediate this issue. Since the vendor advisory or patch links are not explicitly provided, patch status is inferred from the description stating the fix is in 7.1.0. No additional mitigation steps are indicated.
CVE-2026-35534: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ChurchCRM CRM
Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText() as an output sanitizer for HTML attribute context. The function only strips HTML tags, it does not escape quote characters allowing an attacker to break out of the href attribute and inject arbitrary JavaScript event handlers. Any authenticated user with the EditRecords role can store the payload in a person's Facebook field. The XSS fires against any user who views that person's profile page, including administrators, enabling session hijacking and full account takeover. This vulnerability is fixed in 7.1.0.
CVSS v3.1
Score 7.6high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-35534 is a stored XSS vulnerability in ChurchCRM's PersonView.php prior to version 7.1.0. The root cause is improper neutralization of input during web page generation, specifically the misuse of sanitizeText() as an output sanitizer for HTML attribute context. This function strips HTML tags but does not escape quote characters, enabling attackers with EditRecords privileges to inject JavaScript event handlers into the Facebook field of a person's profile. The malicious script executes when the profile page is viewed by any user, including administrators, allowing session hijacking and full account takeover. The vulnerability has a CVSS 3.1 score of 7.6 (high severity) and is resolved in ChurchCRM 7.1.0.
Potential Impact
An attacker with authenticated access and EditRecords privileges can inject malicious JavaScript into user profile pages, which executes in the context of any user viewing that page. This can lead to session hijacking and full account takeover of affected users, including administrators. The vulnerability does not affect availability but compromises confidentiality and integrity.
Mitigation Recommendations
This vulnerability is fixed in ChurchCRM version 7.1.0. Users should upgrade to version 7.1.0 or later to remediate this issue. Since the vendor advisory or patch links are not explicitly provided, patch status is inferred from the description stating the fix is in 7.1.0. No additional mitigation steps are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-03T02:15:39.281Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d52a46aaed68159a30f8aa
Added to database: 4/7/2026, 4:01:10 PM
Last enriched: 4/15/2026, 12:24:41 PM
Last updated: 6/10/2026, 3:51:35 AM
Views: 70
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.