CVE-2026-36748 identifies a Cross Site Scripting (XSS) vulnerability in RockRMS versions up to 16.13 and before 17.7.0. The issue arises from improper sanitization or validation of social media links in user profiles, enabling attackers to inject malicious scripts. This can lead to client-side code execution when other users view the affected profiles. No CVSS score or vendor advisory is available, and no patch or mitigation details have been published. The vulnerability is self-hosted and not cloud-based.

Successful exploitation could allow an attacker to execute arbitrary scripts in the context of users viewing the compromised profile, potentially leading to session hijacking, defacement, or other client-side impacts. There is no current evidence of active exploitation. The impact is limited to the affected versions of RockRMS and depends on user interaction with maliciously crafted social media links in profiles.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider restricting or validating social media link inputs in user profiles to prevent injection of malicious scripts. Monitoring for unusual activity related to user profiles may also be prudent. No official vendor mitigation or patch is currently documented.