CVE-2026-35576 Overview
A stored cross-site scripting (XSS) vulnerability has been identified in ChurchCRM, an open-source church management system. The vulnerability exists within the Person Property Management subsystem and allows an authenticated user to inject arbitrary JavaScript code via dynamically assigned person properties. The malicious payload is persistently stored and executed when other users view the affected person profile or access the printable view, potentially leading to session hijacking or full account compromise.
This issue persists in versions that were previously patched for CVE-2023-38766, indicating an incomplete fix for the original vulnerability. The vulnerability has been addressed in version 7.0.0.
Critical Impact
Authenticated attackers can inject persistent JavaScript payloads that execute in the context of other users' sessions, potentially leading to session hijacking, credential theft, or complete account takeover of administrative accounts.
Affected Products
- ChurchCRM versions prior to 7.0.0
- ChurchCRM Person Property Management subsystem
- ChurchCRM profile view and printable view functionality
Discovery Timeline
- 2026-04-07 - CVE-2026-35576 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-35576
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) resides in ChurchCRM's Person Property Management subsystem. The vulnerability allows an authenticated user with the ability to assign person properties to inject malicious JavaScript code that persists in the database. When other users—including administrators—view the affected person's profile or access the printable view, the stored payload executes within their browser context.
The attack requires low privileges (any authenticated user) and user interaction (victim must view the affected profile). The scope of the vulnerability is changed, meaning the impact extends beyond the vulnerable component to affect other users' sessions. This can result in high confidentiality and integrity impact, as attackers can steal session tokens, perform actions on behalf of administrators, or exfiltrate sensitive church member data.
Root Cause
The root cause of this vulnerability is insufficient input sanitization and output encoding in the Person Property Management module. When user-controlled input is stored as person property values, the application fails to properly sanitize or encode the data before rendering it in the browser. This allows HTML and JavaScript content to be stored and subsequently executed when the property is displayed.
The fact that this vulnerability exists despite a previous patch for CVE-2023-38766 suggests that the original fix was incomplete, potentially missing certain input vectors or display contexts where the malicious content could be rendered.
Attack Vector
The attack is network-based and follows a typical stored XSS attack pattern:
- An authenticated attacker navigates to the Person Property Management section
- The attacker creates or modifies a person property, injecting JavaScript code in a property value field
- The malicious payload is stored in the database without proper sanitization
- When another user (such as an administrator) views the affected person's profile or generates a printable view, the JavaScript executes in their browser
- The attacker's code can then steal session cookies, perform CSRF attacks, or redirect the victim to phishing pages
The vulnerability can be exploited through dynamically assigned person properties, which are custom fields that administrators can create for storing additional information about church members. The printable view context is particularly dangerous as it may be used by administrators during routine operations.
Detection Methods for CVE-2026-35576
Indicators of Compromise
- Unusual JavaScript patterns stored in person property values in the ChurchCRM database
- Person property values containing HTML tags such as <script>, <img> with onerror handlers, or event attributes
- Unexpected network requests from user browsers to external domains when viewing person profiles
- Session tokens or cookies being transmitted to unauthorized endpoints
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect XSS payloads in HTTP POST requests to person property endpoints
- Monitor database entries in person property tables for suspicious content patterns including script tags and event handlers
- Review web server access logs for unusual patterns in requests to profile view and printable view endpoints
- Deploy browser-based XSS detection mechanisms such as Content Security Policy (CSP) violation reporting
Monitoring Recommendations
- Enable audit logging for all person property creation and modification operations
- Configure CSP headers with report-uri to capture attempted XSS execution
- Monitor for anomalous session behavior that could indicate session hijacking
- Implement real-time alerting for database modifications containing known XSS patterns
How to Mitigate CVE-2026-35576
Immediate Actions Required
- Upgrade ChurchCRM to version 7.0.0 or later immediately
- Review all existing person property values in the database for potentially malicious content
- Audit recent user activity logs to identify any exploitation attempts
- Consider temporarily restricting access to person property management features until the patch is applied
Patch Information
The vulnerability has been fixed in ChurchCRM version 7.0.0. The patch was developed and merged via GitHub Pull Request #8016. Organizations should upgrade to the latest version to remediate this vulnerability.
For detailed technical information about the vulnerability and the fix, refer to the GitHub Security Advisory GHSA-8r36-fvxj-26qv.
Workarounds
- Implement strict Content Security Policy (CSP) headers to prevent inline script execution
- Restrict person property management capabilities to trusted administrator accounts only
- Deploy a Web Application Firewall (WAF) with XSS detection rules in front of the ChurchCRM application
- Manually sanitize existing person property data by removing any HTML or JavaScript content from the database
- Consider disabling the printable view functionality until the patch can be applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
