CVE-2026-35534

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0

Description ChurchCRM is an open-source church management system. A stored cross-site scripting issue exists in the PersonView.php file because of the incorrect use of sanitizeText() as an output sanitizer for an HTML attribute context. The function only removes HTML tags and does not escape quote characters, allowing an attacker to break out of the href attribute and inject arbitrary JavaScript event handlers. Any authenticated user with the EditRecords role can store the payload in a person's Facebook field. The XSS is triggered against any user who views that person's profile page, including administrators, potentially enabling session hijacking and full account takeover.

Recommendations Update to version 7.1.0 or later.