CVE-2026-35575

CVSS v3.1

8.0

High

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel’s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically when an administrator views the page. This enables attackers to steal the administrator’s session cookies, potentially leading to full administrative account takeover. This vulnerability is fixed in 6.5.3.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1004CWE-79

Related Identifiers

CVE-2026-35575

Affected Products

Crm

CVE-2026-35575

Weakness Enumeration

Related Identifiers

Affected Products

References · 2