PT-2026-30941 · Churchcrm · Churchcrm

Saadet-T · Published 2026-04-07 · Updated 2026-04-07 · CVE-2026-35575

CVSS v3.1: 8.0 High

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

ChurchCRM versions prior to 6.5.3

Description

ChurchCRM, an open-source church management system, contains a Stored Cross-Site Scripting (Stored XSS) issue in the admin panel’s group-creation feature. A user with group-creation privileges can inject malicious JavaScript that executes when an administrator views the page. This can lead to the theft of the administrator’s session cookies and potential full administrative account takeover.

Recommendations

Update to version 6.5.3 or later.

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-35575

Affected Products

Churchcrm