PT-2026-30942 · Churchcrm · Churchcrm

Akgul7990 · Published 2026-04-07 · Updated 2026-04-07 · CVE-2026-35576

CVSS v3.1: 8.7 High

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

ChurchCRM versions prior to 7.0.0

Description

ChurchCRM, an open-source church management system, contains a stored cross-site scripting (XSS) issue in the Person Property Management subsystem. An authenticated user can inject arbitrary JavaScript code through dynamically assigned person properties. The malicious payload is persistently stored and executed when other users view the affected person profile or access the printable view, potentially leading to session hijacking or full account compromise.

Recommendations

Update to version 7.0.0 or later.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-35576

Affected Products

Churchcrm