CVE-2026-35534 — ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored…
🚨 CVE-2026-35534 ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText() as an output sanitizer for HTML attribute context.
Stored XSS in PersonView.php via Facebook Field Attribute Injection
github.com
What This Means For You
- New vulnerability disclosed — verify if your stack is exposed.
Related ATT&CK Techniques
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-35534 | Vulnerability | CVE-2026-35534 |
🔎
Get the full picture on this threat
Use /org to search affected organizations, generate IOC briefs with /brief, and set watchlist alerts — inside Telegram.
Try Intel Bot →
Source & Attribution
| Source Platform | Telegram |
| Channel | CVE Notify |
| Channel ID | 1129491012 |
| Message ID | 158872 |
| Published | April 11, 2026 at 00:26 UTC |
| Original Link | https://github.com/ChurchCRM/CRM/security/advisories/GHSA... |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.