CVE-2026-35534
ChurchCRM prior to version 7.1.0 is vulnerable to a stored cross-site scripting (XSS) in PersonView.php due to improper use of sanitizeText() as an output sanitizer for HTML attribute context. The function strips tags but does not escape quote characters, enabling an attacker with the EditRecords...