5 matches found
CVE-2026-35534
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText as an output sanitizer for HTML attribute context. The function only strips HTML tags, it does not escape quote character...
CVE-2026-35534 ChurchCRM has Stored XSS in PersonView.php via Facebook Field Attribute Injection
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText as an output sanitizer for HTML attribute context. The function only strips HTML tags, it does not escape quote character...
CVE-2026-35534
ChurchCRM prior to version 7.1.0 is vulnerable to a stored cross-site scripting (XSS) in PersonView.php due to improper use of sanitizeText() as an output sanitizer for HTML attribute context. The function strips tags but does not escape quote characters, enabling an attacker with the EditRecords...
CVE-2025-67876 ChurchCRM has Stored XSS in Group Role Name Leading to Admin Session Hijacking
ChurchCRM is an open-source church management system. A stored cross-site scripting XSS vulnerability exists in ChurchCRM versions 6.4.0 and prior that allows a low-privilege user with the “Manage Groups” permission to inject persistent JavaScript into group role names. The payload is saved in th...
EUVD-2023-42539
Malicious code in bioql PyPI...