Overview
A stored cross-site scripting (XSS) vulnerability tracked as CVE-2026-36748 has been disclosed in RockRMS, the open-source church management system widely deployed by religious organizations. The vulnerability lies in the social media links field of user profiles and carries a CVSS v3.1 base score of 9.0 (Critical).
The flaw affects RockRMS versions up to and including v16.13, with the fix available beginning in v17.7.0.
Technical Details
The vulnerability arises because RockRMS fails to adequately validate, sanitize, or output-encode user-supplied input in the social media link fields of user profiles before rendering that content to other authenticated users. An attacker with a valid (potentially low-privileged) account can store a malicious JavaScript payload in their own profile's social media link field. When an administrator or any other user views that profile, the stored script executes in the victim's browser within the application's origin, with whatever session the victim currently holds.
This stored XSS vector is particularly impactful in RockRMS deployments because:
- Administrators with elevated privileges routinely review and manage user profiles
- Successful exploitation in an admin context can lead to full application compromise, including credential harvesting, session token theft, and arbitrary administrative actions
- The flaw requires no special configuration — any standard RockRMS installation running an affected version is vulnerable
CVSS v3.1 Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (network-reachable, low attack complexity, low privileges required, user interaction required, changed scope, high confidentiality, integrity, and availability impact)
Affected Versions
| Version | Status |
|---|---|
| v16.13 and below | Vulnerable |
| v17.0.x through v17.6.x | Vulnerable |
| v17.7.0 and above | Patched |
Impact
A successful attack allows the injected script to run with the full privileges of the viewing user's browser session. Potential impacts include:
- Session hijacking — theft of authentication cookies to impersonate administrators
- Credential harvesting — overlay of fake login prompts
- Privilege escalation — using admin sessions to create new admin accounts or modify system configuration
- Data exfiltration — access to congregation member data, donation records, and personal information managed within RockRMS
Mitigation and Remediation
- Upgrade to RockRMS v17.7.0 or later immediately. This is the primary remediation.
- Audit user profiles in affected installations for suspicious content in social media link fields prior to upgrading.
- Restrict profile editing to trusted users until the upgrade can be applied.
- Review admin account activity logs for signs of unauthorized actions that may indicate the vulnerability was exploited prior to discovery.
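The following is an added illustration of the two defensive controls this advisory implies, and is not RockRMS code or the actual fix shipped in v17.7.0 (the page does not describe that patch). It covers the Technical Details passage (a raw-concatenation render beside a hardened render that validates the URL scheme and HTML-encodes output) and the audit step under Mitigation (a scan of stored profile link values for script-like content). The profile store, the user names, and the hostile sample strings are all constructed for the example; the validation rules are an assumption about what a reasonable allowlist looks like, not RockRMS's rules.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample of stored profile values (hypothetical users). The two hostile
# entries are generic test strings, not payloads taken from the advisory.
SAMPLE_PROFILE_LINKS = {
    "alice": "https://twitter.com/alice_church",
    "bob": "javascript:alert(document.cookie)",
    "carol": 'https://example.org/"><img src=x onerror=alert(1)>',
    "dave": "http://facebook.com/dave",
}

# Assumed policy: a social media link must be an absolute http(s) URL with a host.
ALLOWED_SCHEMES = {"http", "https"}

# Characters that have no business in a stored link: whitespace, C0 controls, and
# the quote/angle-bracket characters that break out of an attribute or tag.
_FORBIDDEN_CHARS = re.compile(r'[\s<>"\'\x00-\x1f]')

# Heuristic for auditing existing records: inline tags, script-capable schemes,
# event-handler attributes, or attribute-terminating characters.
_SUSPICIOUS = re.compile(
    r'(?i)(<\s*/?\s*[a-z]|javascript\s*:|data\s*:|vbscript\s*:|on[a-z]+\s*=|["\'>])'
)


def validate_social_link(value: str) -> bool:
    """Server-side input validation: accept only a bare absolute http(s) URL."""
    if not value or len(value) > 2048:
        return False
    if _FORBIDDEN_CHARS.search(value):
        return False
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    return bool(parts.netloc)


def render_link_unsafe(value: str) -> str:
    """The vulnerable pattern: the stored value is concatenated straight into HTML.
    Shown for contrast only; never use this."""
    return f'<a href="{value}">{value}</a>'


def render_link_safe(value: str) -> str:
    """Hardened rendering: reject anything that fails validation, and HTML-encode the
    value for both the attribute context (href) and the text context (link label)."""
    if not validate_social_link(value):
        return "<span>(invalid link removed)</span>"
    encoded = html.escape(value, quote=True)
    return f'<a href="{encoded}" rel="noopener noreferrer">{encoded}</a>'


def audit_profile_links(links: dict) -> list:
    """Audit step for an un-upgraded install: return (user, value, reasons) for every
    stored link that fails validation or matches the script-like heuristic."""
    findings = []
    for user, value in links.items():
        reasons = []
        if not validate_social_link(value):
            reasons.append("fails URL validation")
        if _SUSPICIOUS.search(value):
            reasons.append("contains markup or script-like content")
        if reasons:
            findings.append((user, value, reasons))
    return findings


if __name__ == "__main__":
    for user, value in SAMPLE_PROFILE_LINKS.items():
        print(f"{user:6} unsafe -> {render_link_unsafe(value)}")
        print(f"{user:6} safe   -> {render_link_safe(value)}")
    for user, value, reasons in audit_profile_links(SAMPLE_PROFILE_LINKS):
        print(f"AUDIT {user}: {value!r} ({'; '.join(reasons)})")
```

The validation rejects the `javascript:` entry on its scheme and the quote-breaking entry on its characters, so neither reaches the encoder; the encoder is still applied to accepted values so that a future gap in validation does not become an injection. The audit heuristic is deliberately broad (an `on...=` query parameter in a legitimate URL will trigger it) and is meant to produce a short list for manual review, not to be an automatic block.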