Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-36748 -- CVSS 9.0 Vulnerability Briefing

CVE-2026-36748 | CVSS 9.0 (Critical) | Exploit: No known exploit

What Is It

A stored Cross-Site Scripting (XSS) vulnerability exists in Rock RMS, a church management platform, affecting versions up to and including v16.13 and versions prior to v17.7.0, specifically within the Social Media links field of user profiles.

Technical Detail

The flaw arises from insufficient sanitization of user-supplied input in the Social Media links section of Rock RMS user profiles, allowing an attacker to inject and persist malicious JavaScript that executes in the browser context of any user who views the affected profile. Exploitation requires the ability to create or modify a user profile, which may be achievable by any authenticated user depending on platform configuration. If triggered against a privileged user such as an administrator, the injected script could be used to hijack sessions, steal credentials, perform unauthorized actions on behalf of the victim, or facilitate further compromise of the application.

Exploitation Status

No known exploit code has been publicly identified at this time, and this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is currently assessed as no known exploit, meaning there is no confirmed public proof-of-concept or observed in-the-wild exploitation as of June 10, 2026.

Who Is Targeting This

No specific threat actor attribution at this time. Neither confirmed nor reported threat actor associations have been established for this vulnerability.

What To Do

Organizations running Rock RMS should upgrade to version v17.7.0 or later as the primary remediation step, as this release is indicated to address the vulnerability. Until patching is complete, administrators should review and restrict profile editing permissions to limit the attack surface, and consider auditing existing Social Media link fields in user profiles for any suspicious or unexpected content. Security teams should monitor application logs for unusual profile modification activity and implement a Content Security Policy where feasible to reduce the impact of any XSS execution. Given the CVSS score of 9.0, patching should be treated as high priority even in the absence of confirmed active exploitation.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →