External risk intelligence

RockRMS Cross-Site Scripting in User Profiles Affects Social Media Links.

CVE advisorySeverity: CRITICAL (CVSS 9.0)

CVE-2026-36748

RockRMS is a web-based church management system typically deployed as a public-facing or organization-wide web application. While the vulnerability requires a user profile, these platforms are commonly accessible over the internet to staff and members, making the web interface and its features reachable in typical deployments.

Cross-site Scripting

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects RockRMS, a church management system, allowing for cross-site scripting through social media links in user profiles. The high severity rating indicates a significant potential risk if exploited. The main concern is confirming if our organization utilizes this specific software and, if so, assessing the exposure.

  • Flaw in church software's social media links.
  • Potential for unauthorized actions if exploited.
  • Confirm software use and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by tricking a logged-in user into clicking a specially crafted link. If the user is authenticated and has permission to edit their profile, they can be directed to a page where a malicious script is embedded within a social media link. This script would then execute within the context of the victim's browser session.

  • Requires authenticated user access.
  • Triggered by clicking a malicious link.
  • Leads to potential data theft and unauthorized actions.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to execute malicious scripts in a user's browser when they interact with a compromised social media link on a user profile. This may lead to unauthorized access to sensitive information or actions performed on behalf of the affected user, depending on their privileges and the application's context.

  • User profile data could be exposed.
  • Via a crafted social media link.
  • Unauthorized actions may be performed.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects RockRMS, a web-based church management system. The most practical first step is for the platform or application owner to identify all instances of RockRMS, determine their reachability and criticality, and then confirm the accountable owner for remediation planning. Coordination with the vendor may be necessary.

  • Platform or application owners should manage this.
  • Verify RockRMS instance reachability and criticality.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is RockRMS?

RockRMS is a web-based management platform designed for churches and religious organizations. It functions as a central database to handle member data, communications, and volunteer scheduling. Because it manages sensitive community information, it is often deployed as a web application that remains accessible to staff, volunteers, or members via a browser.

What does CVE-2026-36748 mean?

This CVE describes a Cross-Site Scripting (XSS) vulnerability, classified as CWE-79. In plain terms, this means the software does not properly sanitize data entered into social media profile fields. An attacker can inject malicious code into these fields, which the application then unintentionally displays and executes in the browsers of other people viewing those profiles.

How is this vulnerability triggered?

An attacker must trick a logged-in user into interacting with a specially crafted social media link within a profile. Simply navigating the site or viewing a standard profile does not trigger the vulnerability. The script runs only when a victim is authenticated and actively views or interacts with the specific malicious link injected into the profile.

Is my organization at risk?

According to Halo Surface Signal, risk depends on how your instance is hosted. Because RockRMS is typically deployed as a web-accessible application for staff or members, it is often reachable over the internet. If your platform is publicly accessible or allows users to manage their own profiles, your instance likely falls within the scope of this security concern.

What should I do first to address this?

Start by identifying all instances of RockRMS running within your environment. Once you have a list of deployments, determine which are accessible to users or the public to gauge potential exposure. Coordinate with your IT or application owners to track these systems and prepare for vendor-supplied updates or security guidance as it becomes available.

References