CVE-2026-36748: XSS in Rock RMS Leads to Privilege Escalation

Rock RMS is an open-source church and non-profit management platform maintained by Spark Development Network. During a routine web application penetration test, I discovered a cross-site scripting (XSS) vulnerability within the Rock RMS platform. I wanted to see how far I could take the XSS and stood up Rock RMS within a virtual lab and began further testing. After a few trial-and-error attempts, I successfully crafted a custom XSS payload that can escalate the privileges of a standard user account to an administrator just by having an administrator view the malicious users’ profile page.

While this vulnerability does not require direct interaction from the target user, the targeted administrator does need to view the malicious user profile page to trigger the XSS payload and escalate privileges. This could be accomplished by waiting for an administrator to view profiles of new accounts or even by social engineering a website administrator into looking at the profile by requesting support from the target organization, which may trigger the administrator to view the user’s page to troubleshoot a potential issue. 

This vulnerability stems from a lack of input sanitization in the Social Media Links within the My Account user profile page. A specially crafted update can lead to arbitrary JavaScript execution within the context of an administrator’s browser session.

Summary

• CVE ID: CVE-2026-36748
• Release Date: June 1, 2026
• Severity: High
• CVSS: 9.0 (High) CVSS3.1:/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:F/RL:U/RC:C
• Affected Product: Rock RMS by SparkDevNetwork
• Tested Versions: 16.13, 17.7
• Affected Versions: Known to affect <= 17.7.0 and possibly newer versions that are not publicly available.

What’s Affected

This cross-site scripting vulnerability affects Rock RMS with the Social Media Links feature enabled for user profiles. Once enabled on the site, the My Account page for logged in users contains an input field intended for links to social networks. This field is not sanitized server-side.

I’ve tested this vulnerability on versions 16.13 and 17.7 of Rock RMS. SparkDevNetwork releases publicly after one year of early access. As such, it is possible this has been patched in newer pre-release builds. However, these builds were unavailable for testing at the time of publishing. In addition, the vendor has been unresponsive in attempts to report the vulnerability and ensure a patch is made available. 

It is very likely that all versions of Rock RMS prior to and including 17.7 are affected, although they were not tested here. 

Mitigation

Simply disable the Social Media Links within user profiles to remove this attack surface and prevent this attack. Browse to Admin > Settings > General > Person Attributes .

The Social Media types are listed there.

Open each social media type and uncheck the Active checkbox.

Proof of Concept

This vulnerability requires Social Media Links to be enabled, which exposes a Twitter, Facebook, Instagram, or Snapchat field in the My Account page for a logged in user. These fields can be enabled by checking the Active checkbox described above in the Mitigation section.

Register a user account with standard user permissions:

Go to My Account and then click the button to Update Profile:

Open Developer Tools in your browser and execute the following JavaScript in the console to obtain your GUID. This will be used in the XSS payload to escalate privileges:

document.querySelector(`[id*=hfEditPersonGuid]`).value

Update a Social Media Link with placeholder text and click Save. Intercept this request in Burp Suite or another proxy:

In the interception proxy, replay the POST update to /MyAccount and replace the placeholder text with the following payload. Ensure you add the GUID that you acquired above to the payload:

+'+autofocus+onfocus='fetch(`/api/People?$filter=Guid+eq+guid\u0027<INSERT_GUID_HERE>\u0027%26$select=Id`).then(r=>r.json()).then(d=>fetch(`/api/GroupMembers`,{method:`POST`,headers:{[`Content-Type`]:`application/json`},body:JSON.stringify({IsSystem:false,GroupId:2,PersonId:d[0].Id,GroupRoleId:1,GroupMemberStatus:1})}))'

Confirm access to /Admin is restricted:

Wait for an Admin user or coerce an Admin user to view your malicious user profile. For the following proof of concept, I used the RockAdmin administrator user to view the malicious account’s profile:

Upon visiting the profile page, the XSS payload executes and adds the malicious user to the RSR – Rock Administration group.

Next, as the Malicious User, visit the /Admin site while logged in. You now have full administrative access to the Rock RMS site:

Viewing the Malicious User’s group membership, we can see that Malicious User is a member of the RSR – Rock Administration group:

Disclosure Timeline

This vulnerability disclosure follows the industry standard 90-day responsible disclosure policy.

• March 1, 2026: Vulnerability reported to SparkDevNetwork
• March 11, 2026: First follow-up without response
• April 3, 2026: Second follow-up without response
• May 18, 2026: CVE-2026-36748 assigned to this vulnerability
• May 18, 2026: Third follow-up without response
• June 1, 2026: Initial write-up and public disclosure

References

• https://www.cve.org/CVERecord?id=CVE-2026-36748
• https://nvd.nist.gov/vuln/detail/CVE-2026-36748 (Publishing may be delayed past June 1 on NIST)
• https://www.rockrms.com