Platform
php
Component
churchcrm-crm
Fixed in
6.5.4
CVE-2026-35573 describes a critical Remote Code Execution (RCE) vulnerability discovered in ChurchCRM, an open-source church management system. This flaw allows authenticated administrators to upload arbitrary files, potentially leading to complete system compromise. The vulnerability affects versions 6.5.0 through 6.5.2 and has been resolved in version 6.5.3.
The impact of CVE-2026-35573 is severe. An attacker exploiting this vulnerability can gain remote code execution on the ChurchCRM server with administrator privileges. This allows them to execute arbitrary commands, potentially leading to data theft, system modification, or complete system takeover. The ability to overwrite Apache .htaccess files is particularly concerning, as it provides a straightforward path to gain control over web server configuration and execute malicious code. This could lead to defacement, malware distribution, or further exploitation of the underlying server infrastructure. The attack vector is relatively simple, requiring only authentication as an administrator.
This vulnerability was publicly disclosed on April 7, 2026. While no active exploitation campaigns have been publicly reported, the ease of exploitation and the critical nature of the vulnerability make it a likely target for malicious actors. The vulnerability's presence in an open-source church management system could make it particularly attractive to attackers targeting religious organizations. No KEV listing is currently available.
Churches and religious organizations utilizing ChurchCRM versions 6.5.0 through 6.5.2 are at immediate risk. Shared hosting environments where ChurchCRM is installed are particularly vulnerable, as a compromise of one account could potentially impact other users on the same server. Organizations relying on ChurchCRM for sensitive member data and financial management are especially vulnerable.
• linux / server: Monitor Apache access logs for unusual file uploads to /var/www/html/tmp_attach/ChurchCRMBackups/. Look for attempts to upload files with names containing .htaccess or other potentially malicious extensions.
grep -i 'tmp_attach/ChurchCRMBackups/.*\.htaccess' /var/log/apache2/access.log
• generic web: Use curl to test the backup restore endpoint with a malicious filename. Check the server's response for any errors or unexpected behavior.
curl -X POST -F '[email protected]' <churchcrm_url>/backup/restore.php
Exploit status
EPSS
0.34% (57th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35573 is to immediately upgrade ChurchCRM to version 6.5.3 or later. If upgrading is not immediately feasible, consider restricting file upload permissions for the backup restore functionality. Implement strict input validation on the $rawUploadedFile['name'] parameter to prevent arbitrary filenames. As a temporary workaround, consider disabling the backup/restore functionality entirely if it is not essential. Monitor web server logs for suspicious file uploads or modifications to .htaccess files. After upgrading, confirm the fix by attempting a backup and restore operation with a benign file to ensure the vulnerability is no longer exploitable.
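As an added illustration of the filename validation recommended above (this is not ChurchCRM's own code; the backup directory path and the accepted archive extensions are assumptions), a PHP validator that rejects traversal sequences, dotfiles such as .htaccess and non-archive names before an uploaded backup name is used to build a path:

```php
<?php
// Added illustrative example, not ChurchCRM's code. Validates an uploaded
// backup file name before it is written under the backup directory, so that
// names such as ".htaccess" or "../foo" cannot escape the directory or
// overwrite web server configuration. $backupDir is an assumed path.

function validateBackupUploadName(string $rawName, string $backupDir): string
{
    // Reject empty or overlong names outright.
    if ($rawName === '' || strlen($rawName) > 255) {
        throw new InvalidArgumentException('empty or overlong file name');
    }
    // Only a plain base name is acceptable: no separators, no NUL bytes.
    if (strpbrk($rawName, "/\\\0") !== false || $rawName !== basename($rawName)) {
        throw new InvalidArgumentException('path separators are not allowed');
    }
    // Dotfiles (.htaccess, .user.ini, ...) must never be created by an upload.
    if ($rawName[0] === '.') {
        throw new InvalidArgumentException('hidden/config file names are not allowed');
    }
    // Allow-list the character set and the extensions a backup can legitimately have
    // (assumed set: zip, sql, gz).
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\.(zip|sql|gz)$/i', $rawName)) {
        throw new InvalidArgumentException('file name is not a recognised backup archive');
    }
    // Belt and braces: the final path must resolve inside the backup directory.
    $realDir = realpath($backupDir);
    if ($realDir === false) {
        throw new RuntimeException('backup directory does not exist');
    }
    $target = $realDir . DIRECTORY_SEPARATOR . $rawName;
    if (dirname($target) !== $realDir) {
        throw new RuntimeException('resolved path escapes the backup directory');
    }
    return $target;
}

// Constructed sample inputs for demonstration only.
$backupDir = sys_get_temp_dir() . '/ChurchCRMBackups';
@mkdir($backupDir, 0700, true);
$samples = ['backup-2026-04-07.zip', '.htaccess', '../../.htaccess', 'shell.php', 'dump.tar.gz'];
foreach ($samples as $name) {
    try {
        echo $name, ' -> accepted: ', validateBackupUploadName($name, $backupDir), PHP_EOL;
    } catch (Exception $e) {
        echo $name, ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Of the constructed samples, only backup-2026-04-07.zip and dump.tar.gz are accepted; the dotfile, the traversal attempt and the .php name are each rejected with a specific reason.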
Update ChurchCRM to version 6.5.3 or higher to fix the path traversal vulnerability. This update resolves the issue by correctly validating the names of uploaded files, which prevents the possibility of overwriting Apache .htaccess configuration files.
CVE-2026-35573 is a critical Remote Code Execution vulnerability affecting ChurchCRM versions 6.5.0 through 6.5.2, allowing authenticated administrators to upload arbitrary files and execute code.
If you are running ChurchCRM version 6.5.0, 6.5.1, or 6.5.2, you are vulnerable to this RCE vulnerability. Upgrade to 6.5.3 immediately.
The recommended fix is to upgrade ChurchCRM to version 6.5.3 or later. As a temporary workaround, restrict file upload permissions and disable .htaccess overrides.
While no active exploitation campaigns have been publicly reported, the vulnerability's severity and ease of exploitation make it a likely target for attackers.
Refer to the ChurchCRM security advisory for detailed information and updates: [https://www.churchcrm.org/security/advisories](https://www.churchcrm.org/security/advisories)