Platform
php
Component
churchcrm
Fixed in
6.5.4
CVE-2026-35575 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in ChurchCRM, an open-source church management system. This vulnerability allows an attacker to inject malicious JavaScript code, potentially leading to the theft of administrator session cookies and complete account compromise. The vulnerability affects versions 6.5.0 through 6.5.2, and a patch is available in version 6.5.3.
The impact of this XSS vulnerability is significant, as it allows an attacker to execute arbitrary JavaScript code within the context of an administrator's session. This can be exploited to steal session cookies, effectively granting the attacker full administrative access to the ChurchCRM system. An attacker could then modify church records, access sensitive member data, or even compromise the entire system. The stored nature of the XSS means the malicious script persists until removed, potentially affecting multiple administrators over time. This vulnerability shares similarities with other XSS attacks where session hijacking is the primary goal, allowing for persistent compromise.
CVE-2026-35575 was publicly disclosed on 2026-04-07. There is currently no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept (PoC) code is not widely available, but the vulnerability's nature makes it relatively straightforward to exploit.
Churches and religious organizations using ChurchCRM versions 6.5.0 through 6.5.2 are at direct risk. Organizations with limited IT security resources or those relying on shared hosting environments are particularly vulnerable, as they may be slower to apply security updates. Administrators with group-creation privileges are the most immediate targets.
• php: Examine ChurchCRM logs for suspicious POST requests to the group creation endpoint containing JavaScript payloads. Use grep to search for patterns like <script> or alert() within these logs.
• generic web: Monitor access logs for requests to the group creation endpoint with unusual user agents or referrer headers.
• generic web: Use curl to test the group creation endpoint with a simple XSS payload and observe the response for signs of script execution (e.g., an alert box).
```sh
curl -X POST -d 'group_name=<script>alert("XSS")</script>' http://churchcrm/admin/group_create.php
```
Disclosure
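As an added example (not from this advisory or the ChurchCRM project), the log check from the detection step above in Python: it URL-decodes each logged request repeatedly before looking for script markers, so percent-encoded or double-encoded payloads that a plain grep for `<script>` would miss are still flagged. The log lines are constructed, the endpoint path is taken from the curl command on this page, and the assumption that the request body is logged as a trailing quoted field (as a WAF or request-logging module might record it) is mine.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines, not from any real deployment: combined access-log
# format plus one assumed trailing quoted field holding the request body (as a
# WAF or request-logging module might record it).
SAMPLE_LOG = """\
10.0.0.5 - admin [07/Apr/2026:10:01:12 +0000] "POST /admin/group_create.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" "group_name=Youth+Choir"
10.0.0.9 - admin [07/Apr/2026:10:02:40 +0000] "POST /admin/group_create.php HTTP/1.1" 302 0 "-" "curl/8.4.0" "group_name=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E"
10.0.0.9 - admin [07/Apr/2026:10:03:01 +0000] "POST /admin/group_create.php HTTP/1.1" 302 0 "-" "curl/8.4.0" "group_name=%253Cscript%253Ealert(1)%253C/script%253E"
10.0.0.7 - admin [07/Apr/2026:10:04:15 +0000] "GET /admin/group_list.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
"""

# Endpoint path as it appears in the curl command on this page; adjust as needed.
GROUP_CREATE_ENDPOINT = "/admin/group_create.php"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<body>[^"]*)")?$'
)

# Script-injection markers, matched only after decoding.
SCRIPT_MARKERS = re.compile(
    r'<\s*script|javascript\s*:|<\s*(?:img|svg|iframe)\b|\bon[a-z]+\s*=', re.I
)

def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly until stable, so double-encoded payloads surface."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_suspicious_group_requests(log_text, endpoint=GROUP_CREATE_ENDPOINT):
    """Return records for requests to the group endpoint carrying script markers."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m or m.group("path").split("?", 1)[0] != endpoint:
            continue
        # Inspect both the query string and the logged body.
        raw = m.group("path").partition("?")[2] + "&" + (m.group("body") or "")
        decoded = fully_decode(raw).strip("&")
        if SCRIPT_MARKERS.search(decoded):
            hits.append({"line": lineno, "ip": m.group("ip"), "user": m.group("user"),
                         "ua": m.group("ua"), "decoded": decoded})
    return hits
```

Running `find_suspicious_group_requests(SAMPLE_LOG)` flags lines 2 and 3 only; the legitimate group creation on line 1 and the unrelated GET on line 4 are not reported.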
Exploit status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35575 is to immediately upgrade ChurchCRM to version 6.5.3 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block suspicious JavaScript injection attempts in the group-creation form. Carefully review and sanitize all user input, particularly when dealing with administrative functions. Regularly audit user roles and permissions to ensure that only authorized personnel have group-creation privileges. After upgrading, confirm the fix by attempting to create a group with a simple JavaScript payload (e.g., <script>alert('XSS')</script>) and verifying that the script does not execute.
Upgrade ChurchCRM to version 6.5.3 or later to mitigate the XSS vulnerability. This update fixes the issue by correctly validating the group name input, preventing the injection of malicious code.
CVE-2026-35575 is a Stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM versions 6.5.0 through 6.5.2, allowing attackers to inject malicious JavaScript.
You are affected if you are using ChurchCRM versions 6.5.0, 6.5.1, or 6.5.2. Upgrade to 6.5.3 or later to resolve the issue.
Upgrade ChurchCRM to version 6.5.3 or later. As a temporary workaround, implement a WAF rule to block suspicious JavaScript injection attempts.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the ChurchCRM security advisories page for the latest information: [https://www.churchcrm.org/security](https://www.churchcrm.org/security)