Platform: php
Component: churchcrm-crm
Fixed in: 6.5.4
CVE-2026-35573 describes a Remote Code Execution (RCE) vulnerability discovered in ChurchCRM, an open-source church management system. This flaw allows authenticated administrators to upload arbitrary files, potentially leading to complete system compromise. The vulnerability affects versions 6.5.0 through 6.5.2 and has been resolved in version 6.5.3.
The impact of this vulnerability is severe. An attacker with an authenticated administrator account can use the path traversal flaw in the backup restore functionality to write uploaded files outside the intended backup directory. Those files can overwrite Apache's .htaccess configuration files, giving the attacker control over web server behavior. That control can be used to execute arbitrary code on the server, potentially leading to data breaches, system takeover, and further lateral movement within the network. The ability to overwrite .htaccess files provides a direct path to code execution, bypassing standard security measures. Successful exploitation could expose sensitive church data, including member information, financial records, and internal communications.
This vulnerability was publicly disclosed on April 7, 2026. While no active exploitation campaigns have been publicly reported, the ease of exploitation and the critical severity of the vulnerability make it a high-priority target. Because exploitation requires authentication, an attacker would first need to compromise an administrator account, but the potential impact justifies immediate attention. No KEV listing is currently available.
Exploit Status
EPSS: 0.34% (57th percentile)
The primary mitigation for CVE-2026-35573 is to upgrade ChurchCRM to version 6.5.3 or later immediately. If upgrading is not immediately feasible, consider restricting file upload permissions for the backup restore functionality. Implement strict input validation on the $rawUploadedFile['name'] parameter so that it cannot carry path traversal sequences or arbitrary filenames. As a temporary workaround, configure the web server to disallow .htaccess file overrides or restrict access to the /var/www/html/tmp_attach/ChurchCRMBackups/ directory. After upgrading, verify the fix by attempting a backup and restore operation with a file whose name contains path traversal sequences, confirming that the file cannot be written outside the backup directory.
Update ChurchCRM to version 6.5.3 or later to mitigate the path traversal vulnerability. This update fixes the issue by correctly validating uploaded file names, preventing the possibility of overwriting Apache .htaccess configuration files.
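The kind of filename validation the mitigation above calls for, written here as an added example rather than ChurchCRM's own code: it treats the value the page names as $rawUploadedFile['name'] as untrusted, rejects directory separators and dotfiles such as .htaccess, and confirms the resolved path stays inside the backup directory. The constant BACKUP_DIR and the function safe_backup_path() are assumed names, not identifiers from the project.

```php
<?php
// Added example (not ChurchCRM's own code): validate the user-supplied name
// of an uploaded backup archive before it is written into the restore
// directory. Assumed names: BACKUP_DIR, safe_backup_path().

const BACKUP_DIR = '/var/www/html/tmp_attach/ChurchCRMBackups';

// Returns the absolute path the upload may be written to, or null when the
// name is rejected. The caller passes $rawUploadedFile['name'] as $userName.
function safe_backup_path(string $userName, string $backupDir = BACKUP_DIR): ?string
{
    // NUL bytes and directory separators are never part of a legitimate
    // archive name; "../" sequences are what steer the write out of $backupDir.
    if ($userName === '' || strpbrk($userName, "\0/\\") !== false) {
        return null;
    }
    // Allow-list the whole name: leading alphanumeric (so no dotfiles such as
    // .htaccess), a bounded length, and one of the expected archive suffixes.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.(tar\.gz|sql\.gz|zip)\z/', $userName)) {
        return null;
    }
    // Defence in depth: resolve the directory and confirm the final path still
    // lies inside it (realpath() collapses symlinks and ".." components).
    $base = realpath($backupDir);
    if ($base === false) {
        return null;
    }
    $target = $base . DIRECTORY_SEPARATOR . $userName;
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Self-contained demo against a temporary directory; all inputs are constructed.
$demoDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'churchcrm_backup_demo';
if (!is_dir($demoDir)) {
    mkdir($demoDir, 0700, true);
}
$samples = [
    'backup-2026-04-01.tar.gz',   // accepted
    '../../.htaccess',            // rejected: directory separators
    '.htaccess',                  // rejected: dotfile, no archive suffix
    "backup.tar.gz\0.htaccess",   // rejected: NUL byte
    'backup.php',                 // rejected: suffix not allow-listed
];
foreach ($samples as $name) {
    $path = safe_backup_path($name, $demoDir);
    printf("%-30s -> %s\n", json_encode($name), $path ?? 'REJECTED');
}
```

Pairing this check with an Apache `AllowOverride None` for the upload directory implements the "disallow .htaccess overrides" workaround described above at the web server layer as well.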
CVE-2026-35573 is a critical Remote Code Execution vulnerability affecting ChurchCRM versions 6.5.0 through 6.5.2, allowing authenticated administrators to upload arbitrary files and execute code.
If you are running ChurchCRM version 6.5.0, 6.5.1, or 6.5.2, you are affected by this RCE vulnerability. Upgrade to 6.5.3 immediately.
The recommended fix is to upgrade ChurchCRM to version 6.5.3 or later. As a temporary workaround, restrict file upload permissions and disable .htaccess overrides.
While no active exploitation campaigns have been publicly reported, the vulnerability's severity and ease of exploitation make it a likely target for attackers.
Refer to the ChurchCRM security advisory for detailed information and updates: [https://www.churchcrm.org/security/advisories](https://www.churchcrm.org/security/advisories)