Platform
php
Component
churchcrm-crm
Fixed in
6.5.4
CVE-2026-35573 describes a Remote Code Execution (RCE) vulnerability discovered in ChurchCRM, an open-source church management system. This flaw allows authenticated administrators to upload arbitrary files, potentially leading to complete system compromise. The vulnerability affects versions 6.5.0 through 6.5.2 and has been resolved in version 6.5.3.
The impact of this vulnerability is severe. An attacker holding an authenticated administrator account can leverage the path traversal flaw in the backup restore functionality to upload malicious files. These files can overwrite Apache's .htaccess configuration files, granting the attacker control over web server behavior. This control can be used to execute arbitrary code on the server, potentially leading to data breaches, system takeover, and further lateral movement within the network. The ability to modify .htaccess files provides a direct path to code execution that bypasses the application's own access controls. Successful exploitation could expose sensitive church data, including member information, financial records, and internal communications.
This vulnerability was publicly disclosed on April 7, 2026. While no active exploitation campaigns have been publicly reported, the ease of exploitation and the critical severity of the vulnerability make it a high-priority target. Because exploitation requires authentication, an attacker would first need to compromise an administrator account, but the potential impact justifies immediate attention. The vulnerability is not currently listed in CISA's KEV catalog.
Churches and religious organizations running ChurchCRM versions 6.5.0 through 6.5.2 are at immediate risk. Shared hosting environments where ChurchCRM is installed are particularly exposed, as a compromise of one account could affect other users on the same server. Organizations relying on ChurchCRM for sensitive member data and financial management face the greatest exposure.
• linux / server: Monitor Apache access logs for unusual file uploads to /var/www/html/tmp_attach/ChurchCRMBackups/. Look for attempts to upload files with names containing .htaccess or other potentially malicious extensions.
grep -i 'tmp_attach/ChurchCRMBackups/.*\.htaccess' /var/log/apache2/access.log
• generic web: Use curl to test the backup restore endpoint with a malicious filename. Check the server's response for any errors or unexpected behavior.
curl -X POST -F '[email protected]' <churchcrm_url>/backup/restore.php
Disclosure
Exploit Status
EPSS
0.34% (57th percentile)
The primary mitigation for CVE-2026-35573 is to immediately upgrade ChurchCRM to version 6.5.3 or later. If upgrading is not immediately feasible, consider restricting file upload permissions for the backup restore functionality. Implement strict input validation on the $rawUploadedFile['name'] parameter to prevent arbitrary filenames. As a temporary workaround, configure the web server to disallow .htaccess file overrides or restrict access to the /var/www/html/tmp_attach/ChurchCRMBackups/ directory. After upgrading, verify the fix by attempting a backup and restore operation with a file containing a malicious filename to ensure the vulnerability is no longer exploitable.
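As an added illustration of the input validation recommended above (this is example code, not ChurchCRM's own fix), the function below sanitizes the client-supplied filename of an uploaded backup archive before anything is written to disk. It assumes PHP 8, a hypothetical function name, an assumed list of legitimate backup extensions, and a temporary directory for the demo.

```php
<?php
// Added example (not ChurchCRM's own code): server-side validation of the
// client-supplied filename of an uploaded backup archive before it touches disk.
// The unsafe pattern this guards against is using the raw name directly, e.g.
//   move_uploaded_file($tmp, $backupDir . '/' . $rawUploadedFile['name']);
// Function name, allowed extensions and demo directory are assumptions.
declare(strict_types=1);

function validateBackupUploadName(string $clientName, string $backupDir): string
{
    // NUL bytes can truncate paths in lower layers; refuse them outright.
    if (str_contains($clientName, "\0")) {
        throw new InvalidArgumentException('rejected name: contains NUL byte');
    }
    // Drop any directory component the client sent ("../../x" -> "x").
    $name = basename(str_replace('\\', '/', $clientName));

    // Reject dotfiles (.htaccess, .user.ini) and unusual characters.
    if ($name === '' || $name[0] === '.'
        || !preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $name)) {
        throw new InvalidArgumentException("rejected name: $name");
    }

    // Accept only archive types a backup can legitimately be (assumed list).
    if (!preg_match('/\.(zip|sql|sql\.gz|tar\.gz)$/i', $name)) {
        throw new InvalidArgumentException("rejected extension: $name");
    }

    // Build the on-disk path ourselves and confirm it resolves inside
    // $backupDir; a random prefix also prevents overwriting existing files.
    $root = realpath($backupDir);
    if ($root === false || !is_dir($root)) {
        throw new RuntimeException("backup directory unavailable: $backupDir");
    }
    $target = $root . DIRECTORY_SEPARATOR . bin2hex(random_bytes(8)) . '-' . $name;
    if (!str_starts_with($target, $root . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('path escaped backup directory');
    }
    return $target;
}

// Constructed inputs; the directory is a temp dir so the demo runs anywhere.
$demoDir = sys_get_temp_dir();
foreach (['members-2026.sql.gz', '../../.htaccess', 'shell.php', "a\0b.zip"] as $candidate) {
    try {
        echo 'accepted: ' . validateBackupUploadName($candidate, $demoDir) . "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

Only the first constructed name is accepted; the traversal, dotfile, script and NUL-byte cases are all refused before any filesystem write.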
Update ChurchCRM to version 6.5.3 or later to mitigate the path traversal vulnerability. This update corrects the problem by properly validating the names of uploaded files, which prevents Apache .htaccess configuration files from being overwritten.
CVE-2026-35573 is a critical Remote Code Execution vulnerability affecting ChurchCRM versions 6.5.0 through 6.5.2, allowing authenticated administrators to upload arbitrary files and execute code.
If you are running ChurchCRM version 6.5.0, 6.5.1, or 6.5.2, you are vulnerable to this RCE vulnerability. Upgrade to 6.5.3 immediately.
The recommended fix is to upgrade ChurchCRM to version 6.5.3 or later. As a temporary workaround, restrict file upload permissions and disable .htaccess overrides.
While no active exploitation campaigns have been publicly reported, the vulnerability's severity and ease of exploitation make it a likely target for attackers.
Refer to the ChurchCRM security advisory for detailed information and updates: [https://www.churchcrm.org/security/advisories](https://www.churchcrm.org/security/advisories)