Platform
php
Component
churchcrm-crm
Fixed in
6.5.4
CVE-2026-35573 describes a Remote Code Execution (RCE) vulnerability discovered in ChurchCRM, an open-source church management system. This flaw allows authenticated administrators to upload arbitrary files, potentially leading to complete system compromise. The vulnerability affects versions 6.5.0 through 6.5.2 and has been resolved in version 6.5.3.
The impact of this vulnerability is severe. An attacker with authenticated administrator privileges can use the path traversal flaw in the backup restore functionality to write uploaded files outside the intended backup directory. Among the files that can be overwritten are Apache .htaccess configuration files, which give the attacker control over web server behaviour for the affected directory and, from there, a direct path to executing arbitrary code on the server without having to bypass the application's own access controls. That code execution can lead to data breaches, full system takeover and lateral movement within the network. Successful exploitation could expose sensitive church data, including member information, financial records, and internal communications.
This vulnerability was publicly disclosed on April 7, 2026. No active exploitation campaigns have been publicly reported, but the ease of exploitation and the critical severity make it a high-priority fix. Exploitation requires an authenticated administrator account, so an attacker would first need to compromise or phish such an account (or be a malicious insider); the potential impact still justifies immediate attention. The CVE is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Churches and religious organizations running ChurchCRM versions 6.5.0 through 6.5.2 are at immediate risk. Shared hosting environments where ChurchCRM is installed are particularly exposed, because a compromise of one account could affect other users on the same server. Organizations relying on ChurchCRM for sensitive member data and financial management have the most to lose.
• linux / server: Monitor Apache access logs for POST requests to the backup restore endpoint and for any request path that references /var/www/html/tmp_attach/ChurchCRMBackups/, contains .htaccess, or contains traversal sequences (including URL-encoded forms such as %2e%2e%2f). Note that the access log records only the request line, not the filename inside a multipart upload body, so a traversal filename itself will not appear there; to see what was actually written, audit the backup directory and watch for new or modified .htaccess files (for example with auditd or inotify) and check the application's own logs.
grep -i 'tmp_attach/ChurchCRMBackups/.*\.htaccess' /var/log/apache2/access.log
• generic web: On a test instance, use curl with an administrator session cookie (-b) to submit a restore whose filename contains a traversal sequence, and confirm that a patched server rejects it rather than writing outside the backup directory (substitute the form field name and a test file).
curl -b '<session_cookie>' -X POST -F '<form_field>=@<test_file>' <churchcrm_url>/backup/restore.php
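The log check above, carried out as a small scanner rather than a single grep. This is an added example, not ChurchCRM's code or part of the advisory: the endpoint and directory names are taken from the text above, the log lines are constructed for the demo, and the scanner decodes the request path (twice, to catch double-encoding) before matching. As noted, it can only see the restore POST and any later request for a written file, not the filename carried inside the upload body.

```python
"""Scan Apache combined-format access-log lines for activity that could indicate
abuse of the ChurchCRM backup-restore path traversal.
Added example; not ChurchCRM code. Endpoint/directory names are assumptions
taken from the advisory text above; adjust them to your installation."""
import re
from urllib.parse import unquote

# ip ident user [timestamp] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

RESTORE_ENDPOINT = "/backup/restore.php"          # assumption (from the advisory text)
BACKUP_DIR = "tmp_attach/ChurchCRMBackups/"       # assumption (from the advisory text)


def normalize(path: str) -> str:
    """Decode twice so %2e%2e and %252e%252e both become '..', then lowercase."""
    return unquote(unquote(path)).lower()


def classify(line: str):
    """Return a finding dict for a suspicious line, or None for benign/unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize(m.group("path"))
    findings = []
    if m.group("method") == "POST" and path.split("?")[0].endswith(RESTORE_ENDPOINT):
        findings.append("backup-restore POST")
    if BACKUP_DIR.lower() in path:
        findings.append("access to backup directory")
    if ".htaccess" in path:
        findings.append(".htaccess in request path")
    if "../" in path or "..\\" in path:
        findings.append("traversal sequence")
    if not findings:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": m.group("status"),
        "path": m.group("path"),
        "findings": findings,
    }


def scan(lines):
    """Run classify over an iterable of log lines and keep the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Apr/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Apr/2026:10:01:30 +0000] "POST /backup/restore.php HTTP/1.1" 302 0 "-" "curl/8.5.0"',
    '203.0.113.7 - - [07/Apr/2026:10:02:00 +0000] "GET /tmp_attach/ChurchCRMBackups/..%2F.htaccess HTTP/1.1" 403 199 "-" "curl/8.5.0"',
    '198.51.100.4 - - [07/Apr/2026:10:03:00 +0000] "GET /tmp_attach/ChurchCRMBackups/%252e%252e/.htaccess HTTP/1.1" 404 196 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["path"], "->", ", ".join(hit["findings"]))
```

To run it against a real log, replace SAMPLE_LOG with the lines of /var/log/apache2/access.log; anything flagged with a traversal sequence or .htaccess should be correlated with file-system changes in the backup directory and the web root.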
Exploit Status
EPSS
0.34% (57th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-35573 is to upgrade ChurchCRM to version 6.5.3 or later immediately. If upgrading is not immediately feasible, restrict who can reach the backup restore functionality and implement strict validation of the $rawUploadedFile['name'] parameter: reject any name containing a path separator or a .. segment, reject names beginning with a dot, and only write under the backup directory after resolving the final path and confirming it is still inside that directory. As a temporary workaround, set AllowOverride None for the web root so that Apache ignores uploaded .htaccess files (test this first, since applications that depend on .htaccess rewrite rules will break), or deny web access to /var/www/html/tmp_attach/ChurchCRMBackups/. After upgrading, verify the fix on a test instance by attempting a backup restore with a filename containing a traversal sequence such as ../ and confirming that nothing is written outside the backup directory.
Update ChurchCRM to version 6.5.3 or later to mitigate the path traversal vulnerability. The update fixes the problem by properly validating the names of uploaded files, removing the possibility of overwriting Apache .htaccess configuration files.
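What "strict validation of the uploaded filename" looks like in practice, as an added example (not ChurchCRM's code, and not the project's actual fix). It places the unsafe pattern, trusting the client-supplied name when building the target path, beside a hardened check that rejects separators, traversal segments, dotfiles and unexpected extensions, and then confirms the resolved path still lies under the backup root. The backup directory comes from the advisory text; the allowed extensions are an assumption for the demo.

```python
"""Validate a client-supplied backup filename before using it to build a path.
Added example; not ChurchCRM code. BACKUP_ROOT is taken from the advisory text,
ALLOWED_EXT is an assumption for the demo."""
import os
import re

BACKUP_ROOT = "/var/www/html/tmp_attach/ChurchCRMBackups"   # from the advisory text
ALLOWED_EXT = (".tar.gz", ".zip", ".sql")                   # assumption: adjust to what restore accepts
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def vulnerable_target(raw_name: str, root: str = BACKUP_ROOT) -> str:
    """The unsafe pattern: the client-controlled name goes straight into the path."""
    return os.path.join(root, raw_name)


def vulnerable_resolves_to(raw_name: str, root: str = BACKUP_ROOT) -> str:
    """Where the unsafe path actually lands once '..' segments are collapsed."""
    return os.path.normpath(vulnerable_target(raw_name, root))


def safe_target(raw_name: str, root: str = BACKUP_ROOT) -> str:
    """Return the path that may be written, or raise ValueError."""
    if "\x00" in raw_name:
        raise ValueError("NUL byte in filename")
    # Any directory component, on either separator, is a red flag: reject rather than strip.
    if raw_name.replace("\\", "/").rsplit("/", 1)[-1] != raw_name:
        raise ValueError("path separators in filename")
    if raw_name.startswith("."):
        raise ValueError("dotfiles not allowed")        # blocks .htaccess, .htpasswd, .env
    if not SAFE_NAME.match(raw_name):
        raise ValueError("filename has disallowed characters")
    if not raw_name.lower().endswith(ALLOWED_EXT):
        raise ValueError("unexpected extension")
    # Belt and braces: the resolved path must stay inside the backup root.
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, raw_name))
    if os.path.commonpath([root_real, target]) != root_real:
        raise ValueError("resolved path escapes backup directory")
    return target


def check(raw_name: str):
    """Convenience wrapper: (True, path) on accept, (False, reason) on reject."""
    try:
        return True, safe_target(raw_name)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed inputs for the demo, including the advisory's .htaccess overwrite case.
    for name in ["churchcrm-2026-04-07.tar.gz", "../../.htaccess", "..\\.htaccess",
                 ".htaccess", "shell.php", "backup.tar.gz\x00.php"]:
        print(repr(name), "unsafe ->", vulnerable_resolves_to(name), "| safe ->", check(name))
```

Rejecting rather than sanitising is deliberate: a name with a separator or traversal segment is never a legitimate backup filename, and silently trimming it hides an attack attempt that should be logged.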
CVE-2026-35573 is a critical Remote Code Execution vulnerability affecting ChurchCRM versions 6.5.0 through 6.5.2, allowing authenticated administrators to upload arbitrary files and execute code.
If you are running ChurchCRM version 6.5.0, 6.5.1, or 6.5.2, you are vulnerable to this RCE vulnerability. Upgrade to 6.5.3 immediately.
The recommended fix is to upgrade ChurchCRM to version 6.5.3 or later. As a temporary workaround, restrict file upload permissions and disable .htaccess overrides.
While no active exploitation campaigns have been publicly reported, the vulnerability's severity and ease of exploitation make it a likely target for attackers.
Refer to the ChurchCRM security advisory for detailed information and updates: [https://www.churchcrm.org/security/advisories](https://www.churchcrm.org/security/advisories)