CVE-2026-35574 describes a stored Cross-Site Scripting (XSS) vulnerability within ChurchCRM, an open-source church management system. This vulnerability allows authenticated users with note-adding permissions to inject malicious JavaScript code, impacting other users, including administrators. The vulnerability affects versions 6.5.0 through 6.5.2 and has been resolved in version 6.5.3.
An attacker exploiting this XSS vulnerability could execute arbitrary JavaScript code within the browsers of other ChurchCRM users. This presents a significant risk of session hijacking, allowing the attacker to impersonate legitimate users and gain unauthorized access to sensitive church member data. The potential impact extends to administrators, enabling privilege escalation and complete control over the ChurchCRM instance. Successful exploitation could lead to data breaches, defacement of the application, and disruption of church operations. While the vulnerability requires authentication, the ease of note creation in many ChurchCRM configurations could make it relatively accessible to malicious actors.
CVE-2026-35574 was publicly disclosed on 2026-04-07. No public proof-of-concept (POC) code has been released at the time of writing, but the XSS nature of the vulnerability makes it likely that a POC will emerge. The vulnerability is not currently listed on CISA KEV. Given the ease of exploitation inherent in XSS vulnerabilities, and the potential for data compromise, it is prudent to prioritize remediation.
Churches and religious organizations using ChurchCRM versions 6.5.0 through 6.5.2 are at direct risk. Organizations on shared hosting, or those that have granted note-adding permissions broadly to many users, are particularly exposed, because every account that can add a note is a potential injection point.
• php: Examine ChurchCRM logs for suspicious JavaScript code being injected into notes. Search for unusual characters or patterns commonly associated with XSS payloads.
grep -iF 'alert(' /var/log/churchcrm/error.log
• generic web: Monitor access logs for requests containing suspicious URL parameters or POST data that could be indicative of XSS attempts (standard access logs record the request line and query string but not POST bodies, so stored note content itself will not appear here).
grep -i '<script' /var/log/apache2/access.log
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2026-35574 is to immediately upgrade ChurchCRM to version 6.5.3 or later. If upgrading is not immediately feasible, consider implementing strict input validation and output encoding on all user-supplied data within the Note Editor. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review ChurchCRM configurations to ensure that note-adding permissions are granted only to authorized personnel.
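The output-encoding mitigation above, as an added illustration (this is not ChurchCRM's code; the note text, function names and markup are hypothetical): the same stored note is rendered once by string interpolation and once through an HTML-encoding boundary.

```php
<?php
// Added example, not ChurchCRM code. Shows why output encoding at render
// time neutralises a stored XSS payload in a note body.
declare(strict_types=1);

/** Vulnerable pattern: stored note text is interpolated straight into HTML. */
function renderNoteUnsafe(string $noteText): string
{
    return "<div class=\"note\">$noteText</div>";
}

/** Hardened pattern: HTML-encode at the output boundary, every time. */
function renderNoteSafe(string $noteText): string
{
    // ENT_QUOTES also encodes single quotes (needed inside attributes);
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    $encoded = htmlspecialchars(
        $noteText,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return "<div class=\"note\">$encoded</div>";
}

// Constructed sample note (a string literal, nothing is fetched or run):
// the kind of body a user with note-adding rights could have saved.
$storedNote = 'Visitor follow-up <script>document.title = 1</script> "quoted" & done';

// Unsafe output still contains a live <script> element.
echo renderNoteUnsafe($storedNote), PHP_EOL;

// Safe output turns < > " & into entities, so the browser shows the text
// instead of executing it.
echo renderNoteSafe($storedNote), PHP_EOL;

// Encode at output time, not at storage time: the raw note can then be
// encoded appropriately for other contexts (JSON, attributes, email) too.
// A Content-Security-Policy header limiting script sources is a useful
// second layer, but it does not replace encoding.
```

Run with `php example.php` to compare the two rendered strings.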
Upgrade ChurchCRM to version 6.5.3 or later to mitigate the XSS vulnerability. Be sure to back up your database before upgrading. Review the audit logs for any suspicious activity after the upgrade.
CVE-2026-35574 is a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM versions 6.5.0 through 6.5.2 that lets an authenticated user with note-adding permissions run JavaScript in other users' browsers.
You are affected if you are running ChurchCRM versions 6.5.0, 6.5.1, or 6.5.2. Upgrade to 6.5.3 to mitigate the risk.
Upgrade ChurchCRM to version 6.5.3 or later. Implement input validation and output encoding as an interim measure.
While no active exploitation has been confirmed, the XSS nature of the vulnerability suggests a high likelihood of exploitation if left unpatched.
Refer to the ChurchCRM security advisories on their official website or GitHub repository for the latest information.