CVE-2026-35574

ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM's Note Editor allows authenticated users with note-adding permissions to execute arbitrary JavaScript code in the context of other users' browsers, including administrators. This can lead to session hijacking, privilege escalation, and unauthorized access to sensitive church member data. This vulnerability is fixed in 6.5.3.

CVSS v3 7.3 HIGH

7.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.1 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-cx82-8xrh-7f5c	Exploit Vendor Advisory
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-cx82-8xrh-7f5c	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

History

16 Apr 2026, 17:49

Type	Values Removed	Values Added
CPE		cpe:2.3:a:churchcrm:churchcrm::::::::
First Time		Churchcrm churchcrm Churchcrm
References	~~() https://github.com/ChurchCRM/CRM/security/advisories/GHSA-cx82-8xrh-7f5c -~~	() https://github.com/ChurchCRM/CRM/security/advisories/GHSA-cx82-8xrh-7f5c - Exploit, Vendor Advisory

07 Apr 2026, 18:16

Type	Values Removed	Values Added
References	~~() https://github.com/ChurchCRM/CRM/security/advisories/GHSA-cx82-8xrh-7f5c -~~	() https://github.com/ChurchCRM/CRM/security/advisories/GHSA-cx82-8xrh-7f5c -

07 Apr 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-07 17:16

Updated : 2026-04-16 17:49

NVD link : CVE-2026-35574

Mitre link : CVE-2026-35574

CVE.ORG link : CVE-2026-35574

JSON object : View

Products Affected

churchcrm

churchcrm

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-35574", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.3}]}, "published": "2026-04-07T17:16:32.963", "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-cx82-8xrh-7f5c", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-cx82-8xrh-7f5c", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM's Note Editor allows authenticated users with note-adding permissions to execute arbitrary JavaScript code in the context of other users' browsers, including administrators. This can lead to session hijacking, privilege escalation, and unauthorized access to sensitive church member data. This vulnerability is fixed in 6.5.3."}], "lastModified": "2026-04-16T17:49:56.133", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5B1435CA-1370-4154-85E0-6AF1846DEEBD", "versionEndExcluding": "6.5.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}