
Churchcrm CVE-2026-35574

EUVD-2026-19772 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-07 security-advisories@github.com
7.3
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
7.3 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline (7 events, newest first)

Re-analysis Queued - Apr 16, 2026 - 17:52 - vuln.today - reason: cvss_changed
Analysis Updated - Apr 16, 2026 - 06:04 - EUVD-patch-fix - section: executive_summary
Re-analysis Queued - Apr 16, 2026 - 05:29 - backfill_euvd_patch - reason: patch_released
Patch available - Apr 16, 2026 - 05:29 - EUVD - version: 6.5.3
EUVD ID Assigned - Apr 07, 2026 - 17:22 - euvd - EUVD-2026-19772
Analysis Generated - Apr 07, 2026 - 17:22 - vuln.today
CVE Published - Apr 07, 2026 - 17:16 - nvd - HIGH 7.3

Description (GitHub Advisory)

ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM's Note Editor allows authenticated users with note-adding permissions to execute arbitrary JavaScript code in the context of other users' browsers, including administrators. This can lead to session hijacking, privilege escalation, and unauthorized access to sensitive church member data. This vulnerability is fixed in 6.5.3.

Analysis (AI-generated)

Stored XSS in ChurchCRM Note Editor enables authenticated users to execute arbitrary JavaScript in victims' browsers, leading to session hijacking and privilege escalation against administrators managing sensitive church member data. Affects ChurchCRM versions prior to 6.5.3. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticated user crafts malicious script in Note Editor
Delivery: Store XSS payload in database
Exploit: Admin views note containing payload
Execution: JavaScript executes in admin browser
Impact: Attacker hijacks session or escalates privileges

Vulnerability Assessment (AI-generated)

Exploitation: Requires an authenticated ChurchCRM user account with note-adding permissions on versions prior to 6.5.3. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: Real-world risk is moderate-to-high for ChurchCRM deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker with low-level authenticated access (such as a volunteer account with note-adding permissions) crafts a malicious note containing a JavaScript payload designed to steal session cookies or perform administrative actions. When a ChurchCRM administrator opens the Notes section to review or manage entries, the stored JavaScript executes in their browser context with full administrative privileges, silently transmitting their session token to the attacker's server. …
Remediation: Upgrade ChurchCRM to version 6.5.3 or later, which contains vendor-released fixes for the stored XSS vulnerability in the Note Editor. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI-generated)

Within 24 hours: inventory all ChurchCRM deployments and confirm current version status. …


CVE-2026-35574 vulnerability details – vuln.today
