How to fix CVE-2026-35575?

Within 24 hours: Identify all ChurchCRM deployments and confirm versions currently running (check for versions prior to 6.5.3). Immediately restrict group-creation privileges to only fully trusted administrators and disable this functionality where operationally feasible. Within 7 days: Audit all group objects created in the past 90 days for suspicious content or special characters in group names. Review administrator session logs for unexplained access patterns. Within 30 days: Upgrade ChurchCRM to version 6.5.3 or later as soon as vendor releases the patched version, or migrate to an alternative solution if patch timeline is unacceptable.

CVE-2026-35575

EUVD-2026-19773 HIGH

2026-04-07 GitHub_M

8.0

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Apr 07, 2026 - 18:00 euvd

EUVD-2026-19773

Analysis Generated

Apr 07, 2026 - 18:00 vuln.today

CVE Published

Apr 07, 2026 - 17:08 nvd

HIGH 8.0

Description

ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel’s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically when an administrator views the page. This enables attackers to steal the administrator’s session cookies, potentially leading to full administrative account takeover. This vulnerability is fixed in 6.5.3.

Analysis

Stored Cross-Site Scripting in ChurchCRM admin panel enables session hijacking and administrative account takeover through malicious group names. Authenticated users with group-creation privileges can inject JavaScript that executes when administrators view group listings, stealing session cookies. …

Remediation

Within 24 hours: Identify all ChurchCRM deployments and confirm versions currently running (check for versions prior to 6.5.3). Immediately restrict group-creation privileges to only fully trusted administrators and disable this functionality where operationally feasible. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +40

POC: 0

CVE-2026-35575 vulnerability details – vuln.today

Back

CVE-2026-35575

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-35575

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code