CVE-2026-35573
Published: 07 April 2026
Summary
CVE-2026-35573 is a critical-severity path traversal (CWE-22) vulnerability in ChurchCRM (vendor: ChurchCRM). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 33.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates path traversal by requiring validation and error handling of the user-controlled $rawUploadedFile['name'] parameter in the backup restore function.
Requires timely flaw remediation by upgrading to ChurchCRM 6.5.3, which fixes the vulnerability in RestoreJob.php.
Restricts file names in uploads to safe patterns without traversal characters like '../', preventing arbitrary file placement in the tmp_attach directory.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing web app (ChurchCRM) backup restore allows authenticated admins to overwrite .htaccess for RCE, directly enabling exploitation of public-facing application (T1190) and exploitation for privilege escalation from admin to server-level access (T1068).
NVD Description
ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows authenticated administrators to upload arbitrary files and achieve remote code execution by overwriting Apache .htaccess configuration files. The vulnerability exists in src/ChurchCRM/Backup/RestoreJob.php. The $rawUploadedFile['name'] parameter is user-controlled and allows uploading files with arbitrary names to /var/www/html/tmp_attach/ChurchCRMBackups/. This vulnerability is fixed in 6.5.3.
Deeper analysis
CVE-2026-35573 is a path traversal vulnerability (CWE-22, CWE-434) in the backup restore functionality of ChurchCRM, an open-source church management system. Versions prior to 6.5.3 are affected, specifically in the src/ChurchCRM/Backup/RestoreJob.php component. The issue stems from the user-controlled $rawUploadedFile['name'] parameter, which allows authenticated administrators to upload files with arbitrary names to the /var/www/html/tmp_attach/ChurchCRMBackups/ directory. This can lead to remote code execution by overwriting Apache .htaccess configuration files. The vulnerability has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Authenticated administrators with high privileges can exploit this vulnerability remotely with low complexity and no user interaction required. By crafting a malicious backup file upload, attackers can traverse paths to place arbitrary files in sensitive locations, such as overwriting .htaccess files to enable code execution on the server. Successful exploitation grants high confidentiality, integrity, and availability impacts, with a changed scope due to the potential for server-wide effects.
The vulnerability is fixed in ChurchCRM version 6.5.3. Security practitioners should upgrade to this version immediately. Additional details are available in the GitHub security advisory at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-r6cr-mvr9-f6wx.
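The mitigation bullets above (SI-10 input validation on the upload name, and restricting names to patterns without traversal characters) describe what a fix looks like but not how to enforce it. The following is an added example written for this page; it is not ChurchCRM's code and does not reproduce the 6.5.3 patch. It shows how a restore handler can treat a client-supplied upload name (the role $rawUploadedFile['name'] plays in the advisory) as an untrusted token and derive a destination path under a fixed directory. The function name safeRestorePath, the exception class, the allowed extension list and the use of the system temp directory in the demo loop are all assumptions made for illustration.

```php
<?php
// Added example, not ChurchCRM's own code. Validates an untrusted upload
// name before it is used to build a path under a fixed restore directory.
// Names below (safeRestorePath, UploadNameError) are hypothetical.

declare(strict_types=1);

final class UploadNameError extends RuntimeException {}

/**
 * Return the destination path for an uploaded backup, or throw if the
 * client-supplied name is not a plain file name the application accepts.
 * $uploadDir is the directory the application owns (assumed fixed, not
 * derived from request data).
 */
function safeRestorePath(string $userName, string $uploadDir): string
{
    // 1. NUL bytes are rejected first: basename() throws on them in PHP 8,
    //    and they would otherwise truncate the name at the filesystem layer.
    if ($userName === '' || strpos($userName, "\0") !== false) {
        throw new UploadNameError('empty name or NUL byte');
    }

    // 2. Any directory component is rejected rather than stripped: '..', '/'
    //    and '\' must not survive. basename() ignores '\' on Linux, so the
    //    backslash is checked explicitly.
    if ($userName !== basename($userName) || strpbrk($userName, "/\\") !== false) {
        throw new UploadNameError('name contains a path component');
    }

    // 3. Character allowlist. The first character must be alphanumeric, so a
    //    leading dot (and therefore '.htaccess') can never be produced, and
    //    '.' / '..' are excluded as a side effect.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $userName)) {
        throw new UploadNameError('name contains disallowed characters');
    }

    // 4. Only backup archive extensions are accepted (assumed list).
    if (!preg_match('/\.(zip|sql|tar\.gz)\z/i', $userName)) {
        throw new UploadNameError('not a backup archive extension');
    }

    // 5. Defence in depth: resolve the directory and confirm the final path is
    //    still inside it, so a later refactor cannot silently reopen the hole.
    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base)) {
        throw new UploadNameError('upload directory is unavailable');
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    $target = $prefix . $userName;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        throw new UploadNameError('resolved path escapes upload directory');
    }
    return $target;
}

// Constructed sample names: one legitimate archive and several names that
// a validator must refuse. The traversal forms mirror the advisory's
// description ('../' sequences aimed at .htaccess).
$samples = [
    'backup-2026-04.zip',     // accepted
    '../../.htaccess',        // rejected: path component
    '..\\..\\.htaccess',      // rejected: backslash
    '.htaccess',              // rejected: leading dot, no archive extension
    "evil.zip\0.htaccess",    // rejected: NUL byte
    'notes.php',              // rejected: extension not allowed
];

foreach ($samples as $name) {
    try {
        $path = safeRestorePath($name, sys_get_temp_dir());
        printf("%-26s -> accepted: %s\n", json_encode($name), $path);
    } catch (UploadNameError $e) {
        printf("%-26s -> rejected (%s)\n", json_encode($name), $e->getMessage());
    }
}
```

The order of the checks matters: the NUL check precedes basename() because PHP 8 raises a ValueError on NUL bytes, and the allowlist is evaluated on the raw name rather than on a sanitised copy, so a malformed name is refused outright instead of being rewritten into something that might still be unsafe. The realpath prefix check is redundant with the allowlist on purpose; it is the control that survives if someone later relaxes the character rules.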
Details
- CWE(s)