CVE-2026-35574
Published: 07 April 2026
Summary
CVE-2026-35574 is a high-severity stored Cross-site Scripting (CWE-79) vulnerability in ChurchCRM. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 11.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 directly addresses the insufficient input sanitization in the Note Editor by requiring validation of user inputs to prevent storage of malicious JavaScript payloads.
SI-15 mitigates execution of stored XSS by enforcing output filtering when rendering notes in users' browsers.
SI-2 ensures timely flaw remediation through patching ChurchCRM to version 6.5.3 or later, as recommended in the security advisory.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in public-facing web app (ChurchCRM) directly enables exploitation of the application (T1190) and execution of attacker-supplied JavaScript in victim browsers (T1059.007), facilitating session hijacking and privilege escalation.
NVD Description
ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM's Note Editor allows authenticated users with note-adding permissions to execute arbitrary JavaScript code in the context of other users' browsers, including administrators. This can lead to session hijacking, privilege escalation, and unauthorized access to sensitive church member data. This vulnerability is fixed in 6.5.3.
Deeper analysis
CVE-2026-35574 is a stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting ChurchCRM, an open-source church management system, in versions prior to 6.5.3. The flaw resides in the Note Editor component, where insufficient input sanitization allows malicious payloads to be stored and later rendered as executable JavaScript in users' browsers. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts with network accessibility but requiring low privileges and user interaction.
An authenticated attacker with note-adding permissions can exploit this by injecting arbitrary JavaScript code into a note, which persists and executes in the context of any other user's browser viewing that note, including administrators. Successful exploitation enables session hijacking, privilege escalation, and unauthorized access to sensitive church member data, potentially compromising the entire application's security for affected users.
The ChurchCRM security advisory at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-cx82-8xrh-7f5c confirms the issue and states that it is fully remediated in version 6.5.3, recommending immediate upgrades for all prior installations. No workarounds are detailed beyond patching.
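The two controls named above (SI-10 input validation and SI-15 output filtering), applied to note text as an added illustration that is not ChurchCRM's own code. It assumes notes are plain text; the length limit, the markup pattern and the sample rows are constructed for the example, and the scan function shows how a defender can list already-stored notes that deserve review.

```javascript
// SI-15: HTML-encode note text so the browser treats it as data, never markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// SI-10: treat a note as plain text and reject markup before it is stored.
// The pattern is deliberately conservative; a false positive is only a
// rejected note, never a stored payload. Returns { ok, reason }.
const NOTE_MAX_LEN = 4000; // assumed limit for this example, not a ChurchCRM value
const MARKUP_RE = /<\s*\/?\s*[a-z!]|javascript\s*:|on\w+\s*=/i;

function validateNote(text) {
  if (typeof text !== 'string') return { ok: false, reason: 'not a string' };
  if (text.length > NOTE_MAX_LEN) return { ok: false, reason: 'too long' };
  if (MARKUP_RE.test(text)) return { ok: false, reason: 'markup not allowed' };
  return { ok: true, reason: '' };
}

// Render path: always escape, even if a value slipped past validation.
// The output filter is what actually protects the viewing user's browser.
function renderNote(storedText) {
  return `<p class="note">${escapeHtml(storedText)}</p>`;
}

// Detection: scan stored notes (for instance after upgrading) and return the ids
// whose text would fail validation today, so they can be reviewed and cleaned.
function findSuspectNotes(notes) {
  return notes.filter((n) => !validateNote(n.text).ok).map((n) => n.id);
}

// Constructed sample rows, not real ChurchCRM data. Row 2 shows that ordinary
// punctuation such as "&" and "<3" is accepted and simply encoded on output.
const SAMPLE_NOTES = [
  { id: 1, text: 'Met with the Smith family about Sunday school.' },
  { id: 2, text: 'Thanks & prayers <3 from the youth group' },
  { id: 3, text: '<script>alert(1)</script>' },
  { id: 4, text: '<img src=x onerror="alert(1)">' },
];

console.log(findSuspectNotes(SAMPLE_NOTES)); // [ 3, 4 ]
console.log(renderNote(SAMPLE_NOTES[2].text));
```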
Details
- CWE(s)