CVE-2026-35575
Published: 07 April 2026
Summary
CVE-2026-35575 is a high-severity Cross-site Scripting (CWE-79) vulnerability in ChurchCRM (vendor: ChurchCRM). Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 13.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of user inputs in the group-creation feature to prevent injection of malicious JavaScript.
- SI-15 (Information Output Filtering): mandates filtering of information outputs when rendering group pages to block automatic execution of stored XSS payloads in administrators' browsers.
- Flaw remediation: ensures timely remediation of the specific flaw through patching to ChurchCRM version 6.5.3 or later.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in the web app enables privilege escalation via client-side JavaScript execution (T1068, T1059.007) and theft of the administrator's session cookies (T1539), leading to admin account takeover.
NVD Description
ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel's group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically when an administrator views the page. This enables attackers to steal the administrator's session cookies, potentially leading to full administrative account takeover. This vulnerability is fixed in 6.5.3.
Deeper analysis
CVE-2026-35575 is a Stored Cross-Site Scripting (Stored XSS) vulnerability in ChurchCRM, an open-source church management system, affecting versions prior to 6.5.3. The issue exists in the admin panel’s group-creation feature, where malicious JavaScript can be injected due to inadequate input validation and sanitization. It is associated with CWE-79 (Cross-Site Scripting) and CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag), earning a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
Any authenticated user with group-creation privileges can exploit this vulnerability by injecting malicious JavaScript during group creation. The payload is stored and executes automatically in an administrator’s browser when they view the affected page, allowing theft of the administrator’s session cookies and potentially enabling full administrative account takeover.
The vulnerability is fixed in ChurchCRM 6.5.3. Organizations should upgrade to this version or later to mitigate the issue. Additional details are available in the GitHub Security Advisory at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-gc8q-2gw7-qj7w.
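The two controls the analysis names (SI-10 input validation at group creation, SI-15 output encoding when the group page is rendered) and the CWE-1004 HttpOnly point, shown side by side with the vulnerable rendering pattern. This is an added PHP example, not ChurchCRM's own code; the function names are assumed and the submitted group name is a constructed input.

```php
<?php
// Added example, not ChurchCRM's code; function names are assumed.
declare(strict_types=1);
// CWE-1004: an HttpOnly session cookie is unreadable by page script, so even
// a successful XSS cannot exfiltrate it. Must be set before session_start().
function startHardenedSession(): void
{
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}
// SI-10: validate the group name when the group is created. Reject rather
// than "clean up": an allow-list leaves no encoding tricks to bypass.
function validateGroupName(string $name): string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100
        || !preg_match('/^[\p{L}\p{N} .,\'()-]+$/u', $name)) {
        throw new InvalidArgumentException('group name contains disallowed characters');
    }
    return $name;
}
// SI-15: encode on output. This is the real fix for stored XSS: whatever sits
// in the database reaches the administrator's browser as text, not markup.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
// Vulnerable pattern: the stored name is interpolated straight into HTML.
function renderGroupRowVulnerable(string $storedName): string
{
    return "<tr><td>$storedName</td></tr>";
}

// Hardened pattern: identical markup, stored name encoded.
function renderGroupRow(string $storedName): string
{
    return '<tr><td>' . e($storedName) . '</td></tr>';
}

startHardenedSession();
$submitted = 'Youth Choir <script>/* constructed */</script>'; // constructed input
echo renderGroupRowVulnerable($submitted), PHP_EOL; // <script> reaches the browser intact
echo renderGroupRow($submitted), PHP_EOL;           // &lt;script&gt; is displayed, not executed
try {
    validateGroupName($submitted);
} catch (InvalidArgumentException $ex) {
    echo 'rejected at creation: ', $ex->getMessage(), PHP_EOL;
}
```

Output encoding is the layer that actually closes the stored XSS; validation and HttpOnly reduce the blast radius if an encoding call is ever missed.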
Details
- CWE(s)