Cyber Resilience

CVE-2026-35575

High

Published: 07 April 2026
Modified: 09 April 2026
KEV Added: not listed
Patch: available (fixed in 6.5.3)
CVSS Score v3.1: 8.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (14.0th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-35575 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Churchcrm Churchcrm. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 14.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-35575 is a Stored Cross-Site Scripting (Stored XSS) vulnerability in ChurchCRM, an open-source church management system, affecting versions prior to 6.5.3. The issue exists in the admin panel’s group-creation feature, where malicious JavaScript can be injected due to inadequate input validation and sanitization. It is associated with CWE-79 (Cross-Site Scripting) and CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag), earning a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

Any authenticated user with group-creation privileges can exploit this vulnerability by injecting malicious JavaScript during group creation. The payload is stored and executes automatically in an administrator’s browser when they view the affected page, allowing theft of the administrator’s session cookies and potentially enabling full administrative account takeover.

The vulnerability is fixed in ChurchCRM 6.5.3. Organizations should upgrade to this version or later to mitigate the issue. Additional details are available in the GitHub Security Advisory at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-gc8q-2gw7-qj7w.

Vulnerability details

ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel’s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically when an administrator views the page. This enables attackers to steal the administrator’s session cookies, potentially leading to full administrative account takeover. This vulnerability is fixed in 6.5.3.

CWE(s): CWE-79 (Cross-Site Scripting), CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.007 JavaScript (tactic: Execution)
Adversaries may abuse various implementations of JavaScript for execution.
T1539 Steal Web Session Cookie (tactic: Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Stored XSS in the web application enables privilege escalation via client-side JavaScript execution (T1068, T1059.007) and direct session-cookie theft (T1539), leading to admin account takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39332 (same product: Churchcrm Churchcrm)
CVE-2026-39333 (same product: Churchcrm Churchcrm)
CVE-2026-35574 (same product: Churchcrm Churchcrm)
CVE-2026-35576 (same product: Churchcrm Churchcrm)
CVE-2026-39328 (same product: Churchcrm Churchcrm)
CVE-2026-35534 (same product: Churchcrm Churchcrm)
CVE-2026-35573 (same product: Churchcrm Churchcrm)
CVE-2025-68109 (same product: Churchcrm Churchcrm)
CVE-2026-24854 (same product: Churchcrm Churchcrm)
CVE-2026-39339 (same product: Churchcrm Churchcrm)

Affected Assets

Vendor: churchcrm
Product: churchcrm
Versions: ≤ 6.5.3

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10 Information Input Validation): Requires validation and sanitization of user inputs in the group-creation feature to prevent injection of malicious JavaScript.

prevent (SI-15 Information Output Filtering): Mandates filtering of information outputs when rendering group pages to block automatic execution of stored XSS payloads in administrators' browsers.

prevent (patching): Ensures timely remediation of the specific flaw through patching to ChurchCRM version 6.5.3 or later.
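The following is an added illustration of the two controls above (input validation on the group name and output encoding when the group page is rendered) together with the HttpOnly cookie attribute that CWE-1004 concerns. It is not ChurchCRM's code and is written in Python rather than the project's PHP; the function names, the allowlist policy, the cookie name SESSIONID and the sample group names are all constructed for the example. It shows the vulnerable rendering pattern (raw concatenation) beside the hardened one, and a check that a Set-Cookie header carries HttpOnly.

```python
import html
import re

# Constructed sample input (not data from ChurchCRM or the advisory): a
# harmless group name and one carrying a script tag in the name field.
SAMPLE_GROUP_NAMES = [
    "Youth Choir",
    "Choir <script>x()</script>",
]

# Hypothetical allowlist for a group name (SI-10 style input validation):
# word characters, spaces and a little punctuation, 1 to 100 characters.
# Note that & and ' are allowed, so validation alone is not enough; the
# value must still be encoded where it is rendered.
_GROUP_NAME_RE = re.compile(r"^[\w .,'&()-]{1,100}$")


def validate_group_name(name: str) -> bool:
    """Return True if the name fits the allowlist; '<' and '>' are rejected."""
    return bool(_GROUP_NAME_RE.fullmatch(name))


def render_group_row_unsafe(name: str) -> str:
    """Vulnerable pattern: a stored value is concatenated into HTML unencoded,
    so markup inside the name reaches the administrator's browser as markup."""
    return f"<td>{name}</td>"


def render_group_row(name: str) -> str:
    """Hardened pattern (SI-15 style output filtering): HTML-encode on output,
    regardless of whether the value was validated when it was stored."""
    return f"<td>{html.escape(name, quote=True)}</td>"


def session_cookie_header(session_id: str, cookie_name: str = "SESSIONID") -> str:
    """Build a Set-Cookie header value with HttpOnly (the CWE-1004 concern),
    plus Secure and SameSite=Lax. The cookie name is a placeholder."""
    return f"{cookie_name}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def has_httponly(set_cookie_value: str) -> bool:
    """Check a Set-Cookie header value for the HttpOnly attribute
    (attribute names are case-insensitive)."""
    attrs = [part.strip().lower() for part in set_cookie_value.split(";")[1:]]
    return "httponly" in attrs


if __name__ == "__main__":
    for name in SAMPLE_GROUP_NAMES:
        print(f"input:     {name!r}")
        print(f"validates: {validate_group_name(name)}")
        print(f"unsafe:    {render_group_row_unsafe(name)}")
        print(f"encoded:   {render_group_row(name)}")
    header = session_cookie_header("constructed-session-id")
    print(f"cookie:    {header} (HttpOnly present: {has_httponly(header)})")
```

Output encoding at the render site is the control that actually stops the stored payload from executing; the allowlist reduces what gets stored, and HttpOnly keeps script in the page from reading the session cookie via document.cookie but does not stop the script from running, so it is a second layer rather than a substitute for the first two.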
