CVE-2026-35574 Overview
CVE-2026-35574 is a stored Cross-Site Scripting (XSS) vulnerability affecting ChurchCRM, an open-source church management system. Prior to version 6.5.3, the Note Editor component allows authenticated users with note-adding permissions to inject and execute arbitrary JavaScript code in the context of other users' browsers, including administrators. This vulnerability can lead to session hijacking, privilege escalation, and unauthorized access to sensitive church member data.
Critical Impact
Authenticated attackers can inject malicious JavaScript that executes in administrator sessions, potentially leading to complete account takeover, data theft, and unauthorized access to sensitive personal information of church members.
Affected Products
- ChurchCRM versions prior to 6.5.3
Discovery Timeline
- 2026-04-07 - CVE-2026-35574 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35574
Vulnerability Analysis
This stored XSS vulnerability exists in ChurchCRM's Note Editor functionality. The application fails to properly sanitize user-supplied input when notes are created or edited, allowing malicious JavaScript code to be stored in the database. When other users, including administrators, view the affected notes, the malicious script executes within their browser session with the privileges of the viewing user.
The attack requires a low-privileged authenticated account with permissions to add notes—a common permission level in church management systems. Once the malicious payload is stored, it persists and executes each time a victim views the compromised note, making this a particularly dangerous attack vector in multi-user environments.
Root Cause
The vulnerability stems from insufficient input validation and output encoding in the Note Editor component (CWE-79). When note content is submitted, the application does not adequately sanitize HTML and JavaScript elements before storing them in the database. Similarly, when notes are rendered for display, the content is not properly encoded, allowing stored scripts to execute in the browser context.
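The following is an added illustration of the two halves of this root cause, written in Python for clarity; it is not ChurchCRM code and does not reproduce the project's Note Editor. The function names, the wrapper markup and the sample note text are constructed for the example. It contrasts interpolating stored note text straight into HTML with encoding it at output time, and shows why a tag-stripping "sanitizer" alone is not enough: an event-handler attribute survives the strip, whereas output encoding neutralises both.

```python
import html
import re

# Constructed sample: a note body as it would sit in the database if the
# editor stored user input without sanitizing it.
SAMPLE_NOTE = 'Visited family <script>alert(1)</script> <img src=x onerror="alert(2)">'

WRAP_OPEN = '<div class="note">'
WRAP_CLOSE = "</div>"


def render_note_unsafe(body: str) -> str:
    """Vulnerable pattern (CWE-79): the stored text is emitted as markup, so
    whatever was saved is parsed and executed by the viewer's browser."""
    return f"{WRAP_OPEN}{body}{WRAP_CLOSE}"


def strip_script_tags(body: str) -> str:
    """An insufficient input-side 'sanitizer': removes <script>...</script>
    only. Inline event handlers such as onerror= are left untouched."""
    return re.sub(r"(?is)<script\b.*?>.*?</script\s*>", "", body)


def render_note_safe(body: str) -> str:
    """Hardened pattern: encode at output time. <, >, &, and quotes become
    entities, so the browser displays the note literally instead of
    interpreting any part of it as a tag or attribute."""
    return f"{WRAP_OPEN}{html.escape(body, quote=True)}{WRAP_CLOSE}"


def note_body_has_markup(rendered: str) -> bool:
    """True when the text inside the wrapper still contains an unescaped '<',
    i.e. the browser would parse part of the note as a tag."""
    inner = rendered[len(WRAP_OPEN):-len(WRAP_CLOSE)]
    return "<" in inner


if __name__ == "__main__":
    print("unsafe   :", render_note_unsafe(SAMPLE_NOTE))
    print("stripped :", render_note_unsafe(strip_script_tags(SAMPLE_NOTE)))
    print("encoded  :", render_note_safe(SAMPLE_NOTE))
```

The stripped variant still carries the `onerror=` handler into the page, which is why the fix belongs at the output-encoding step (or in a real HTML sanitizer with an allow-list), not in a blacklist applied on input.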
Attack Vector
The attack is network-based and requires an authenticated user with note-adding permissions. The attacker crafts a note containing malicious JavaScript, which is then stored in the ChurchCRM database. When an administrator or another user views the malicious note, the JavaScript executes in their browser session.
The malicious script can perform actions such as stealing session cookies, performing actions on behalf of the victim, exfiltrating sensitive church member data, or escalating privileges by modifying user accounts. Since this is a stored XSS vulnerability, the attack persists and can affect multiple victims over time.
Detection Methods for CVE-2026-35574
Indicators of Compromise
- Unusual JavaScript patterns or <script> tags found within note content in the ChurchCRM database
- Unexpected outbound network connections from client browsers when viewing notes
- Session tokens appearing in HTTP Referer headers or being sent to external domains
- User reports of unexpected behavior when viewing specific notes
- Database entries containing script tags (<script>, including HTML-entity-encoded forms) or event handlers (onerror, onload, onclick)
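As an added example of turning the indicators above into a check that can be run over exported note content (it is not a ChurchCRM tool, and the table layout and sample rows are constructed for the illustration), the Python below scans a list of note rows for script tags, inline event handlers, javascript: URLs and embedded frames. It entity-decodes the text first so that encoded variants such as &lt;script&gt; are caught as well.

```python
import html
import re
from typing import Dict, List

# Indicator patterns matching the IoC list: script tags, inline event handlers,
# javascript: URLs and frame/object embeds. Applied to entity-decoded text.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript_url": re.compile(r"javascript\s*:", re.IGNORECASE),
    "frame_or_object": re.compile(r"<\s*(iframe|object|embed)\b", re.IGNORECASE),
}


def normalise(text: str) -> str:
    """Decode HTML entities (up to three rounds, to unwrap double encoding)
    and drop NUL bytes so that encoded payloads are matched like plain ones."""
    current, previous = text, None
    for _ in range(3):
        if current == previous:
            break
        previous, current = current, html.unescape(current)
    return current.replace("\x00", "")


def scan_note(text: str) -> List[str]:
    """Return the names of every indicator found in one note body."""
    decoded = normalise(text)
    return [name for name, pattern in INDICATORS.items() if pattern.search(decoded)]


def scan_notes(rows: List[Dict]) -> Dict[int, List[str]]:
    """Map note id -> indicators for every row that triggers at least one."""
    findings = {}
    for row in rows:
        hits = scan_note(row["text"])
        if hits:
            findings[row["id"]] = hits
    return findings


# Constructed sample rows standing in for a SELECT over the notes table.
SAMPLE_ROWS = [
    {"id": 101, "text": "Called the Smith family about Sunday volunteering."},
    {"id": 102, "text": "Donation received <script>alert(1)</script>"},
    {"id": 103, "text": "Follow-up &lt;img src=x onerror=alert(1)&gt; needed"},
    {"id": 104, "text": 'See <a href="javascript:void(0)">link</a>'},
    {"id": 105, "text": "Prayer request from John, ongoing treatment."},
]

if __name__ == "__main__":
    for note_id, hits in scan_notes(SAMPLE_ROWS).items():
        print(f"note {note_id}: {', '.join(hits)}")
```

Row 103 is only flagged because of the entity decoding step; without it the encoded `<img ... onerror=>` looks like harmless text. Ordinary prose containing a bare `<` (for example "attendance < 50") is not flagged, since every pattern requires a tag name, handler name or scheme after it.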
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block XSS payloads in POST requests to note-related endpoints
- Deploy browser-based Content Security Policy (CSP) headers to restrict inline script execution
- Enable SentinelOne Singularity to monitor for suspicious browser behavior and script injection attempts
- Review application logs for unusual patterns in note creation activities
Monitoring Recommendations
- Monitor ChurchCRM database tables for notes containing suspicious HTML/JavaScript content
- Implement real-time alerting for note entries containing script tags or JavaScript event handlers
- Track user session anomalies that may indicate session hijacking
- Review access logs for administrators viewing notes followed by unusual account activities
How to Mitigate CVE-2026-35574
Immediate Actions Required
- Upgrade ChurchCRM to version 6.5.3 or later immediately
- Audit existing notes in the database for malicious JavaScript content
- Review user accounts with note-adding permissions and revoke unnecessary access
- Implement Content Security Policy (CSP) headers to mitigate XSS impact
- Force session regeneration for all users after patching
Patch Information
The vulnerability is fixed in ChurchCRM version 6.5.3. Organizations should upgrade to this version or later to remediate the vulnerability. For detailed information about the security fix, refer to the GitHub Security Advisory.
Workarounds
- Temporarily restrict note-adding permissions to trusted administrators only until the patch is applied
- Implement a web application firewall (WAF) with XSS filtering rules in front of ChurchCRM
- Enable strict Content Security Policy headers to prevent inline script execution
- Manually sanitize existing note content in the database to remove any malicious scripts
- Consider placing ChurchCRM behind an authentication proxy with additional security controls
# Example Content Security Policy header configuration for Apache
# Add to .htaccess or httpd.conf (requires mod_headers to be enabled)
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';"
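Because the CSP workaround only helps if the deployed header actually forbids inline script, here is an added checker (Python, not part of ChurchCRM or the page's configuration) that parses a Content-Security-Policy value, works out the effective script-src (falling back to default-src as browsers do), and reports permissive sources. It also honours the rule that 'unsafe-inline' is ignored by CSP Level 2+ browsers when a nonce or hash source is present. The function names are this example's own; the header string tested is the one given above.

```python
from typing import Dict, List, Optional

# Source expressions that, for scripts, defeat the purpose of the policy.
PERMISSIVE_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}

# Keyword sources whose presence makes browsers ignore 'unsafe-inline'.
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}. Directives are
    ';'-separated; the first occurrence of a directive wins, as in browsers."""
    directives: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        directives.setdefault(name, sources)
    return directives


def effective_script_sources(directives: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src if present, else default-src; None means scripts are unrestricted."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src")


def script_weaknesses(header: str) -> List[str]:
    """Return a list of problems with the policy's control over script execution."""
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return ["no script-src or default-src: inline and remote scripts are unrestricted"]
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered)
    problems = []
    for src in lowered:
        if src == "'unsafe-inline'" and has_nonce_or_hash:
            continue  # ignored by CSP Level 2+ browsers when a nonce/hash is present
        if src in PERMISSIVE_SCRIPT_SOURCES:
            problems.append(f"effective script-src allows {src}")
    return problems


# The header recommended above, kept here so the checker can be run against it.
RECOMMENDED_HEADER = ("default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
                      "img-src 'self' data:; frame-ancestors 'none';")

if __name__ == "__main__":
    for label, hdr in [("recommended", RECOMMENDED_HEADER),
                       ("weak", "default-src 'self'; script-src 'self' 'unsafe-inline'")]:
        print(label, "->", script_weaknesses(hdr) or "no script weaknesses")
```

The checker deliberately looks only at script execution; 'unsafe-inline' in style-src, as in the header above, is tolerated there because it does not enable script. Run it against the value actually returned by the server, not the one in the config file, so that a proxy or a second `Header` directive overriding the policy is noticed.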
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.