Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35574

CVE-2026-35574: ChurchCRM Stored XSS Vulnerability

CVE-2026-35574 is a stored Cross-Site Scripting vulnerability in ChurchCRM's Note Editor that enables authenticated users to execute malicious JavaScript in other users' browsers. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2026-35574 Overview

CVE-2026-35574 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Note Editor component of ChurchCRM, an open-source church management system. Authenticated users with note-adding permissions can inject arbitrary JavaScript that executes in the browsers of other users, including administrators. Successful exploitation enables session hijacking, privilege escalation, and unauthorized access to sensitive church member data. The flaw affects all ChurchCRM versions prior to 6.5.3 and is resolved in release 6.5.3.

Critical Impact

Stored JavaScript executes in administrator sessions, enabling account takeover and exposure of member records.

Affected Products

  • ChurchCRM versions prior to 6.5.3
  • Component: Note Editor module
  • Fixed release: ChurchCRM 6.5.3

Discovery Timeline

  • 2026-04-07 - CVE-2026-35574 published to NVD
  • 2026-04-16 - Last updated in NVD database

Technical Details for CVE-2026-35574

Vulnerability Analysis

The vulnerability resides in ChurchCRM's Note Editor, which accepts user-supplied content and stores it for later rendering. The application fails to sanitize or encode HTML and JavaScript payloads before persisting the note and serving it back to viewers. When another user, including an administrator, opens the affected record, the injected script executes within the authenticated session context. This grants the attacker the privileges of the victim.

Because the payload is stored server-side, exploitation does not require crafted URLs or social engineering. Any user with permission to view the note becomes a target. The scope change reflected in the CVSS vector (S:C) indicates that script execution crosses trust boundaries within the application.

Root Cause

The root cause is missing output encoding and insufficient input validation on note content. User input is rendered as HTML without neutralizing script tags, event handlers, or JavaScript URIs. This is a classic stored XSS pattern categorized under [CWE-79].

Attack Vector

An authenticated user with note-adding permissions submits a note containing malicious JavaScript. The payload persists in the database. When a privileged user views the note, the browser executes the script. The attacker can exfiltrate session cookies, perform actions on behalf of the victim, modify configuration, or extract member records through the application's authenticated endpoints.

No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-cx82-8xrh-7f5c for additional technical context.

Detection Methods for CVE-2026-35574

Indicators of Compromise

  • Note records containing <script>, onerror=, onload=, or javascript: strings stored in the ChurchCRM database.
  • Outbound HTTP requests from administrator browsers to unfamiliar domains shortly after viewing a note.
  • Unexpected session activity such as new admin accounts or modified user permissions following note views.

Detection Strategies

  • Audit the ChurchCRM notes table for HTML or JavaScript syntax in stored content fields.
  • Inspect web server access logs for POST requests to note creation endpoints followed by GET requests from privileged accounts.
  • Enable Content Security Policy (CSP) violation reporting to capture inline script execution attempts.

Monitoring Recommendations

  • Monitor authentication logs for session anomalies such as concurrent logins or impossible-travel events for administrator accounts.
  • Track changes to user roles and permissions, which are common post-exploitation actions for XSS-driven privilege escalation.
  • Alert on unusual data export volume from member record endpoints.

How to Mitigate CVE-2026-35574

Immediate Actions Required

  • Upgrade ChurchCRM to version 6.5.3 or later without delay.
  • Review all existing notes for previously injected malicious payloads and remove them.
  • Force a password reset and session invalidation for administrator accounts that may have viewed untrusted notes.

Patch Information

ChurchCRM resolved this vulnerability in version 6.5.3. The fix introduces proper output encoding for note content. Patch details are published in the ChurchCRM GitHub Security Advisory GHSA-cx82-8xrh-7f5c.

Workarounds

  • Restrict note-adding permissions to a minimal set of fully trusted users until the upgrade is applied.
  • Deploy a web application firewall rule to block requests containing common XSS payloads targeting note endpoints.
  • Implement a strict Content Security Policy that disallows inline scripts and untrusted script sources.
bash
# Example CSP header to mitigate inline script execution
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.