CVE-2026-35574 Overview
CVE-2026-35574 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Note Editor component of ChurchCRM, an open-source church management system. Authenticated users with note-adding permissions can inject arbitrary JavaScript that executes in the browsers of other users, including administrators. Successful exploitation enables session hijacking, privilege escalation, and unauthorized access to sensitive church member data. The flaw affects all ChurchCRM versions prior to 6.5.3 and is resolved in release 6.5.3.
Critical Impact
Stored JavaScript executes in administrator sessions, enabling account takeover and exposure of member records.
Affected Products
- ChurchCRM versions prior to 6.5.3
- Component: Note Editor module
- Fixed release: ChurchCRM 6.5.3
Discovery Timeline
- 2026-04-07 - CVE-2026-35574 published to NVD
- 2026-04-16 - Last updated in the NVD database
Technical Details for CVE-2026-35574
Vulnerability Analysis
The vulnerability resides in ChurchCRM's Note Editor, which accepts user-supplied content and stores it for later rendering. The application fails to sanitize or encode HTML and JavaScript payloads before persisting the note and serving it back to viewers. When another user, including an administrator, opens the affected record, the injected script executes within the authenticated session context. This grants the attacker the privileges of the victim.
Because the payload is stored server-side, exploitation does not require crafted URLs or social engineering. Any user with permission to view the note becomes a target. The scope change reflected in the CVSS vector (S:C) indicates that script execution crosses trust boundaries within the application.
Root Cause
The root cause is missing output encoding and insufficient input validation on note content. User input is rendered as HTML without neutralizing script tags, event handlers, or JavaScript URIs. This is a classic stored XSS pattern categorized under [CWE-79].
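The contrast between the two rendering paths described above, shown as an added Python example (not ChurchCRM code; the project is written in PHP, and nothing here reproduces its templates). The sample note is constructed and its markup is inert, so the difference is visible only in what an HTML parser builds from each output. The hardened path applies the class of fix the advisory attributes to 6.5.3, encoding on output, using html.escape; the parser-based check is an assumption about how to measure "would execute", not part of the advisory.

```python
import html
from html.parser import HTMLParser

# Constructed sample note (not real ChurchCRM data). The markup is inert: it only
# touches document.title and calls an undefined function, which is enough to show
# whether a rendering path lets it reach the browser as code rather than text.
SAMPLE_NOTE = (
    'Visited the family on Tuesday. <script>document.title="marker"</script> '
    '<a href="javascript:probe()" onclick="probe()">follow-up</a>'
)


def render_note_vulnerable(note_text):
    """The CWE-79 pattern the advisory describes: stored note text is interpolated
    into the page verbatim, so tags, event handlers and javascript: URIs in it
    become live markup when another user views the record."""
    return f'<div class="note">{note_text}</div>'


def render_note_hardened(note_text):
    """Output encoding at render time. html.escape turns < > & " ' into entities,
    so the browser shows the note as text and nothing in it can form a tag or an
    attribute. quote=True matters if the same value ever lands in an attribute."""
    return f'<div class="note">{html.escape(note_text, quote=True)}</div>'


class _TagCollector(HTMLParser):
    """Record every start tag with its attributes, i.e. the elements a browser's
    parser would build from the fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_elements(rendered_html):
    """Elements a parser sees in the rendered fragment, excluding the trusted
    wrapper div that the template itself emits."""
    collector = _TagCollector()
    collector.feed(rendered_html)
    collector.close()
    return [(tag, attrs) for tag, attrs in collector.tags if tag != "div"]


def would_execute_script(rendered_html):
    """True if the fragment contains anything a browser would run: a script
    element, an on* event-handler attribute, or a javascript: URI in href/src."""
    for tag, attrs in parsed_elements(rendered_html):
        if tag == "script":
            return True
        for name, value in attrs.items():
            if name.startswith("on"):
                return True
            if name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                return True
    return False


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_note_vulnerable),
                            ("hardened", render_note_hardened)):
        out = renderer(SAMPLE_NOTE)
        print(f"{label}: executes={would_execute_script(out)} elements={parsed_elements(out)}")
```

Escaping on output is sufficient when notes are plain text. If the editor is meant to store rich text, the same check still applies, but the fix becomes an allowlist HTML sanitizer at render time rather than blanket escaping.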
Attack Vector
An authenticated user with note-adding permissions submits a note containing malicious JavaScript. The payload persists in the database. When a privileged user views the note, the browser executes the script. The attacker can exfiltrate session cookies, perform actions on behalf of the victim, modify configuration, or extract member records through the application's authenticated endpoints.
No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-cx82-8xrh-7f5c for additional technical context.
Detection Methods for CVE-2026-35574
Indicators of Compromise
- Note records containing <script>, onerror=, onload=, or javascript: strings stored in the ChurchCRM database.
- Outbound HTTP requests from administrator browsers to unfamiliar domains shortly after viewing a note.
- Unexpected session activity such as new admin accounts or modified user permissions following note views.
Detection Strategies
- Audit the ChurchCRM notes table for HTML or JavaScript syntax in stored content fields.
- Inspect web server access logs for POST requests to note creation endpoints followed by GET requests from privileged accounts.
- Enable Content Security Policy (CSP) violation reporting to capture inline script execution attempts.
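The first two detection strategies above, the notes-table audit and the access-log sequence check, as an added Python example rather than anything shipped with ChurchCRM. The indicator patterns come from the Indicators of Compromise list, generalized to any on*= event-handler attribute. The note rows and log lines are constructed; the request paths (/NoteEditor.php, /PersonView.php) and the populated Apache %u user field are assumptions to replace with what your own deployment logs.

```python
import re
from datetime import datetime, timedelta

# Patterns for the indicators the advisory lists (<script>, onerror=, onload=,
# javascript:), generalized so any on*= event-handler attribute is caught.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
}

# Constructed rows standing in for (id, author, text) pulled from the notes table.
SAMPLE_NOTES = [
    (1, "jdoe", "Called about Sunday service; will attend."),
    (2, "jdoe", 'Follow up <img src=x onerror="probe()">'),
    (3, "mlee", 'Family page: <a href="JavaScript:probe()">here</a>'),
    (4, "mlee", "Prayer request <script>document.title=1</script>"),
]


def audit_notes(rows):
    """Return [(note_id, author, [indicator names])] for every row whose text
    matches at least one indicator."""
    hits = []
    for note_id, author, text in rows:
        matched = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if matched:
            hits.append((note_id, author, matched))
    return hits


# Assumed request paths; replace with the ones your ChurchCRM instance logs.
NOTE_CREATE_PATH = "/NoteEditor.php"
NOTE_VIEW_PATHS = ("/NoteEditor.php", "/PersonView.php")

# Apache combined log format with the %u (remote user) field populated. Lines are
# constructed; a deployment that authenticates by session cookie would need the
# username joined in from the application's own log first.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SAMPLE_LOG = """\
10.0.0.5 - jdoe [10/Apr/2026:09:12:01 +0000] "POST /NoteEditor.php HTTP/1.1" 302 0
10.0.0.5 - jdoe [10/Apr/2026:09:12:02 +0000] "GET /PersonView.php?PersonID=12 HTTP/1.1" 200 4120
10.0.0.9 - admin [10/Apr/2026:10:40:17 +0000] "GET /PersonView.php?PersonID=12 HTTP/1.1" 200 4388
10.0.0.9 - admin [11/Apr/2026:08:00:00 +0000] "GET /index.php HTTP/1.1" 200 2100
"""


def parse_access_log(text):
    """Return (timestamp, user, method, path-without-query) for each parsable line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m["user"], m["method"], m["path"].split("?", 1)[0]))
    return events


def correlate_note_views(events, privileged_users, window=timedelta(hours=24)):
    """Flag each note-creation POST by a non-privileged user that is followed
    within `window` by a privileged user's GET of a note-viewing path.
    Returns [(author, post_time, [privileged viewers])]."""
    posts = [(ts, u) for ts, u, m, p in events
             if m == "POST" and p == NOTE_CREATE_PATH and u not in privileged_users]
    views = [(ts, u) for ts, u, m, p in events
             if m == "GET" and p in NOTE_VIEW_PATHS and u in privileged_users]
    alerts = []
    for post_ts, author in posts:
        viewers = sorted({u for ts, u in views if post_ts <= ts <= post_ts + window})
        if viewers:
            alerts.append((author, post_ts, viewers))
    return alerts


if __name__ == "__main__":
    for hit in audit_notes(SAMPLE_NOTES):
        print("note", hit)
    for alert in correlate_note_views(parse_access_log(SAMPLE_LOG), {"admin"}):
        print("sequence", alert)
```

The sequence check is a triage aid, not proof of exploitation: a flagged POST-then-GET pair only says that a privileged account viewed something after an untrusted note was created, so pair it with the content audit on the note itself before treating the viewing account's session as compromised.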
Monitoring Recommendations
- Monitor authentication logs for session anomalies such as concurrent logins or impossible-travel events for administrator accounts.
- Track changes to user roles and permissions, which are common post-exploitation actions for XSS-driven privilege escalation.
- Alert on unusual data export volume from member record endpoints.
How to Mitigate CVE-2026-35574
Immediate Actions Required
- Upgrade ChurchCRM to version 6.5.3 or later without delay.
- Review all existing notes for previously injected malicious payloads and remove them.
- Force a password reset and session invalidation for administrator accounts that may have viewed untrusted notes.
Patch Information
ChurchCRM resolved this vulnerability in version 6.5.3. The fix introduces proper output encoding for note content. Patch details are published in the ChurchCRM GitHub Security Advisory GHSA-cx82-8xrh-7f5c.
Workarounds
- Restrict note-adding permissions to a minimal set of fully trusted users until the upgrade is applied.
- Deploy a web application firewall rule to block requests containing common XSS payloads targeting note endpoints.
- Implement a strict Content Security Policy that disallows inline scripts and untrusted script sources.
# Example CSP header to mitigate inline script execution
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
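A check for whether a deployed Content-Security-Policy value actually meets the bar the workaround sets, as an added Python example (not part of the advisory or of ChurchCRM). It parses the header value the way browsers do for the directives that matter here, flags the settings that would still let stored script run, and shows the policy above beside a constructed weak one. The fallback rules it relies on (script-src and object-src fall back to default-src; base-uri does not) are standard CSP behaviour.

```python
# Sources that make script-src (or its default-src fallback) effectively open.
BROAD_SOURCES = {"*", "http:", "https:", "data:"}
HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# The policy from the workaround above, and a constructed weak policy for contrast.
STRICT_POLICY = ("default-src 'self'; script-src 'self'; object-src 'none'; "
                 "base-uri 'self'; frame-ancestors 'self'")
WEAK_POLICY = "script-src 'self' 'unsafe-inline' https:; img-src *"


def parse_csp(header_value):
    """Split a CSP header value into {directive: [source tokens]}. Directive
    names are case-insensitive, and browsers honour only the first occurrence
    of a repeated directive, so the first one wins here as well."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def check_csp(header_value):
    """Return a list of findings describing why the policy would still let
    injected script run. An empty list means it meets the workaround's bar:
    no inline script, no broad script sources, plugins and base URI locked."""
    policy = parse_csp(header_value)
    findings = []

    # script-src falls back to default-src; with neither present, anything goes.
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append("no script-src or default-src: inline and remote scripts are allowed")
    else:
        has_nonce_or_hash = any(s.startswith(HASH_OR_NONCE_PREFIXES) for s in script_src)
        if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
            findings.append("script-src permits 'unsafe-inline' with no nonce or hash overriding it")
        if "'unsafe-eval'" in script_src:
            findings.append("script-src permits 'unsafe-eval'")
        for source in script_src:
            if source in BROAD_SOURCES:
                findings.append(f"script-src includes broad source {source}")

    # object-src also falls back to default-src; plugin content is another script vector.
    object_src = policy.get("object-src", policy.get("default-src"))
    if object_src is None or "*" in object_src:
        findings.append("object-src is unrestricted; set object-src 'none'")

    # base-uri has no fallback: without it an injected <base> can redirect relative script URLs.
    if "base-uri" not in policy:
        findings.append("base-uri is missing; set base-uri 'self' or 'none'")

    return findings


if __name__ == "__main__":
    for name, value in (("strict", STRICT_POLICY), ("weak", WEAK_POLICY)):
        print(name, check_csp(value) or "OK")
```

A script-src limited to 'self' blocks every inline script, legitimate ones included, so roll the policy out first as Content-Security-Policy-Report-Only with a report endpoint, confirm that no application pages break, and only then switch to the enforcing header. The same report endpoint is what the CSP violation reporting strategy in the Detection section relies on.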
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


