CVE-2026-35575 Overview
ChurchCRM, an open-source church management system, contains a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel's group-creation feature. Prior to version 6.5.3, any user with group-creation privileges can inject malicious JavaScript that executes automatically when an administrator views the page. This enables attackers to steal the administrator's session cookies, potentially leading to full administrative account takeover.
Critical Impact
Successful exploitation allows attackers with limited privileges to escalate to full administrative access by stealing session cookies when an administrator views the malicious group entry.
Affected Products
- ChurchCRM versions prior to 6.5.3
- ChurchCRM installations with group-creation features enabled
- All deployments where non-administrative users have group-creation privileges
Discovery Timeline
- April 7, 2026 - CVE-2026-35575 published to NVD
- April 9, 2026 - Last updated in NVD database
Technical Details for CVE-2026-35575
Vulnerability Analysis
This Stored XSS vulnerability exists in the group-creation feature of ChurchCRM's admin panel. When users with group-creation privileges submit group information, the application fails to properly sanitize or encode user-supplied input before storing it in the database and subsequently rendering it on administrative pages.
The attack requires network access and only low privileges (group-creation rights), and it also requires user interaction: an administrator must view the page containing the malicious payload. Once triggered, the injected JavaScript executes in the context of the administrator's browser session, granting the attacker access to sensitive session data, including authentication cookies.
Root Cause
The vulnerability stems from insufficient input validation and output encoding in the group-creation workflow. When group data is saved to the database, malicious script content is accepted without sanitization. When this data is later rendered on administrative pages, the application fails to properly escape special characters, allowing the stored JavaScript to execute in the victim's browser context (CWE-79: Improper Neutralization of Input During Web Page Generation).
Attack Vector
The attack leverages network-accessible functionality within ChurchCRM. An attacker with group-creation privileges crafts a malicious group entry containing a JavaScript payload in one of the input fields. When an administrator navigates to the group list or to the specific malicious entry, the stored script executes in their browser session.
The malicious JavaScript can then access the administrator's session cookies and exfiltrate them to an attacker-controlled server. With valid session cookies, the attacker can impersonate the administrator and gain full control over the ChurchCRM installation, including access to sensitive congregation data, financial records, and system configuration.
Detection Methods for CVE-2026-35575
Indicators of Compromise
- Unusual JavaScript patterns in group name or description fields within the ChurchCRM database
- Outbound network requests from administrator browsers to unexpected external domains
- Session cookies being transmitted to unauthorized endpoints
- Unexpected administrative actions occurring without legitimate administrator login
- Audit log entries showing administrative operations from unusual IP addresses or during off-hours
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect XSS payloads in form submissions
- Monitor database content for suspicious script tags or JavaScript event handlers in group-related tables
- Enable Content Security Policy (CSP) headers to detect and block inline script execution
- Review application logs for unusual group creation patterns or suspicious input content
- Deploy browser-based security monitoring to detect cookie exfiltration attempts
Monitoring Recommendations
- Enable comprehensive logging for all group-creation and modification activities
- Implement real-time alerting for administrative session anomalies
- Monitor for multiple failed authentication attempts followed by successful logins with stolen sessions
- Track outbound connections from client browsers accessing administrative interfaces
- Regularly audit group entries for suspicious content patterns
How to Mitigate CVE-2026-35575
Immediate Actions Required
- Upgrade ChurchCRM to version 6.5.3 or later immediately
- Audit existing group entries in the database for malicious JavaScript content
- Invalidate all active administrative sessions and force password resets
- Review audit logs for signs of exploitation or unauthorized administrative access
- Implement Content Security Policy (CSP) headers to mitigate XSS impact
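As an added example (not ChurchCRM's own code), the following Python script performs the database audit called for above (flagging script tags, event-handler attributes and javascript: URIs in group name and description fields) and shows the output-encoding step that the CWE-79 fix requires; the record layout and column names are assumed placeholders, not the project's schema, and the sample rows are constructed.

```python
import html
import re

# Constructed sample records standing in for rows of the group table.
# Column names are assumed placeholders, not ChurchCRM's real schema.
SAMPLE_GROUPS = [
    {"id": 1, "name": "Choir", "description": "Sunday morning choir"},
    {"id": 2, "name": "Youth <script>document.title='constructed test'</script>",
     "description": "Friday youth meeting"},
    {"id": 3, "name": "Ushers",
     "description": "<img src=x onerror=\"console.log('constructed test')\">"},
    {"id": 4, "name": "Links", "description": "<a href='javascript:void(0)'>site</a>"},
]

# Patterns that indicate active content in a field that should hold plain text.
SUSPICIOUS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("html-tag", re.compile(r"<\s*/?[a-z][^>]*>", re.I)),
]


def audit_group(record):
    """Return a list of (field, pattern_name) hits for one group record."""
    hits = []
    for field in ("name", "description"):
        value = record.get(field) or ""
        for label, pattern in SUSPICIOUS:
            if pattern.search(value):
                hits.append((field, label))
    return hits


def audit_groups(records):
    """Map each flagged record id to its hits; clean records are omitted."""
    return {r["id"]: audit_group(r) for r in records if audit_group(r)}


def render_group_row(record):
    """Escape on output (the CWE-79 fix): encode each field for an HTML text context."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(record["name"], quote=True),
        html.escape(record["description"], quote=True),
    )


if __name__ == "__main__":
    for gid, hits in audit_groups(SAMPLE_GROUPS).items():
        print(f"group {gid}: {hits}")
```

Rendering a flagged record through render_group_row yields inert text such as `&lt;script&gt;`, which is what a patched template must emit; the audit alone only tells you which stored rows need review.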
Patch Information
The vulnerability has been addressed in ChurchCRM version 6.5.3. Organizations should upgrade to this version or later to remediate the vulnerability. For detailed information about the fix, refer to the GitHub Security Advisory.
Workarounds
- Temporarily restrict group-creation privileges to trusted administrators only until the patch is applied
- Implement a Web Application Firewall (WAF) with XSS detection rules in front of ChurchCRM
- Deploy Content Security Policy (CSP) headers with strict script-src directives to prevent inline script execution
- Enable HttpOnly and Secure flags on session cookies to limit the impact of cookie theft; note that HttpOnly stops injected script from reading the cookie but does not stop it from issuing requests as the administrator while the page is open
- Consider placing ChurchCRM behind a VPN or IP whitelist to reduce the attack surface
# Example Apache configuration to add security headers (requires mod_headers)
# Add to .htaccess or virtual host configuration. Roll the policy out as
# Content-Security-Policy-Report-Only first: a strict script-src breaks any
# page that depends on inline scripts, so verify reports before enforcing.
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
# X-XSS-Protection is a legacy header that current browsers ignore; CSP above carries the real protection
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.