CVE-2026-35573
Status: Received - Intake
Path Traversal in ChurchCRM Backup Allows Remote Code Execution

Publication date: 2026-04-07

Last updated on: 2026-04-10

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows authenticated administrators to upload arbitrary files and achieve remote code execution by overwriting Apache .htaccess configuration files. The vulnerability exists in src/ChurchCRM/Backup/RestoreJob.php. The $rawUploadedFile['name'] parameter is user-controlled and allows uploading files with arbitrary names to /var/www/html/tmp_attach/ChurchCRMBackups/. This vulnerability is fixed in 6.5.3.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-10
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: churchcrm
Product: churchcrm
Version / Range: up to 6.5.3 (exclusive)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-35573 is a critical vulnerability in ChurchCRM versions up to 6.5.2 that allows authenticated administrators to perform remote code execution. The issue arises from a path traversal flaw in the backup restore functionality, where user-supplied filenames are not properly sanitized. This allows an attacker to upload arbitrary files, including malicious .htaccess files, to a specific directory on the server.

By uploading a crafted .htaccess file, attackers can override Apache's PHP execution restrictions, enabling them to upload and execute PHP webshells. This leads to full control over the web server, allowing execution of arbitrary code.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows authenticated administrators to achieve remote code execution on the ChurchCRM server, leading to full server compromise and access to sensitive church data and financial records.

Such unauthorized access and potential data breaches could result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive personal and financial information against unauthorized access and ensuring data integrity and availability.

Therefore, exploitation of this vulnerability could lead to violations of these common standards and regulations due to the exposure and potential misuse of protected data.


How can this vulnerability impact me?

This vulnerability can lead to complete compromise of the affected server. An attacker who authenticates as an administrator can execute arbitrary code with web server privileges, potentially gaining full control over the system.

  • Access to sensitive church data and financial records.
  • Ability to move laterally within the network, increasing the scope of the attack.
  • Disruption of confidentiality, integrity, and availability of the system.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

Exploitation can be detected by checking for unauthorized or suspicious files in the directory /var/www/html/tmp_attach/ChurchCRMBackups/, especially files named .htaccess or PHP scripts that an authenticated administrator may have uploaded through the backup restore feature.

You can also review web server logs for unusual HTTP requests that might indicate execution of uploaded PHP files.

  • List files in the backup upload directory to find suspicious files: ls -la /var/www/html/tmp_attach/ChurchCRMBackups/
  • Search for .htaccess files that could override Apache settings: find /var/www/html/tmp_attach/ChurchCRMBackups/ -name ".htaccess"
  • Check for recently modified or created files in the directory: find /var/www/html/tmp_attach/ChurchCRMBackups/ -type f -mtime -7
  • Review Apache access logs for suspicious PHP file executions: grep ".php" /var/log/apache2/access.log
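The checks above, carried out by two small functions, as an added example that is not part of this advisory or of ChurchCRM's own code; the backup directory and the URL prefix /tmp_attach/ChurchCRMBackups/ are assumptions taken from the advisory text (docroot /var/www/html), and both can be overridden by arguments:

```shell
#!/bin/sh
# Added example, not from the advisory or the ChurchCRM project: defender-side
# checks for the backup upload directory named in the advisory. The directory
# and URL prefix are assumptions (docroot /var/www/html); pass your own paths.

BACKUP_DIR_DEFAULT=/var/www/html/tmp_attach/ChurchCRMBackups

# Print files in the backup directory that should never be there: .htaccess
# overrides and anything Apache may execute as PHP. Returns 0 if any were
# found, 1 if the directory is clean, 2 if it does not exist.
scan_backup_dir() {
    dir="${1:-$BACKUP_DIR_DEFAULT}"
    [ -d "$dir" ] || { echo "scan_backup_dir: no such directory: $dir" >&2; return 2; }
    hits=$(find "$dir" -type f \( -name '.htaccess' -o -name '*.php' \
           -o -name '*.php[0-9]' -o -name '*.phtml' -o -name '*.phar' \) -print)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Print Apache access-log lines that requested a PHP-like file under the
# backup path (the sign that an uploaded script was executed). Returns 0 if
# any line matched, 1 otherwise.
find_php_hits_in_log() {
    log="${1:-/var/log/apache2/access.log}"
    grep -E '"(GET|POST|HEAD) [^" ]*/tmp_attach/ChurchCRMBackups/[^" ]*\.ph(p[0-9]?|tml|ar)[? "]' "$log"
}

# Constructed sample log lines (not real traffic) for exercising the log check:
# only the second line is a request for a PHP file under the backup path.
SAMPLE_LOG='203.0.113.5 - - [07/Apr/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [07/Apr/2026:10:03:44 +0000] "GET /tmp_attach/ChurchCRMBackups/restore.php HTTP/1.1" 200 64
203.0.113.5 - - [07/Apr/2026:10:03:50 +0000] "GET /tmp_attach/ChurchCRMBackups/backup.tar.gz HTTP/1.1" 200 9000'
```

Run `scan_backup_dir` from cron and alert on a zero exit status; `find_php_hits_in_log` is deliberately narrow, so a broader review of the log is still worthwhile.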

What immediate steps should I take to mitigate this vulnerability?

The immediate and most effective mitigation is to upgrade ChurchCRM to version 6.5.3 or later, where this vulnerability is fixed.

Until the upgrade can be applied, restrict administrator access to the backup restore functionality to trusted users only.

Manually inspect and remove any unauthorized .htaccess files or PHP webshells from the /var/www/html/tmp_attach/ChurchCRMBackups/ directory.

Harden Apache configuration to prevent execution of PHP files in the backup upload directory by disabling overrides or PHP execution in that path.

Monitor logs for suspicious activity and consider temporarily disabling the backup restore feature if possible.

