CVE-2026-35574
Stored XSS in ChurchCRM Note Editor Enables Session Hijacking
Publication date: 2026-04-07
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | up to 6.5.3 (6.5.3 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35574 is a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM versions up to 6.5.2, specifically in the Note Editor functionality. Authenticated users with permission to add notes can inject arbitrary JavaScript into note fields because the application neither sanitizes the input on the way in nor encodes it on the way out. The injected code is stored in the database and runs in the browsers of other users, including administrators, whenever they view the affected notes.
The vulnerability arises from improper neutralization of input during web page generation (CWE-79). Exploitation involves inserting crafted payloads, such as base64-encoded JavaScript embedded in image tags, which execute when the note is rendered.
How can this vulnerability impact me?
- It can lead to session hijacking, allowing attackers to take over user sessions.
- It can cause privilege escalation, enabling low-privilege users to gain administrator access.
- Attackers can gain unauthorized access to sensitive church member data, including confidential information and financial or donation records.
- It can result in account takeover and potential malware distribution.
- Overall, it compromises data confidentiality and integrity, leading to reputational damage.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
- This vulnerability can cause violations of regulatory compliance requirements such as GDPR and CCPA by enabling unauthorized disclosure of confidential information.
- The unauthorized access and potential data breaches resulting from this vulnerability undermine the data protection obligations mandated by these standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of malicious JavaScript payloads in the Note Editor fields of ChurchCRM profiles. Since exploitation involves authenticated users with note-adding permissions injecting crafted scripts, reviewing notes for suspicious HTML or JavaScript code is essential.
One approach is to query the database for notes containing suspicious markup, such as `<img>` tags with `onerror` attributes or base64-encoded scripts.
Example SQL command to find notes with potential XSS payloads:
- `SELECT * FROM notes WHERE note_content LIKE '%<img%onerror=%';`
Additionally, monitoring HTTP traffic for unusual script loads or unexpected JavaScript execution in user browsers can help detect exploitation attempts.
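A defender-side triage script, added here as an illustration and not part of this CVE record or of ChurchCRM: it applies the checks described above (event-handler attributes, `javascript:` URLs, script tags, and base64 `data:` URIs that are decoded and re-scanned) to exported note bodies. The note rows are constructed samples, and the `id`/`text` field names are assumptions; the page does not give the real ChurchCRM table or column names, so export from whichever table holds the notes.

```python
import base64
import html
import re

SCRIPT_TAG = re.compile(r"<\s*script\b", re.I)
EVENT_HANDLER = re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I | re.S)
URL_ATTR = re.compile(r"\b(?:href|src|action)\s*=\s*[\"']?([^\"'\s>]+)", re.I)
B64_DATA_URI = re.compile(r"data:[^,;]*;base64,([A-Za-z0-9+/=]+)", re.I)

# Constructed sample rows; the id/text field names are assumed, not ChurchCRM's schema.
SAMPLE_NOTES = [
    {"id": 1, "text": "Visited the Smith family; follow up next week."},
    {"id": 2, "text": '<img src="x" onerror="alert(1)">'},
    {"id": 3, "text": '<a href="JavaScript:alert(1)">member profile</a>'},
    {"id": 4, "text": '<img src="data:text/html;base64,'
     + base64.b64encode(b"<script>alert(1)</script>").decode() + '">'},
    {"id": 5, "text": "Prayer list: <b>Jones</b> &amp; family"},
]


def scan_note(text: str, depth: int = 0) -> list[str]:
    """Return the names of the XSS indicators found in one note body."""
    found: list[str] = []
    if SCRIPT_TAG.search(text):
        found.append("script_tag")
    if EVENT_HANDLER.search(text):
        found.append("event_handler")
    for value in URL_ATTR.findall(text):
        # Browsers decode entities and drop leading control characters before
        # resolving the URL scheme, so normalise the same way before comparing.
        cleaned = re.sub(r"[\x00-\x20]", "", html.unescape(value)).lower()
        if cleaned.startswith("javascript:"):
            found.append("javascript_uri")
            break
    if depth < 2:  # decode base64 data: URIs and re-scan what they carry
        for blob in B64_DATA_URI.findall(text):
            try:
                decoded = base64.b64decode(blob).decode("utf-8", "ignore")
            except ValueError:  # bad padding / not valid base64
                continue
            nested = scan_note(decoded, depth + 1)
            if nested:
                found.append("base64_data_uri(" + ",".join(nested) + ")")
    return found


def find_suspicious_notes(notes: list[dict]) -> dict[int, list[str]]:
    """Map note id -> indicators for every note that trips at least one check."""
    scanned = ((n["id"], scan_note(n["text"])) for n in notes)
    return {note_id: hits for note_id, hits in scanned if hits}
```

The `LIKE '%<img%onerror=%'` query above is a useful first pass, but it is a literal match; the normalisation and base64 decoding here flag notes that a literal match does not.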
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade ChurchCRM to version 6.5.3 or later, where the vulnerability has been fixed by implementing proper input sanitization and output encoding in the Note Editor.
Until the upgrade is applied, restrict note-adding permissions to trusted users only to reduce the risk of malicious script injection.
Additionally, review and sanitize existing notes to remove any suspicious or malicious scripts.
Implement monitoring for unusual user behavior and potential signs of session hijacking or privilege escalation.