CVE-2026-35574
Received - Intake
Stored XSS in ChurchCRM Note Editor Enables Session Hijacking

Publication date: 2026-04-07

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM's Note Editor allows authenticated users with note-adding permissions to execute arbitrary JavaScript code in the context of other users' browsers, including administrators. This can lead to session hijacking, privilege escalation, and unauthorized access to sensitive church member data. This vulnerability is fixed in 6.5.3.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-16
Generated: 2026-06-16
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 1 associated CPE
Vendor: churchcrm
Product: churchcrm
Version / Range: up to 6.5.3 (excluding 6.5.3)
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-35574 is a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM versions up to 6.5.2, specifically in the Note Editor functionality. Authenticated users with permission to add notes can inject arbitrary JavaScript code into note fields because the application does not properly sanitize or encode input and output. This malicious code is stored in the database and executed in the browsers of other users, including administrators, when they view the affected notes.

The vulnerability arises from improper neutralization of input during web page generation (CWE-79). Exploitation involves inserting crafted payloads, such as base64-encoded JavaScript embedded in image tags, which execute when the note is rendered.

Impact Analysis

This vulnerability can lead to session hijacking, allowing attackers to take over user sessions.

It can cause privilege escalation, enabling low-privilege users to gain administrator access.

Attackers can gain unauthorized access to sensitive church member data, including confidential information and financial or donation records.

It can result in account takeover and potential malware distribution.

Overall, it compromises data confidentiality and integrity, leading to reputational damage.

Compliance Impact

This vulnerability can cause violations of regulatory compliance requirements such as GDPR and CCPA by enabling unauthorized disclosure of confidential information.

The unauthorized access and potential data breaches resulting from this vulnerability undermine data protection obligations mandated by these standards.

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious JavaScript payloads in the Note Editor fields of ChurchCRM profiles. Since exploitation involves authenticated users with note-adding permissions injecting crafted scripts, reviewing notes for suspicious HTML or JavaScript code is essential.

One approach is to query the database for notes containing suspicious markup, such as <img> tags carrying onerror attributes or base64-encoded data: URIs in place of an image source.

Example SQL command to find notes with potential XSS payloads:

  • SELECT * FROM notes WHERE note_content LIKE '%<img%onerror=%';

Additionally, monitoring HTTP traffic for unusual script loads or unexpected JavaScript execution in user browsers can help detect exploitation attempts.
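As an added example (not part of this record and not ChurchCRM's own code), the Python scanner below generalizes the LIKE query above: instead of matching only `<img ... onerror=`, it parses each stored note as HTML and flags script-capable elements, any `on*` event-handler attribute, and `javascript:`/`data:` URIs in link or source attributes. The rows are constructed samples standing in for a `SELECT id, note_content FROM notes` export; the table and column names are assumed, exactly as in the query above, and must be checked against the deployed schema.

```python
"""Flag stored note HTML that can carry script (CWE-79 triage helper)."""
from html.parser import HTMLParser
import re

# Elements that can execute or load script on their own.
SUSPICIOUS_TAGS = {"script", "iframe", "object", "embed", "svg", "math"}
# Attributes whose value is dereferenced as a URI by the browser.
URI_ATTRS = {"src", "href", "xlink:href", "formaction", "action", "data"}
# javascript:/vbscript: run code; data: is flagged for review (may be a legitimate inline image).
URI_SCHEME = re.compile(r"^\s*(javascript|vbscript|data):", re.IGNORECASE)


class NoteScanner(HTMLParser):
    """Collects human-readable findings for one note body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    # HTMLParser lowercases tag and attribute names; self-closing tags
    # (<img ... />) also reach this hook via the default handle_startendtag.
    def handle_starttag(self, tag, attrs):
        if tag in SUSPICIOUS_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URI_ATTRS and value and URI_SCHEME.match(value):
                self.findings.append(f"script/data URI in {name} on <{tag}>")


def scan_note(html):
    """Return the list of findings for a single note body (empty if clean)."""
    parser = NoteScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_notes(rows):
    """rows: iterable of (note_id, note_content). Returns [(note_id, findings)] for hits only."""
    return [(nid, hits) for nid, body in rows if (hits := scan_note(body))]


# Constructed sample rows; the base64 payload in row 4 is the placeholder "QUJD" ("ABC"), not script.
SAMPLE_NOTES = [
    (1, "Met with the family on Sunday; follow up next week."),
    (2, '<p>Visit log</p><img src="x" onerror="/* attacker-controlled */">'),
    (3, '<a href="JavaScript:void(0)">link</a>'),
    (4, '<img src="data:image/svg+xml;base64,QUJD">'),
    (5, "<b>Bold</b> and <i>italic</i> formatting only"),
]

if __name__ == "__main__":
    for nid, hits in scan_notes(SAMPLE_NOTES):
        print(nid, hits)
```

Hits should be reviewed by a person before deletion; a data: URI or an unusual tag is a signal for review, not proof of exploitation.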

Mitigation Strategies

The immediate mitigation step is to upgrade ChurchCRM to version 6.5.3 or later, where the vulnerability has been fixed by implementing proper input sanitization and output encoding in the Note Editor.

Until the upgrade is applied, restrict note-adding permissions to trusted users only to reduce the risk of malicious script injection.

Additionally, review and sanitize existing notes to remove any suspicious or malicious scripts.

Implement monitoring for unusual user behavior and potential signs of session hijacking or privilege escalation.
