Executive Summary

CVE-2026-35575 is a Stored Cross-Site Scripting (Stored XSS) vulnerability in the ChurchCRM application, specifically in the admin panel's group-creation feature. Users with group-creation privileges can inject malicious JavaScript code into the group name field. This malicious script executes automatically when an administrator views the affected page.

Because the administrator's session cookies lack the HttpOnly flag, the injected script can steal these cookies. An attacker can then use the stolen cookies to take over the administrator's account, gaining full administrative control.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows low-privilege users to escalate their privileges to full administrative access by stealing administrator session cookies. This can lead to unauthorized access to sensitive administrative information and the ability to modify or delete data.

• Compromise of confidentiality: attackers can access all administrative data.
• Compromise of integrity: attackers can modify all data within the system.
• Compromise of availability: attackers can disrupt user accounts and services, for example by changing other users' passwords.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers to steal administrator session cookies and gain full administrative control, compromising confidentiality, integrity, and availability of sensitive data within the ChurchCRM system.

Such a compromise could lead to unauthorized access to personal and sensitive information managed by the system, potentially violating data protection regulations like GDPR and HIPAA that require safeguarding personal data against unauthorized access and ensuring system integrity.

Specifically, the ability to escalate privileges and modify or access all administrative data increases the risk of data breaches, which must be reported under these regulations and could result in legal and financial penalties.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for malicious JavaScript code injected into the group names within the admin panel of ChurchCRM versions up to 6.5.2. Specifically, look for suspicious scripts in the group-creation feature that execute when an administrator views the page.

Since the exploit involves stealing administrator session cookies due to missing HttpOnly flags, monitoring HTTP traffic for unusual requests or outgoing connections to attacker-controlled domains after an admin views group pages can help detect exploitation.

Suggested commands include using web application scanning tools or manual inspection of the group names in the database for embedded JavaScript code. For example, querying the database for group names containing script tags or suspicious payloads.

• SQL query example to find suspicious group names: SELECT * FROM groups WHERE group_name LIKE '%<script>%';
• Use network monitoring tools (e.g., tcpdump, Wireshark) to capture HTTP traffic and filter for unusual outbound requests after admin panel access.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade ChurchCRM to version 6.5.3 or later, where this Stored XSS vulnerability in the group-creation feature has been fixed.

Until the upgrade can be applied, restrict group-creation privileges to trusted users only, as the vulnerability requires group-creation privileges to exploit.

Additionally, monitor and sanitize any existing group names in the system to remove any malicious scripts.

Consider implementing security best practices such as setting the HttpOnly flag on session cookies to prevent JavaScript access.

Useful 0 Not Useful 0