{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35573", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T20:09:02.827Z", "datePublished": "2026-04-07T17:06:07.161Z", "dateUpdated": "2026-04-08T18:49:46.996Z"}, "containers": {"cna": {"title": "ChurchCRM has a Path traversal leads to RCE", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-r6cr-mvr9-f6wx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-r6cr-mvr9-f6wx"}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"version": "< 6.5.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:06:07.161Z"}, "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows authenticated administrators to upload arbitrary files and achieve remote code execution by overwriting Apache .htaccess configuration files. The vulnerability exists in src/ChurchCRM/Backup/RestoreJob.php. The $rawUploadedFile['name'] parameter is user-controlled and allows uploading files with arbitrary names to /var/www/html/tmp_attach/ChurchCRMBackups/. This vulnerability is fixed in 6.5.3."}], "source": {"advisory": "GHSA-r6cr-mvr9-f6wx", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-r6cr-mvr9-f6wx", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T18:49:42.771781Z", "id": "CVE-2026-35573", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:49:46.996Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35573", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T18:49:42.771781Z"}}}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-r6cr-mvr9-f6wx", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:49:36.855Z"}}], "cna": {"title": "ChurchCRM has a Path traversal leads to RCE", "source": {"advisory": "GHSA-r6cr-mvr9-f6wx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"status": "affected", "version": "< 6.5.3"}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-r6cr-mvr9-f6wx", "name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-r6cr-mvr9-f6wx", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows authenticated administrators to upload arbitrary files and achieve remote code execution by overwriting Apache .htaccess configuration files. The vulnerability exists in src/ChurchCRM/Backup/RestoreJob.php. The $rawUploadedFile['name'] parameter is user-controlled and allows uploading files with arbitrary names to /var/www/html/tmp_attach/ChurchCRMBackups/. This vulnerability is fixed in 6.5.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:06:07.161Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35573", "state": "PUBLISHED", "dateUpdated": "2026-04-08T18:49:46.996Z", "dateReserved": "2026-04-03T20:09:02.827Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T17:06:07.161Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "5B1435CA-1370-4154-85E0-6AF1846DEEBD", "versionEndExcluding": "6.5.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows authenticated administrators to upload arbitrary files and achieve remote code execution by overwriting Apache .htaccess configuration files. The vulnerability exists in src/ChurchCRM/Backup/RestoreJob.php. The $rawUploadedFile['name'] parameter is user-controlled and allows uploading files with arbitrary names to /var/www/html/tmp_attach/ChurchCRMBackups/. This vulnerability is fixed in 6.5.3."}], "id": "CVE-2026-35573", "lastModified": "2026-04-10T20:59:20.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T18:16:41.760", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-r6cr-mvr9-f6wx"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-r6cr-mvr9-f6wx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.5.3)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "CRM", "source": "cna", "vendor": "ChurchCRM"}, "product": "churchcrm", "vendor": "churchcrm"}], "analysis": {"en": {"generated_at": "2026-04-10T23:36:48.891882+00:00", "value": {"mitigation_remediation": ["Apply the official ChurchCRM update to version 6.5.3 or later.", "Restrict the backup restore feature to trusted administrators only, or disable it if not needed.", "Ensure the temporary directory (/var/www/html/tmp_attach/ChurchCRMBackups/) has permissions that prevent public web access.", "Monitor the temporary directory for unexpected or suspicious file uploads and contains alerts for policy violations."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via Path Traversal"}, "threat_synthesis": {"affected_systems": "ChurchCRM installations running any version prior to 6.5.3 are affected. The vulnerability resides in src/ChurchCRM/Backup/RestoreJob.php and is present regardless of whether the system is running on Linux, Windows, or other operating systems, although the specific server environment is not detailed in the advisory.", "description_and_impact": "A flaw in ChurchCRM\u2019s backup restore feature allows an authenticated administrator to upload files with arbitrary names. The uploaded file is written to the temporary directory /var/www/html/tmp_attach/ChurchCRMBackups/. By choosing a malicious filename such as a crafted .htaccess file, the attacker can alter Apache configuration and execute arbitrary code, completely compromising the host. The weakness is a classic path traversal (CWE\u201122) combined with unsafe file upload (CWE\u2011434).", "risk_and_exploitability": "The CVSS score of 9.1 indicates a severe threat. The EPSS score is below 1%, suggesting that, so far, exploitation attempts have been rare, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires authenticated administrator access; an attacker who obtains or compromises such credentials can upload the malicious file and trigger execution through the altered .htaccess. The impact includes loss of confidentiality, integrity, and availability, potentially leading to full system takeover. Operating\u2011system\u2011specific details are not provided, so any potential mitigations based on OS cannot be evaluated from the available data."}}}}, "created": "2026-04-08T19:47:30.908267+00:00", "updated": "2026-04-13T14:26:43.767285+00:00", "vendors": ["churchcrm", "churchcrm$PRODUCT$churchcrm"]}