{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35575", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T20:09:02.827Z", "datePublished": "2026-04-07T17:08:43.354Z", "dateUpdated": "2026-04-07T18:35:14.962Z"}, "containers": {"cna": {"title": "ChurchCRM has Stored XSS in Group Name", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1004", "lang": "en", "description": "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-gc8q-2gw7-qj7w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-gc8q-2gw7-qj7w"}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"version": "< 6.5.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:08:43.354Z"}, "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel\u2019s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically when an administrator views the page. This enables attackers to steal the administrator\u2019s session cookies, potentially leading to full administrative account takeover. This vulnerability is fixed in 6.5.3."}], "source": {"advisory": "GHSA-gc8q-2gw7-qj7w", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T18:35:07.315321Z", "id": "CVE-2026-35575", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T18:35:14.962Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "5B1435CA-1370-4154-85E0-6AF1846DEEBD", "versionEndExcluding": "6.5.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel\u2019s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically when an administrator views the page. This enables attackers to steal the administrator\u2019s session cookies, potentially leading to full administrative account takeover. This vulnerability is fixed in 6.5.3."}], "id": "CVE-2026-35575", "lastModified": "2026-04-09T18:47:25.823", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T18:16:42.077", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-gc8q-2gw7-qj7w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-1004"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.5.3)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 81.0, "source": "matching"}]}, "original": {"product": "CRM", "source": "cna", "vendor": "ChurchCRM"}, "product": "churchcrm", "vendor": "churchcrm"}], "analysis": {"en": {"generated_at": "2026-04-09T21:08:04.700831+00:00", "value": {"mitigation_remediation": ["Upgrade ChurchCRM to version 6.5.3 or later, where the stored XSS issue is fixed.", "Restrict the ability to create groups to trusted administrators only.", "Enforce input validation or sanitization on the group name field in the admin panel.", "Ensure session cookies are transmitted over HTTPS and are marked as Secure and HttpOnly."], "summary": {"action": "Immediate Patch", "impact": "Administrative Account Compromise"}, "threat_synthesis": {"affected_systems": "All ChurchCRM releases prior to 6.5.3 are affected. The vulnerability resides in the admin interface\u2019s group\u2011creation feature and requires that the attacker has permissions to create groups.", "description_and_impact": "The CVE describes a stored cross\u2011site scripting flaw in the group\u2011creation form of ChurchCRM\u2019s admin panel. An attacker who can create a group can embed malicious JavaScript into the group name field. When an administrator later views the page containing the stored data, the script executes in the administrator\u2019s browser under their credentials. The injected code can capture the administrator\u2019s session cookie, enabling a full administrative account takeover.", "risk_and_exploitability": "The CVSS score of 8.0 signals high severity, while the EPSS score of less than 1% indicates a low expected exploitation frequency. The flaw is not listed in the CISA KEV catalog. Exploitation requires that the attacker attain group\u2011creation privileges, after which the insertion of malicious code is straightforward and the attack vector is local to the administrative interface. Successful exploitation would compromise administrative privileges, allowing the attacker to read and modify sensitive data and potentially launch further attacks within the system."}}}}, "created": "2026-04-08T19:47:27.849378+00:00", "updated": "2026-04-10T09:41:25.212340+00:00", "vendors": ["churchcrm", "churchcrm$PRODUCT$churchcrm"]}