Stored XSS Vulnerability in ChurchCRM Affects User Data Security
CVE-2026-35574

7.3 HIGH

Key Information:

Vendor

Churchcrm

Status
Vendor
CVE Published:
7 April 2026

What is CVE-2026-35574?

A stored Cross-Site Scripting (XSS) vulnerability has been identified in ChurchCRM's Note Editor, affecting all versions prior to 6.5.3. It allows authenticated users with note-adding permissions to store arbitrary JavaScript that executes in the browsers of other users who view the note, including administrators. The resulting risks include session hijacking, privilege escalation, and unauthorized access to sensitive information about church members. The issue has been addressed in version 6.5.3; upgrading to that version or later removes the vulnerability.
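The rendering pattern behind a stored XSS like this one, beside its hardened form, as an added example that is not ChurchCRM's code: the note text, the two render functions and the cookie settings are constructed for illustration and do not reproduce the project's actual Note Editor implementation.

```php
<?php
// Added example, not ChurchCRM code. Shows the stored-XSS pattern the advisory
// describes and the output-encoding fix. All names and data are constructed.
declare(strict_types=1);

// Constructed note text of the kind a user with note-adding rights could save:
// harmless-looking prose followed by markup carrying an event handler.
const STORED_NOTE = 'Visited on Sunday <img src=x onerror="alert(document.cookie)">';

// Vulnerable pattern: stored text is concatenated straight into HTML, so any
// markup the note's author typed becomes live DOM for every viewer.
function renderNoteVulnerable(string $note): string
{
    return '<div class="note">' . $note . '</div>';
}

// Hardened pattern: HTML-encode at the point of output. ENT_QUOTES also covers
// attribute contexts; ENT_SUBSTITUTE keeps malformed UTF-8 from turning the
// whole note into an empty string.
function renderNoteSafe(string $note): string
{
    $escaped = htmlspecialchars($note, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="note">' . $escaped . '</div>';
}

// Defence in depth for the session-hijacking impact the advisory names: an
// HttpOnly session cookie stays unreadable from script even if an XSS fires.
function hardenSessionCookie(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
    ]);
}

// Compare the two outputs: only the hardened one leaves the handler inert.
echo renderNoteVulnerable(STORED_NOTE), PHP_EOL;
echo renderNoteSafe(STORED_NOTE), PHP_EOL;
```

If notes are meant to carry rich text, escaping alone would break that feature; the equivalent fix is to run stored HTML through an allow-list sanitizer before output rather than trusting it as-is.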

Affected Version(s)

CRM < 6.5.3

References

CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
