PT-2026-30940 · Churchcrm · Churchcrm
Uartu0 · Published 2026-04-07 · Updated 2026-04-07 · CVE-2026-35573
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 6.5.3
Description: ChurchCRM, an open-source church management system, contains a path traversal flaw in its backup restore functionality. An authenticated administrator can exploit it to write files outside the intended backup directory and potentially achieve remote code execution, for example by overwriting Apache .htaccess configuration files. The flaw is in src/ChurchCRM/Backup/RestoreJob.php: the client-supplied filename, $rawUploadedFile['name'], is used without sanitisation when the uploaded backup is stored under /var/www/html/tmp_attach/ChurchCRMBackups/, so a name containing ../ sequences escapes that directory. Because the attack requires administrator privileges (PR:H) but crosses from the application into the web server's configuration, the vector carries a changed scope (S:C).
Recommendations: Update ChurchCRM to version 6.5.3 or later.
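The pattern behind the advisory, as an added illustration that is not ChurchCRM's code: the unsafe construction of a destination path from the client-supplied upload name, next to a hardened version that keeps only the base name, restricts it to an allow-list, and verifies the resolved parent directory before writing. The directory name, the function names and the $rawUploadedFile arrays are constructed for the demo and are assumptions, not the project's actual variables.

```php
<?php
declare(strict_types=1);

// Added illustration, not ChurchCRM's code. $uploadDir and the
// $rawUploadedFile arrays below are constructed for the demo.

// Unsafe: the browser-controlled filename is concatenated straight into the
// destination path, so a name such as "../../.htaccess" leaves the backups
// directory and lands in the web root.
function unsafeTargetPath(string $uploadDir, array $rawUploadedFile): string
{
    return $uploadDir . '/' . $rawUploadedFile['name'];
}

// Hardened: keep only the last path component, allow a narrow character set
// plus known backup extensions, then confirm the resolved parent directory
// is the upload directory itself.
function safeTargetPath(string $uploadDir, array $rawUploadedFile): string
{
    $name = basename((string) $rawUploadedFile['name']);

    // Letters, digits, "-" and "_" only, followed by an expected extension.
    // This rejects hidden files (".htaccess"), "..", and stray extensions.
    if (!preg_match('/^[A-Za-z0-9_-]+\.(tar\.gz|sql\.gz|zip)$/', $name)) {
        throw new InvalidArgumentException('rejected backup filename: ' . $name);
    }

    $base = realpath($uploadDir);
    if ($base === false) {
        throw new RuntimeException('upload directory missing: ' . $uploadDir);
    }

    $target = $base . DIRECTORY_SEPARATOR . $name;

    // realpath() returns false for a file that does not exist yet, so resolve
    // the parent directory instead and require it to be exactly $base.
    if (realpath(dirname($target)) !== $base) {
        throw new RuntimeException('destination escapes upload directory: ' . $target);
    }
    return $target;
}

// Stores the upload only after the name passes. move_uploaded_file() refuses
// any source path that PHP did not itself receive through an HTTP upload.
function storeBackupUpload(string $uploadDir, array $rawUploadedFile): string
{
    if (($rawUploadedFile['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error ' . $rawUploadedFile['error']);
    }
    $target = safeTargetPath($uploadDir, $rawUploadedFile);
    if (!move_uploaded_file($rawUploadedFile['tmp_name'], $target)) {
        throw new RuntimeException('could not move upload to ' . $target);
    }
    return $target;
}

// Demo with constructed input; no real HTTP upload takes place here.
$uploadDir = sys_get_temp_dir() . '/ChurchCRMBackups';
if (!is_dir($uploadDir) && !mkdir($uploadDir, 0700, true)) {
    exit("cannot create $uploadDir\n");
}
$malicious = ['name' => '../../.htaccess', 'tmp_name' => '/tmp/phpXXXXXX', 'error' => UPLOAD_ERR_OK];
$benign    = ['name' => 'ChurchCRM-2026-04-07.tar.gz', 'tmp_name' => '/tmp/phpYYYYYY', 'error' => UPLOAD_ERR_OK];

echo 'unsafe: ', unsafeTargetPath($uploadDir, $malicious), PHP_EOL;
foreach ([$malicious, $benign] as $upload) {
    try {
        echo 'safe:   ', safeTargetPath($uploadDir, $upload), PHP_EOL;
    } catch (Throwable $e) {
        echo 'safe:   rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Run it with `php example.php`; the unsafe helper happily returns a path ending in `/../../.htaccess`, while the hardened one rejects that name and accepts the benign one. storeBackupUpload() is shown but not called, since it needs a genuine upload in $_FILES. The .htaccess step of the attack chain also depends on Apache honouring per-directory overrides inside the upload tree, so serving the upload directory with `AllowOverride None` is a worthwhile defence-in-depth measure independent of the application fix.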

Weakness Enumeration: Unrestricted File Upload; Path traversal
Related Identifiers: CVE-2026-35573
Affected Products: Churchcrm