Cyber Posture

CVE-2026-35573

Severity: Critical · Public PoC

Published: 07 April 2026
Modified: 10 April 2026
KEV Added:
Patch:
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0034 (56.6th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows authenticated administrators to upload arbitrary files and achieve remote code execution by overwriting Apache .htaccess configuration files. The vulnerability exists in src/ChurchCRM/Backup/RestoreJob.php. The $rawUploadedFile['name'] parameter is user-controlled and allows uploading files with arbitrary names to /var/www/html/tmp_attach/ChurchCRMBackups/. This vulnerability is fixed in 6.5.3.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- [prevent] Directly mitigates path traversal by requiring validation and error handling of the user-controlled $rawUploadedFile['name'] parameter in the backup restore function.
- [prevent] Requires timely flaw remediation by upgrading to ChurchCRM 6.5.3, which fixes the vulnerability in RestoreJob.php.
- [prevent] Restricts file names in uploads to safe patterns without traversal characters like '../', preventing arbitrary file placement in the tmp_attach directory.
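The first and third controls above both come down to one check: the user-supplied upload name must be reduced to a single safe file name before it is ever joined to the backup directory. The following PHP is an added example written for this page; it is not ChurchCRM's code and does not reproduce RestoreJob.php. The class name, the allowed-extension list and the demo directory are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not ChurchCRM's code): validate a user-supplied upload
 * name before it is used to build a path inside the backup directory.
 * The allowed extensions and the directory are assumptions for the demo.
 */
final class UploadNameValidator
{
    /** @var string[] extensions a backup archive is expected to carry (assumed) */
    private const ALLOWED_EXTENSIONS = ['zip', 'gz', 'sql', 'tar'];

    /** Must start with an alphanumeric, so dotfiles such as .htaccess never pass. */
    private const NAME_PATTERN = '/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/';

    public function __construct(private string $destDir) {}

    /**
     * Returns the absolute destination path for $rawName, or throws.
     * $rawName is never trusted as a path: only its final component survives.
     */
    public function resolve(string $rawName): string
    {
        // A NUL byte can truncate the path in the underlying C calls; reject it.
        if (str_contains($rawName, "\0")) {
            throw new InvalidArgumentException('NUL byte in upload name');
        }

        // Drop any directory part, whether '/' or '\' separated, so
        // '../../x' and 'a\..\x' both collapse to their last segment.
        $name = basename(str_replace('\\', '/', $rawName));

        // Allowlist the remaining characters. '/' and '\' are not in the
        // class, so no traversal sequence can survive this check.
        if (!preg_match(self::NAME_PATTERN, $name)) {
            throw new InvalidArgumentException("Rejected upload name: $name");
        }

        // Only archive-like extensions are expected for a backup restore.
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!in_array($ext, self::ALLOWED_EXTENSIONS, true)) {
            throw new InvalidArgumentException("Unexpected extension: $ext");
        }

        // Defence in depth: resolve the directory and confirm the final
        // path still sits inside it after symlink resolution.
        $base = realpath($this->destDir);
        if ($base === false) {
            throw new RuntimeException('Backup directory does not exist');
        }
        $target = $base . DIRECTORY_SEPARATOR . $name;
        $prefix = $base . DIRECTORY_SEPARATOR;
        if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
            throw new RuntimeException('Path escaped the backup directory');
        }
        return $target;
    }
}

// Demo run with constructed sample names; the directory lives in the temp dir.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/backup-name-demo';
    @mkdir($dir, 0700, true);
    $validator = new UploadNameValidator($dir);
    $samples = [
        'backup-2026-04-07.tar.gz',          // accepted
        '../../.htaccess',                   // rejected: dotfile after basename()
        '..\\..\\var\\www\\html\\.htaccess', // rejected: same, backslash form
        "evil.php\0.zip",                    // rejected: NUL byte
        'shell.php',                         // rejected: extension not allowed
    ];
    foreach ($samples as $sample) {
        try {
            echo 'ACCEPT ' . $validator->resolve($sample) . PHP_EOL;
        } catch (Throwable $e) {
            echo 'REJECT ' . addcslashes($sample, "\0..\37") . ': ' . $e->getMessage() . PHP_EOL;
        }
    }
}
```

Run it with `php validator.php` on PHP 8 or later (it uses `str_contains` and constructor property promotion). The check is deliberately an allowlist on the reduced name rather than a search for '../': stripping or denying known-bad substrings leaves room for encodings the filter did not anticipate, whereas a name that must match the pattern cannot carry a separator at all. Note that this validates the file name only; what the web server does with files in the upload directory (executing them, or honouring a per-directory .htaccess there) is a separate control that the name check does not replace.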

Security Summary (AI-generated)

CVE-2026-35573 is a path traversal vulnerability (CWE-22, CWE-434) in the backup restore functionality of ChurchCRM, an open-source church management system. Versions prior to 6.5.3 are affected, specifically in the src/ChurchCRM/Backup/RestoreJob.php component. The issue stems from the user-controlled $rawUploadedFile['name'] parameter, which allows authenticated administrators to upload files with arbitrary names to the /var/www/html/tmp_attach/ChurchCRMBackups/ directory. This can lead to remote code execution by overwriting Apache .htaccess configuration files. The vulnerability has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

Authenticated administrators with high privileges can exploit this vulnerability remotely with low complexity and no user interaction required. By crafting a malicious backup file upload, attackers can traverse paths to place arbitrary files in sensitive locations, such as overwriting .htaccess files to enable code execution on the server. Successful exploitation grants high confidentiality, integrity, and availability impacts, with a changed scope due to the potential for server-wide effects.

The vulnerability is fixed in ChurchCRM version 6.5.3. Security practitioners should upgrade to this version immediately. Additional details are available in the GitHub security advisory at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-r6cr-mvr9-f6wx.

Details

CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal'), CWE-434 (Unrestricted Upload of File with Dangerous Type)

Affected Products

Vendor: churchcrm
Product: churchcrm
Versions: ≤ 6.5.3

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Path traversal in the public-facing web app (ChurchCRM) backup restore allows authenticated admins to overwrite .htaccess for RCE, directly enabling exploitation of a public-facing application (T1190) and exploitation for privilege escalation from admin to server-level access (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References