CVE-2026-35573

ChurchCRM has a Path traversal leads to RCE

Description

ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows authenticated administrators to upload arbitrary files and achieve remote code execution by overwriting Apache .htaccess configuration files. The vulnerability exists in src/ChurchCRM/Backup/RestoreJob.php. The $rawUploadedFile['name'] parameter is user-controlled and allows uploading files with arbitrary names to /var/www/html/tmp_attach/ChurchCRMBackups/. This vulnerability is fixed in 6.5.3.

INFO

Published Date :

2026-04-07T17:06:07.161Z

Last Modified :

2026-04-08T18:49:46.996Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-35573 vulnerability.

Vendors	Products
Churchcrm	Churchcrm

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35573.

URL	Resource
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-r6cr-mvr9-f6wx

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact