CVE-2026-35573

ChurchCRM has a Path traversal leads to RCE

Assigner: GitHub_M
Reserved: 03.04.2026 Published: 07.04.2026 Updated: 07.04.2026

ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows authenticated administrators to upload arbitrary files and achieve remote code execution by overwriting Apache .htaccess configuration files. The vulnerability exists in src/ChurchCRM/Backup/RestoreJob.php. The $rawUploadedFile['name'] parameter is user-controlled and allows uploading files with arbitrary names to /var/www/html/tmp_attach/ChurchCRMBackups/. This vulnerability is fixed in 6.5.3.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.1

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	ChurchCRM
Product	CRM
Versions	Version < 6.5.3 is affected

Vendor

ChurchCRM

Product

CRM

Versions

Version < 6.5.3 is affected

References

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE
CWE-434: Unrestricted Upload of File with Dangerous Type CWE

CVE-2026-35573 PUBLISHED

ChurchCRM has a Path traversal leads to RCE

Metrics

Product Status

References

Problem Types