CVE-2026-35573 · Churchcrm · Churchcrm
Vulnerability data via NVD (ingested)
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows an authenticated administrator to upload a file with an arbitrary name and an arbitrary destination, and to achieve remote code execution by overwriting Apache .htaccess configuration files. The vulnerability is in src/ChurchCRM/Backup/RestoreJob.php: the $rawUploadedFile['name'] value (the client-supplied filename of the uploaded archive) is user-controlled and is used to build the destination path under /var/www/html/tmp_attach/ChurchCRMBackups/, so a name containing ../ sequences escapes that directory. Because Apache honours per-directory .htaccess files wherever AllowOverride permits them, an overwritten .htaccess can, for example, map an otherwise harmless file extension to the PHP handler, which is what turns the arbitrary write into code execution. Exploitation requires administrator credentials. The vulnerability is fixed in 6.5.3.
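To make the bug class concrete, here is an added illustration of the vulnerable pattern next to a hardened version. This is not ChurchCRM's code and does not reproduce RestoreJob.php; the function names, the allow-listed archive extensions, and the demo directory are assumptions for the example. The hardened variant rejects NUL bytes, keeps only the base name, requires an allow-listed backup extension (which also excludes dotfiles such as .htaccess), and confirms the resolved destination's parent is exactly the backup directory.

```php
<?php
// Added example for this advisory; NOT ChurchCRM's own code. Requires PHP 8+.
declare(strict_types=1);

// Directory named in the NVD description.
const BACKUP_DIR = '/var/www/html/tmp_attach/ChurchCRMBackups';

// Vulnerable pattern (assumed shape of the pre-6.5.3 bug): the client-supplied
// filename from the multipart upload is joined directly onto the backup directory.
// A name such as "../../.htaccess" escapes the directory and lands in the web root.
function restoreDestinationVulnerable(array $rawUploadedFile): string
{
    return BACKUP_DIR . '/' . $rawUploadedFile['name'];
}

// Hardened pattern: returns the destination path, or null if the name is rejected.
// The extension allow-list below is an assumption for illustration.
function restoreDestinationHardened(array $rawUploadedFile, string $baseDir = BACKUP_DIR): ?string
{
    $name = (string)($rawUploadedFile['name'] ?? '');

    // Reject rather than "clean": embedded NUL bytes and empty names are never legitimate.
    if ($name === '' || str_contains($name, "\0")) {
        return null;
    }

    // Drop every directory component. basename() only splits on "/" on Linux,
    // so normalise backslashes first in case the request was crafted by hand.
    $name = basename(str_replace('\\', '/', $name));

    // Allow-list: alphanumeric first character (so ".", "..", ".htaccess" cannot match),
    // a bounded safe character set, and one of the archive extensions restore accepts.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.(sql|sql\.gz|tar\.gz|zip)$/', $name)) {
        return null;
    }

    // Resolve the base directory and verify the destination's parent is exactly that directory.
    $realBase = realpath($baseDir);
    if ($realBase === false) {
        return null;
    }
    $dest = $realBase . DIRECTORY_SEPARATOR . $name;
    if (dirname($dest) !== $realBase) {
        return null;
    }
    return $dest;
}

// Demo: run both variants over constructed upload names, using a temporary
// directory so the hardened check's realpath() succeeds offline.
function demo(): array
{
    $dir = sys_get_temp_dir() . '/churchcrm-restore-demo-' . bin2hex(random_bytes(4));
    mkdir($dir, 0700);

    $cases = [
        'ChurchCRM-Backup.sql.gz',   // legitimate backup name
        '../../.htaccess',           // traversal to the web root's .htaccess
        '..\\..\\.htaccess',         // backslash variant
        ".htaccess\0.zip",           // NUL-byte truncation attempt
        'shell.php',                 // not an accepted backup type
    ];

    $out = [];
    foreach ($cases as $name) {
        $file = ['name' => $name, 'tmp_name' => '/tmp/phpUPLOAD', 'error' => UPLOAD_ERR_OK];
        $out[addcslashes($name, "\0..\37")] = [
            'vulnerable' => restoreDestinationVulnerable($file),
            'hardened'   => restoreDestinationHardened($file, $dir),
        ];
    }
    rmdir($dir);
    return $out;
}

print_r(demo());
```

Only the first case yields a non-null hardened destination; every traversal, dotfile and off-list name is refused before any file is moved, whereas the vulnerable variant happily produces paths outside the backup directory. The same containment check (resolve the base, build the path from the sanitised base name, compare the parent) is the one to look for when reviewing any upload handler that derives a path from $_FILES[...]['name'].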
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common). Note that a banner or HTML match only identifies a ChurchCRM install, not its version: confirm the instance is below 6.5.3, and that you are authorised to test it, before treating it as affected.
Shodan: vuln:CVE-2026-35573
Shodan: product:"Churchcrm Churchcrm"
Shodan: http.html:"Churchcrm"
More intel sources (5)
vuln:CVE-2026-35573
vulnerabilities.cve_id: CVE-2026-35573
CVE-2026-35573
CVE-2026-35573
"CVE-2026-35573" exploit -site:nvd.nist.gov