CVE-2026-40581

Published: Apr 18, 2026Modified: Apr 20, 2026Deferred

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Exploitability: 2.8 / Impact: 5.2

Source: security-advisories@github.com (Secondary)

Description

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An attacker can craft a malicious page that, when visited by an authenticated administrator, silently triggers deletion of targeted family records including associated notes, pledges, persons, and property data without any user interaction. This issue has been fixed in version 7.2.0.

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (3)

https://github.com/ChurchCRM/CRM/commit/39361628613af7682b813f3e62a412559616d674

Source: security-advisories@github.com

https://github.com/ChurchCRM/CRM/pull/8613

Source: security-advisories@github.com

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-6qxv-xw9j-77pj

Source: security-advisories@github.com

Timeline

No history available yet.