CVE-2026-39940

Vulnerability Description

ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked 'Cancel' button on the page. For this write-up the DonatedItemEditor.php will be used as an example, however wherever all instances of 'linkBack' should be assessed. This vulnerability is fixed in 7.0.0.

Vulnerability Details

Published Date

April 13, 2026

Last Modified

April 13, 2026

CWE ID

CWE-601

Source

NVD

Vendor

ChurchCRM

Product

CRM

External References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-5g52-rvjf-6wwf
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v3hj-33xf-qx47

CVE-2026-39940

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment