Platform: php
Component: churchcrm-crm
Fixed in: 7.2.1
CVE-2026-40484 describes a Remote Code Execution (RCE) vulnerability within ChurchCRM, an open-source church management system. This flaw allows an authenticated administrator to upload a crafted backup archive, resulting in the execution of arbitrary code on the server. The vulnerability impacts versions 0.0.0 through 7.2.0, and a patch is available in version 7.2.0.
The impact of this vulnerability is severe. An attacker who holds an authenticated administrator account can upload a crafted backup archive containing a PHP webshell. The restore routine writes that file into a publicly accessible directory under the web server's document root, so the webshell becomes reachable over HTTP and the attacker can then execute arbitrary code on the server with ordinary web requests, effectively gaining remote control. This could lead to data theft, modification, or deletion, as well as the installation of malware or further exploitation of the network. Code execution as the web server user grants significant privileges and may enable lateral movement within the organization's infrastructure.
This vulnerability was publicly disclosed on April 17, 2026. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation and the critical severity of the vulnerability make it a high-priority target. The vulnerability’s exploitation pattern resembles other file upload vulnerabilities leading to remote code execution, increasing the likelihood of exploitation attempts. Its inclusion in the KEV catalog is pending.
Churches and organizations using ChurchCRM versions 0.0.0 through 7.2.0 are at risk, particularly those with publicly accessible 'Images/' directories and inadequate file upload controls. Shared hosting environments where multiple ChurchCRM instances reside are also at increased risk due to potential cross-site contamination.
• wordpress / composer / npm:
grep -r 'recursiveCopyDirectory' /var/www/churchcrm/
• generic web:
curl -I http://your-churchcrm-site.com/Images/webshell.php | grep 'Content-Type:'
Disclosure
Exploit status
EPSS
0.07% (21st percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade ChurchCRM to version 7.2.0 or later, which addresses this vulnerability. If upgrading is not immediately feasible, consider restricting file upload permissions for the 'Images/' directory to prevent the placement of malicious files. Implement a Web Application Firewall (WAF) with rules to detect and block the upload of archives containing PHP code within the 'Images/' directory. Monitor web server access logs for suspicious activity, particularly requests targeting files within the 'Images/' directory. After upgrade, confirm the fix by attempting a backup and restore operation with a benign archive to ensure the vulnerability is no longer exploitable.
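The log-monitoring step above, as an added example that is neither the page's nor ChurchCRM's own code: it parses combined-format access log lines (constructed here) and flags any request for a file under Images/ whose name carries an executable or non-image extension, including URL-encoded and double-extension names such as avatar.php.jpg.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import unquote, urlparse

# Extensions that legitimately belong under ChurchCRM's Images/ directory (assumed allowlist).
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".ico", ".bmp"}
# Extensions a PHP-enabled web server may execute; any of these under Images/ is a red flag.
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".phar", ".php3", ".php5", ".php7", ".phps", ".inc"}

# Apache/nginx "combined" log format: ip ident user [time] "METHOD target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+"
)

def classify_path(url_target):
    """Return a reason string if the request targets a non-image under Images/, else None."""
    path = unquote(urlparse(url_target).path)   # drop the query string, decode %2E and friends
    if path.endswith("/"):                        # directory request, not a file
        return None
    if "Images" not in PurePosixPath(path).parts:
        return None
    # Look at every suffix so 'shell.php.jpg' and 'shell.jpg.php' are both caught.
    suffixes = {s.lower() for s in PurePosixPath(path).suffixes}
    if suffixes & EXECUTABLE_EXTENSIONS:
        return "executable extension under Images/"
    if not suffixes & IMAGE_EXTENSIONS:
        return "non-image file under Images/"
    return None

def suspicious_requests(log_lines):
    """Return (ip, method, target, status, reason) for every log line that hits a suspicious file."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_path(m["target"])
        if reason:
            hits.append((m["ip"], m["method"], m["target"], int(m["status"]), reason))
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Apr/2026:10:02:11 +0000] "GET /Images/logo.png HTTP/1.1" 200 5120',
    '203.0.113.5 - - [17/Apr/2026:10:02:12 +0000] "GET /Images/ HTTP/1.1" 403 199',
    '198.51.100.7 - - [17/Apr/2026:10:04:31 +0000] "POST /Images/restore.php?cmd=id HTTP/1.1" 200 48',
    '198.51.100.7 - - [17/Apr/2026:10:04:40 +0000] "GET /Images/avatar.php.jpg HTTP/1.1" 200 48',
    '192.0.2.9 - - [17/Apr/2026:10:05:02 +0000] "GET /Images/thumb%2Ephp HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(*hit)
```

A 200 status on a flagged path means the file exists and was served; a 404 still records someone probing for it and is worth correlating with the admin backup-restore activity of the same period.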
Update ChurchCRM to version 7.2.0 or later to mitigate the vulnerability. This version fixes the missing file extension validation and the absence of CSRF protection in the database restore function, preventing remote code execution.
CVE-2026-40484 is a critical Remote Code Execution vulnerability in ChurchCRM versions 0.0.0 through 7.2.0. An authenticated admin can upload a malicious backup archive, leading to code execution.
If you are using ChurchCRM versions 0.0.0 through 7.2.0, you are potentially affected. Check your version and upgrade immediately if vulnerable.
Upgrade ChurchCRM to version 7.2.0 or later. As a temporary workaround, restrict file upload permissions for the 'Images/' directory and implement WAF rules.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation make it a likely target.
Refer to the ChurchCRM security advisories on their official website or GitHub repository for the latest information and updates.