Plattform
php
Komponente
churchcrm
Behoben in
7.2.1
CVE-2026-40581 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting ChurchCRM versions prior to 7.2.0. This flaw allows an attacker to trigger the irreversible deletion of family records and all associated data within the ChurchCRM system. Authenticated administrators are at risk, and the vulnerability has been addressed in version 7.2.0.
The impact of this CSRF vulnerability is significant due to the irreversible nature of the data deletion. An attacker could craft a malicious webpage that, when visited by an authenticated ChurchCRM administrator, would silently trigger the deletion of targeted family records. This includes associated notes, pledges, persons, and property data, effectively wiping critical information from the church's database. The lack of user interaction makes this attack particularly stealthy, as the administrator may be unaware that data has been compromised. Successful exploitation could lead to significant disruption of church operations and potential loss of sensitive member information.
CVE-2026-40581 was published on 2026-04-17. There is no indication of this vulnerability being actively exploited in the wild. It is not currently listed on KEV or EPSS, suggesting a low probability of exploitation. Public proof-of-concept (POC) code is not currently available, but the vulnerability's nature makes it relatively straightforward to exploit.
Exploit-Status
EPSS
0.01% (0% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2026-40581 is to upgrade ChurchCRM to version 7.2.0 or later, which includes the necessary CSRF protection. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the SelectDelete.php endpoint that lack a valid CSRF token. Alternatively, restrict access to this endpoint to trusted networks or users. Carefully review ChurchCRM's configuration to ensure that administrator accounts are secured with strong passwords and multi-factor authentication to reduce the risk of account compromise.
Aktualisieren Sie ChurchCRM auf Version 7.2.0 oder höher, um die CSRF-Schwachstelle zu beheben. Dieses Update implementiert die CSRF-Token-Validierung am Familienregister-Lösch-Endpunkt und verhindert so die stille Datenlöschung durch Angreifer.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-40581 is a Cross-Site Request Forgery (CSRF) vulnerability in ChurchCRM versions before 7.2.0, allowing attackers to delete family records without user interaction.
You are affected if you are using ChurchCRM versions 0.0.0 through 7.1.9. Upgrade to 7.2.0 to resolve the issue.
Upgrade ChurchCRM to version 7.2.0 or later. As a temporary workaround, implement a WAF rule to protect the SelectDelete.php endpoint.
There is currently no evidence of CVE-2026-40581 being actively exploited in the wild.
Refer to the ChurchCRM security advisories page for the latest information: [https://www.churchcrm.org/security](https://www.churchcrm.org/security)
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.