Platform: php
Component: churchcrm-crm
Fixed in: 7.2.1
CVE-2026-40484 describes a Remote Code Execution (RCE) vulnerability within ChurchCRM, an open-source church management system. This flaw allows an authenticated administrator to upload a crafted backup archive, resulting in the execution of arbitrary code on the server. The vulnerability impacts versions 0.0.0 through 7.2.0, and a patch is available in version 7.2.0.
An attacker exploiting this vulnerability can achieve remote code execution as the web server user. This means they can potentially gain full control over the ChurchCRM server, including access to sensitive data such as church member information, financial records, and internal communications. The attacker could install malware, modify website content, or use the server as a launchpad for further attacks against other systems on the network. The recursiveCopyDirectory() function's lack of file extension filtering is the root cause, allowing malicious PHP files to be placed in a publicly accessible directory.
This vulnerability was publicly disclosed on 2026-04-17. While no active exploitation campaigns have been confirmed, the ease of exploitation and the critical severity of the vulnerability make it a high-priority target. It resembles other file upload vulnerabilities in which insufficient file extension filtering leads to code execution. An NVD entry is pending.
Exploit Status
EPSS: 0.07% (21st percentile)
The primary mitigation is to immediately upgrade ChurchCRM to version 7.2.0 or later, which contains the fix. If upgrading is not immediately feasible, consider restricting file upload permissions for the 'Images/' directory to prevent the upload of executable files. Implement a Web Application Firewall (WAF) with rules to block the upload of archives containing PHP files within the 'Images/' directory. Regularly review and audit ChurchCRM configurations to ensure adherence to security best practices.
Update ChurchCRM to version 7.2.0 or later to mitigate the vulnerability. This version corrects the lack of file extension validation and the absence of CSRF protection in the database restore function, preventing remote code execution.
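The two defects named above (no file extension validation in the recursive copy, and no CSRF protection on the restore action) are both addressed by the kind of code below. It is an added example written for this page, not ChurchCRM's own code or its actual patch; the function names, the allowlist and the audit helper are assumptions, and only the general shape of the fix (allowlist instead of blocklist, reject dot-files and double extensions, never mark restored files executable, verify the CSRF token in constant time) is what it demonstrates.

```php
<?php
// Added example, not ChurchCRM code: a restore routine that copies only
// allowlisted image files into a web-served directory, plus the CSRF check
// a restore handler should run first. All names here are hypothetical.

declare(strict_types=1);

// Extensions a backup of an images directory legitimately contains.
// This is an allowlist: anything else (php, phtml, htaccess, ...) is refused.
const ALLOWED_IMAGE_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

/**
 * True when every extension segment of $name is allowlisted.
 * "photo.php.jpg" is rejected because each segment after the base name is
 * checked, not only the last one; ".htaccess" is rejected because dot-files
 * have no base name and could re-enable script execution in the directory.
 */
function hasAllowedExtension(string $name, array $allowed = ALLOWED_IMAGE_EXTENSIONS): bool
{
    $parts = explode('.', strtolower(basename($name)));
    if (count($parts) < 2 || $parts[0] === '') {
        return false;            // no extension at all, or a dot-file
    }
    array_shift($parts);         // drop the base name, keep extension segments
    foreach ($parts as $ext) {
        if (!in_array($ext, $allowed, true)) {
            return false;
        }
    }
    return true;
}

/**
 * Copy $src into $dst recursively, skipping symlinks and any file whose name
 * is not allowlisted. Restored files are chmod 0644 so none are executable.
 * Returns the relative paths that were skipped so the caller can log or abort.
 */
function safeRecursiveCopy(string $src, string $dst): array
{
    $skipped = [];
    $srcReal = realpath($src);
    if ($srcReal === false || !is_dir($srcReal)) {
        throw new RuntimeException("source is not a directory: $src");
    }
    if (!is_dir($dst) && !mkdir($dst, 0755, true)) {
        throw new RuntimeException("cannot create destination: $dst");
    }
    $dstReal = realpath($dst);

    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($srcReal, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $item) {
        $rel    = substr($item->getPathname(), strlen($srcReal) + 1);
        $target = $dstReal . DIRECTORY_SEPARATOR . $rel;

        if ($item->isLink()) {                       // a link could point outside the archive
            $skipped[] = "$rel (symlink)";
            continue;
        }
        if ($item->isDir()) {
            if (!is_dir($target) && !mkdir($target, 0755, true)) {
                throw new RuntimeException("cannot create: $target");
            }
            continue;
        }
        if (!hasAllowedExtension($item->getFilename())) {
            $skipped[] = "$rel (extension not allowlisted)";
            continue;
        }
        if (!copy($item->getPathname(), $target)) {
            throw new RuntimeException("copy failed: $rel");
        }
        chmod($target, 0644);                        // data, never executable
    }
    return $skipped;
}

/**
 * Compare the token submitted with the restore form against the one held in
 * the session. hash_equals() is constant-time; an empty expected token fails.
 */
function csrfTokenIsValid(?string $submitted, ?string $expected): bool
{
    return is_string($submitted) && is_string($expected)
        && $expected !== '' && hash_equals($expected, $submitted);
}

/**
 * Audit helper: list files already under $dir whose names are not allowlisted,
 * e.g. to check a public Images/ directory after an earlier, unfiltered restore.
 */
function findUnexpectedFiles(string $dir): array
{
    $found = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $item) {
        if ($item->isFile() && !hasAllowedExtension($item->getFilename())) {
            $found[] = $item->getPathname();
        }
    }
    return $found;
}

// Usage sketch inside a restore handler (hypothetical variable names):
// if (!csrfTokenIsValid($_POST['csrf_token'] ?? null, $_SESSION['csrf_token'] ?? null)) {
//     http_response_code(403);
//     exit;
// }
// $skipped = safeRecursiveCopy($extractedBackup . '/Images', $webRoot . '/Images');
// if ($skipped !== []) {
//     error_log('restore skipped: ' . implode(', ', $skipped));
// }
```

The allowlist is the important design choice: a blocklist of ".php" misses variants such as ".phtml" or ".phar" and double extensions that some web server configurations still hand to the PHP interpreter, whereas an allowlist of image types refuses all of them by default. `findUnexpectedFiles()` is the check to run on an existing installation that may have performed a restore before upgrading.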
CVE-2026-40484 is a critical Remote Code Execution vulnerability in ChurchCRM versions 0.0.0 through 7.2.0. An authenticated admin can upload a malicious backup archive, leading to code execution.
If you are using ChurchCRM versions 0.0.0 through 7.2.0, you are potentially affected. Check your version and upgrade immediately if vulnerable.
Upgrade ChurchCRM to version 7.2.0 or later. As a temporary workaround, restrict file upload permissions for the 'Images/' directory and implement WAF rules.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation make it a likely target.
Refer to the ChurchCRM security advisories on their official website or GitHub repository for the latest information and updates.