Platform
php
Component
churchcrm
Fixed version
7.2.1
CVE-2026-40581 describes a Cross-Site Request Forgery (CSRF) vulnerability in ChurchCRM versions prior to 7.2.0. The family-record deletion endpoint accepted state-changing requests without verifying that they originated from the application itself, so an attacker who can get an authenticated administrator to load attacker-controlled content can trigger the irreversible deletion of family records and all associated data. The attacker needs no account of their own; the victim's session supplies the authorization. The vulnerability has been addressed in version 7.2.0.
The impact is significant because the deletion is irreversible. An attacker can craft a malicious webpage that, when visited by an administrator with a live ChurchCRM session, silently submits the deletion request in the background. The request removes the targeted family records together with their associated notes, pledges, persons and property data, wiping critical information from the church's database. Beyond loading the page, no further action by the administrator is required, and nothing in the browser indicates that a request to ChurchCRM was made, so the administrator may not learn of the loss until the records are needed. Successful exploitation could disrupt church operations and destroy sensitive member information for which no other copy exists.
CVE-2026-40581 was published on 2026-04-17. There is no indication that it is being actively exploited in the wild. It is not on CISA's Known Exploited Vulnerabilities (KEV) list, and its EPSS score is 0.01%, indicating a low estimated probability of exploitation. No public proof-of-concept (PoC) code is currently available, but CSRF against a known endpoint requires little more than an auto-submitting form, so the absence of a PoC should not be read as a barrier to exploitation.
Exploit status
EPSS
0.01% (0th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40581 is to upgrade ChurchCRM to version 7.2.0 or later, which adds CSRF protection to the affected endpoint. If an immediate upgrade is not feasible, a Web Application Firewall (WAF) rule in front of the SelectDelete.php endpoint can reduce exposure. Note that a WAF cannot check for a CSRF token that the unpatched application never issues; instead, have the rule reject requests to that endpoint whose Origin or Referer header does not match the ChurchCRM host, or whose Sec-Fetch-Site header is cross-site, since browsers set these headers and attacker-controlled pages cannot forge them. Alternatively, restrict access to the endpoint to trusted networks or users. Review ChurchCRM's configuration to ensure administrator accounts use strong passwords and multi-factor authentication; this reduces the risk of account compromise generally, but does not by itself stop a CSRF request riding on a legitimately authenticated session.
To mitigate the CSRF vulnerability, update ChurchCRM to version 7.2.0 or later. This update implements CSRF token validation on the family-record deletion endpoint, preventing silent data deletion by attackers.
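The following is an added illustration of the synchronizer-token pattern that the fix described above relies on; it is not ChurchCRM's own code. The handler name, the `ids` and `csrf_token` parameter names and the `deleteFamilies()` call are assumptions chosen for the example. It also shows the Origin / Sec-Fetch-Site check that the WAF workaround above depends on, implemented in the application as defence in depth:

```php
<?php
// Added example, not ChurchCRM's own code. Demonstrates closing a CSRF hole on a
// state-changing endpoint (a family-record delete) with a per-session synchronizer
// token, plus a browser-header same-origin check as a second layer.
// Endpoint name, parameter names and deleteFamilies() are assumptions.

declare(strict_types=1);

session_start();

// Issue one random token per session. The same token is embedded in every form
// that performs a write, so a page on another origin cannot know it.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits of entropy
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to place inside each form that reaches a state-changing handler.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Refuse the request unless the submitted token matches the session token.
// hash_equals() compares in constant time so the token cannot be guessed byte by byte.
function requireValidCsrfToken(array $post): void
{
    $expected  = $_SESSION['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($submitted) || !hash_equals($expected, $submitted)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// Defence in depth: browsers attach Sec-Fetch-Site and Origin to cross-site form
// posts and attacker JavaScript cannot alter them. Absent headers (older clients)
// are tolerated here because the token check above is the primary control.
function requireSameOrigin(array $server, string $ownHost): void
{
    $fetchSite = $server['HTTP_SEC_FETCH_SITE'] ?? null;
    if ($fetchSite === 'cross-site') {
        http_response_code(403);
        exit('Cross-site request refused');
    }
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin !== null && strcasecmp((string)parse_url($origin, PHP_URL_HOST), $ownHost) !== 0) {
        http_response_code(403);
        exit('Origin mismatch');
    }
}

// Hypothetical delete handler. The vulnerable pattern this replaces acted on the
// requested ids after nothing more than a session check, so any page the logged-in
// administrator visited could make the browser send the deleting request.
function handleFamilyDelete(array $post, array $server): void
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') { // destructive actions never on GET
        http_response_code(405);
        exit('Method not allowed');
    }
    requireSameOrigin($server, $server['HTTP_HOST'] ?? '');
    requireValidCsrfToken($post);

    $ids = array_values(array_filter(array_map('intval', (array)($post['ids'] ?? []))));
    if ($ids === []) {
        http_response_code(400);
        exit('No records selected');
    }
    deleteFamilies($ids); // assumed application function performing the actual deletion
}

function deleteFamilies(array $ids): void
{
    // Placeholder for the example: the real application would delete the records
    // and their associated notes, pledges, persons and property here.
    error_log('Would delete family ids: ' . implode(',', $ids));
}

handleFamilyDelete($_POST, $_SERVER);
```

The form that renders the delete button calls `csrfField()` so the token travels with the legitimate submission; a forged cross-site form cannot include it, and is additionally caught by the header check before the token is even compared.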
CVE-2026-40581 is a Cross-Site Request Forgery (CSRF) vulnerability in ChurchCRM versions before 7.2.0. It lets an attacker delete family records simply by having an authenticated administrator load an attacker-controlled page; no further action by the administrator is needed.
You are affected if you are using ChurchCRM versions 0.0.0 through 7.1.9. Upgrade to 7.2.0 to resolve the issue.
Upgrade ChurchCRM to version 7.2.0 or later. As a temporary workaround, implement a WAF rule to protect the SelectDelete.php endpoint.
There is currently no evidence of CVE-2026-40581 being actively exploited in the wild.
Refer to the ChurchCRM security advisories page for the latest information: [https://www.churchcrm.org/security](https://www.churchcrm.org/security)