Plataforma
php
Componente
churchcrm
Corrigido em
7.2.1
CVE-2026-40581 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting ChurchCRM versions prior to 7.2.0. This flaw allows an attacker to trigger the irreversible deletion of family records and all associated data within the ChurchCRM system. Authenticated administrators are at risk, and the vulnerability has been addressed in version 7.2.0.
The impact of this CSRF vulnerability is significant due to the irreversible nature of the data deletion. An attacker could craft a malicious webpage that, when visited by an authenticated ChurchCRM administrator, would silently trigger the deletion of targeted family records. This includes associated notes, pledges, persons, and property data, effectively wiping critical information from the church's database. The lack of user interaction makes this attack particularly stealthy, as the administrator may be unaware that data has been compromised. Successful exploitation could lead to significant disruption of church operations and potential loss of sensitive member information.
CVE-2026-40581 was published on 2026-04-17. There is no indication of this vulnerability being actively exploited in the wild. It is not currently listed on KEV or EPSS, suggesting a low probability of exploitation. Public proof-of-concept (POC) code is not currently available, but the vulnerability's nature makes it relatively straightforward to exploit.
Status do Exploit
EPSS
0.01% (percentil 0%)
CISA SSVC
Vetor CVSS
The primary mitigation for CVE-2026-40581 is to upgrade ChurchCRM to version 7.2.0 or later, which includes the necessary CSRF protection. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the SelectDelete.php endpoint that lack a valid CSRF token. Alternatively, restrict access to this endpoint to trusted networks or users. Carefully review ChurchCRM's configuration to ensure that administrator accounts are secured with strong passwords and multi-factor authentication to reduce the risk of account compromise.
Atualize ChurchCRM para a versão 7.2.0 ou posterior para mitigar a vulnerabilidade de CSRF. Esta atualização implementa a validação de tokens CSRF no endpoint de exclusão de registros familiares, prevenindo a exclusão silenciosa de dados por parte de atacantes.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2026-40581 is a Cross-Site Request Forgery (CSRF) vulnerability in ChurchCRM versions before 7.2.0, allowing attackers to delete family records without user interaction.
You are affected if you are using ChurchCRM versions 0.0.0 through 7.1.9. Upgrade to 7.2.0 to resolve the issue.
Upgrade ChurchCRM to version 7.2.0 or later. As a temporary workaround, implement a WAF rule to protect the SelectDelete.php endpoint.
There is currently no evidence of CVE-2026-40581 being actively exploited in the wild.
Refer to the ChurchCRM security advisories page for the latest information: [https://www.churchcrm.org/security](https://www.churchcrm.org/security)
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.