Platform
php
Component
churchcrm
Fixed version
7.2.1
CVE-2026-40581 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting ChurchCRM versions prior to 7.2.0. This flaw allows an attacker to trigger the irreversible deletion of family records and all associated data within the ChurchCRM system. Authenticated administrators are at risk, and the vulnerability has been addressed in version 7.2.0.
The impact of this CSRF vulnerability is significant due to the irreversible nature of the data deletion. An attacker could craft a malicious webpage that, when visited by an authenticated ChurchCRM administrator, would silently trigger the deletion of targeted family records. This includes associated notes, pledges, persons, and property data, effectively wiping critical information from the church's database. The lack of user interaction makes this attack particularly stealthy, as the administrator may be unaware that data has been compromised. Successful exploitation could lead to significant disruption of church operations and potential loss of sensitive member information.
CVE-2026-40581 was published on 2026-04-17. There is no indication of this vulnerability being actively exploited in the wild. It is not currently listed on KEV or EPSS, suggesting a low probability of exploitation. Public proof-of-concept (POC) code is not currently available, but the vulnerability's nature makes it relatively straightforward to exploit.
Exploitation status
EPSS
0.01% (0th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40581 is to upgrade ChurchCRM to version 7.2.0 or later, which includes the necessary CSRF protection. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the SelectDelete.php endpoint that lack a valid CSRF token. Alternatively, restrict access to this endpoint to trusted networks or users. Carefully review ChurchCRM's configuration to ensure that administrator accounts are secured with strong passwords and multi-factor authentication to reduce the risk of account compromise.
Update ChurchCRM to version 7.2.0 or later to mitigate the CSRF vulnerability. This update implements CSRF token validation in the family record deletion endpoint, preventing attackers from silently deleting data.
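As an added illustration of the kind of check the fix describes (this is not ChurchCRM's own code; the handler, field names and the sample family id are hypothetical), the following PHP shows a deletion endpoint protected with the synchronizer-token pattern: the token is bound to the session, only sent to same-origin pages in a hidden form field, and verified with a constant-time comparison before any state change:

```php
<?php
// Hypothetical CSRF-protected delete handler (not ChurchCRM's code).
// Synchronizer token pattern: one token per session, embedded in the
// confirmation form, verified before the irreversible deletion runs.

declare(strict_types=1);
session_start();

function csrfToken(): string
{
    // One token per session, generated from a CSPRNG.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function verifyCsrf(string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals avoids timing side channels on the comparison.
    return $expected !== '' && hash_equals($expected, $submitted);
}

// Render the confirmation form. A cross-origin page cannot read this
// hidden token, so a forged request arrives without a valid value.
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $token    = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    $familyId = (int)($_GET['family_id'] ?? 0);   // constructed sample input
    echo '<form method="post">'
       . '<input type="hidden" name="csrf_token" value="' . $token . '">'
       . '<input type="hidden" name="family_id" value="' . $familyId . '">'
       . '<button type="submit">Delete family</button></form>';
    exit;
}

// State-changing action: POST only, and the token must match the session.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !verifyCsrf((string)($_POST['csrf_token'] ?? ''))) {
    http_response_code(403);
    exit('Invalid or missing CSRF token');
}

$familyId = filter_input(INPUT_POST, 'family_id', FILTER_VALIDATE_INT);
if ($familyId === false || $familyId === null) {
    http_response_code(400);
    exit('Invalid family id');
}
// deleteFamily($familyId) would run here, only after the checks above.
```

A WAF rule of the kind mentioned above can only check that the field is present; the server-side comparison against the session value is what actually defeats a forged request.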
CVE-2026-40581 is a Cross-Site Request Forgery (CSRF) vulnerability in ChurchCRM versions before 7.2.0, allowing attackers to delete family records without user interaction.
You are affected if you are using ChurchCRM versions 0.0.0 through 7.1.9. Upgrade to 7.2.0 to resolve the issue.
Upgrade ChurchCRM to version 7.2.0 or later. As a temporary workaround, implement a WAF rule to protect the SelectDelete.php endpoint.
There is currently no evidence of CVE-2026-40581 being actively exploited in the wild.
Refer to the ChurchCRM security advisories page for the latest information: [https://www.churchcrm.org/security](https://www.churchcrm.org/security)