1. Home
  2. CVE Database
  3. CVE-2026-39940
NONE · 0

CVE-2026-39940

ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, woul...

Vulnerability Description

ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked 'Cancel' button on the page. For this write-up the DonatedItemEditor.php will be used as an example, however wherever all instances of 'linkBack' should be assessed. This vulnerability is fixed in 7.0.0.

Related Weaknesses (CWE)

CWE-601

References

FAQ

What is CVE-2026-39940?

CVE-2026-39940 is a documented vulnerability. ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, woul...

How severe is CVE-2026-39940?

CVSS scoring is not yet available for CVE-2026-39940. Check NVD for updates.

Is there a patch for CVE-2026-39940?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.