Remote Code Execution Vulnerability in ChurchCRM by ChurchCRM
CVE-2026-40484

9.1 CRITICAL

Key Information:

Vendor: ChurchCRM
Status: Vendor
CVE Published: 17 April 2026

What is CVE-2026-40484?

ChurchCRM, an open-source church management tool, has a vulnerability in its database backup restore functionality. The restore handler extracts an uploaded backup archive into a publicly accessible directory without checking the type of the files the archive contains. An authenticated administrator can therefore upload an archive that contains a PHP webshell and then request that file over HTTP, which executes it as the web server user: remote code execution. In addition, the restore endpoint does not validate a CSRF token, so an attacker who gets a logged-in administrator to visit a crafted page can trigger the same upload without the administrator's knowledge. The issue is fixed in version 7.2.0.

Affected Version(s)

ChurchCRM < 7.2.0

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published: 17 April 2026

  • Vulnerability reserved