Improper Input Validation in ChurchCRM Leading to Data Loss
CVE-2026-40581

8.1 HIGH

Key Information:

Vendor: Churchcrm
Status: Vendor
CVE Published: 17 April 2026

What is CVE-2026-40581?

ChurchCRM, an open-source church management system, contains a vulnerability in its family record deletion endpoint (SelectDelete.php). In versions prior to 7.2.0 the endpoint performs permanent, irreversible deletion of a family record in response to a plain GET request and does not validate a CSRF token. An attacker can therefore craft a malicious webpage that issues this request; if an authenticated administrator visits that page, the targeted family records are silently deleted together with their associated notes, pledges, persons, and property data, with no further interaction beyond loading the page. The issue is fixed in version 7.2.0.
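The defect class described above, as an added example that is not ChurchCRM's own code: a generic PHP deletion handler in the vulnerable shape (state change on a bare GET, no token) next to a hardened version that requires POST and a per-session CSRF token. The function names, the `FamilyID` parameter, the `$deleteFamily` callback and an already-started session are assumptions, not the project's API.

```php
<?php
// Added example, not ChurchCRM code: names, parameters and the
// $deleteFamily callback are assumptions; a session is assumed started.
declare(strict_types=1);

// VULNERABLE SHAPE: a destructive action completed by a bare GET. A URL
// embedded in any page the admin visits fires it, and the browser attaches
// the admin's session cookie automatically, so the server cannot tell.
function vulnerableDelete(callable $deleteFamily): void
{
    $deleteFamily((int) ($_GET['ID'] ?? 0)); // no method check, no token
}

// Issue one unpredictable token per session; embed it as a hidden form field.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison so the check does not leak timing information.
function csrfTokenIsValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// HARDENED SHAPE: reject non-POST, require a valid token, validate the id.
function hardenedDelete(callable $deleteFamily): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        exit;
    }
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    $familyId = filter_input(INPUT_POST, 'FamilyID', FILTER_VALIDATE_INT);
    if ($familyId === false || $familyId === null) {
        http_response_code(400);
        exit('Invalid family id');
    }
    $deleteFamily($familyId);
    header('Location: /families', true, 303);
}
```

The value returned by `csrfToken()` goes into a hidden field of the delete form so that only a page served by the application can submit it. Marking the session cookie `SameSite=Lax` or `Strict` adds an independent layer, but the token check is the control that actually closes the GET-without-token gap.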

Affected Version(s)

CRM < 7.2.0

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
