CVE-2026-40581
Severity: HIGH 8.1 · EPSS percentile 9.8%

Description

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data in response to a plain GET request, with no CSRF token validation. Because the action is reachable by GET, an attacker can craft a page that, when visited by an authenticated administrator, silently triggers deletion of targeted family records, including associated notes, pledges, persons, and property data, with no interaction beyond visiting the page (the CVSS vector's UI:R reflects that visit). This issue has been fixed in version 7.2.0.
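As an added illustration of the weakness class (this is not ChurchCRM's code and not the 7.2.0 fix), the PHP below contrasts a hypothetical GET-reachable delete handler with a hardened one that requires POST, an authorised role, and a session-bound CSRF token. The function names, the `Family` parameter, the `is_admin` session flag and the in-memory "database" are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical handlers, added for illustration; not ChurchCRM's code.

// VULNERABLE: any GET carrying ?Family=<id> deletes the record.
// A link, <img src="...">, or redirect on an attacker's page sends this
// request and the browser attaches the victim's session cookie.
function vulnerableDelete(array $query, callable $deleteFamily): bool
{
    if (!isset($query['Family'])) {
        return false;
    }
    $deleteFamily((int) $query['Family']);  // no method, token or role check
    return true;
}

// Issue (or reuse) a per-session CSRF token; embed it in the delete form.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// HARDENED: POST only, authorised role only, token must match the session.
function hardenedDelete(string $method, array $post, array $session, callable $deleteFamily): bool
{
    if ($method !== 'POST') {               // state change never on GET
        return false;
    }
    if (empty($session['is_admin'])) {      // authorisation check (CWE-862)
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = (string) ($post['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {  // CWE-352
        return false;                       // constant-time comparison
    }
    if (!isset($post['Family'])) {
        return false;
    }
    $deleteFamily((int) $post['Family']);
    return true;
}

// Constructed demo data: a stand-in for the families table.
$families = [7 => 'Smith', 12 => 'Nguyen'];
$delete = function (int $id) use (&$families): void {
    unset($families[$id]);
};

$session = ['is_admin' => true];
issueCsrfToken($session);

// Forged request as an attacker's page would cause it: the browser adds the
// session cookie, but the attacker cannot read or supply the token.
$forgedQuery = ['Family' => 7];

vulnerableDelete($forgedQuery, $delete);
printf("vulnerable: family 7 %s\n", isset($families[7]) ? 'kept' : 'DELETED');

$families[7] = 'Smith';
$rejected = !hardenedDelete('GET', $forgedQuery, $session, $delete);
printf("hardened, forged GET rejected: %s\n", $rejected ? 'yes' : 'no');

$rejected = !hardenedDelete('POST', ['Family' => 7, 'csrf_token' => 'guess'], $session, $delete);
printf("hardened, POST with wrong token rejected: %s\n", $rejected ? 'yes' : 'no');

// Legitimate submission from the application's own form carries the token.
$ok = hardenedDelete('POST', ['Family' => 7, 'csrf_token' => $session['csrf_token']], $session, $delete);
printf("hardened, genuine POST accepted: %s, family 7 %s\n",
    $ok ? 'yes' : 'no', isset($families[7]) ? 'kept' : 'DELETED');
```

Two practitioner caveats worth keeping in mind when reviewing a fix of this kind: a `SameSite=Lax` session cookie is still sent on top-level GET navigations, so a cookie attribute alone does not rescue a GET-based delete, which is why moving the action to POST matters; and the token must travel in the POST body rather than the query string, or it leaks through Referer headers and server logs.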

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
EPSS: 0.20% probability of exploitation · percentile 9.8% · 2026-06-19T12:03:05Z
Published: 2026-04-18
Last modified: 2026-04-20

Underlying weaknesses · 2

  CWE-352 Cross-Site Request Forgery (CSRF)
  CWE-862 Missing Authorization

References

  1. https://github.com/ChurchCRM/CRM/commit/39361628613af7682b813f3e62a412559616d674
  2. https://github.com/ChurchCRM/CRM/pull/8613
  3. https://github.com/ChurchCRM/CRM/security/advisories/GHSA-6qxv-xw9j-77pj


Type     | Target                                     | Confidence | Tier
Weakness | Cross-Site Request Forgery (CSRF) (cwe-352) | 0%         | live
Weakness | Missing Authorization (cwe-862)            | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-44548
  2. CVE-2026-39331
  3. CVE-2026-42289
  4. CVE-2026-39318
  5. CVE-2026-40484
  6. CVE-2026-39341
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.