CVE-2026-40581 - Vulnerability Analysis
Severity: High | CVSS: 8.1 | Last Updated: April 18, 2026
ChurchCRM - Cross Site Request Forgery
Overview
ChurchCRM versions before 7.2.0 contain a cross-site request forgery (CSRF) vulnerability: the family record deletion endpoint does not validate a CSRF token and performs the deletion in response to a plain GET request. An attacker who gets an authenticated administrator to load a crafted URL (a link, or an image or frame on a page the administrator visits) can cause irreversible deletion of family data. The attacker needs no account of their own; the precondition is that the victim is a logged-in administrator whose browser sends the session cookie with the forged request.
Severity & Score
Impact
An attacker who can make a logged-in administrator's browser request the deletion endpoint can delete family records and all associated data. The deletion is permanent, so the result is data loss that the application cannot undo (recovery is only from backups) and disruption of the church's records.
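The mechanism described above, as an added example that is not ChurchCRM's code: a Python model of a family deletion endpoint with the pre-7.2.0 behaviour (any request carrying an admin session deletes the record, GET included, no token) beside a hardened version that refuses non-POST requests, checks the Origin header and validates a session-bound CSRF token. The request and session shapes, the parameter names FamilyID and csrf_token, the origin church.example and the HMAC token scheme are assumptions for illustration; the real endpoint's parameters and the exact fix shipped in 7.2.0 are not stated on this page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed stand-ins for server state (assumptions, not ChurchCRM code).
SERVER_SECRET = secrets.token_bytes(32)                 # per-deployment secret
SITE_ORIGIN = "https://church.example"                  # assumed deployment origin
SESSIONS: Dict[str, str] = {"sess-admin-1": "Admin"}    # session cookie -> role


@dataclass
class Request:
    method: str
    params: Dict[str, str]
    session_id: Optional[str] = None   # cookie the browser attaches automatically
    origin: Optional[str] = None       # Origin header (None when the browser omits it)


@dataclass
class FamilyStore:
    families: Dict[int, str] = field(default_factory=dict)

    def delete(self, family_id: int) -> None:
        # Models the advisory's "permanent, irreversible" delete: no soft-delete, no undo.
        self.families.pop(family_id, None)


def csrf_token_for(session_id: str) -> str:
    """Session-bound token: HMAC(secret, session id). A cross-site page cannot
    produce it because it never sees the secret or the victim's session id."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_select_delete(req: Request, store: FamilyStore) -> str:
    """Pre-7.2.0 behaviour as the advisory describes it: an admin session is the
    only check, so a GET triggered from any site deletes the record."""
    if SESSIONS.get(req.session_id or "") != "Admin":
        return "forbidden"
    store.delete(int(req.params["FamilyID"]))   # parameter name is an assumption
    return "deleted"


def hardened_select_delete(req: Request, store: FamilyStore) -> str:
    """Same operation with the checks a destructive endpoint needs."""
    if SESSIONS.get(req.session_id or "") != "Admin":
        return "forbidden"
    if req.method != "POST":                         # never change state on GET
        return "method_not_allowed"
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return "bad_origin"                          # cross-site browser request
    expected = csrf_token_for(req.session_id)
    supplied = req.params.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):  # constant-time comparison
        return "bad_token"
    store.delete(int(req.params["FamilyID"]))
    return "deleted"


def simulate_csrf_attack(handler) -> Tuple[str, bool]:
    """Victim admin loads an attacker page; the browser fires a cross-site GET
    to the endpoint with the session cookie attached. Returns the handler's
    result and whether family 7 survived."""
    store = FamilyStore({7: "Smith family"})
    forged = Request(method="GET", params={"FamilyID": "7"},
                     session_id="sess-admin-1", origin="https://attacker.example")
    return handler(forged, store), 7 in store.families


def legitimate_delete() -> Tuple[str, bool]:
    """The admin submits the real form: POST, same origin, valid token."""
    store = FamilyStore({7: "Smith family"})
    req = Request(method="POST",
                  params={"FamilyID": "7",
                          "csrf_token": csrf_token_for("sess-admin-1")},
                  session_id="sess-admin-1", origin=SITE_ORIGIN)
    return hardened_select_delete(req, store), 7 in store.families


if __name__ == "__main__":
    print("vulnerable:", simulate_csrf_attack(vulnerable_select_delete))
    print("hardened:  ", simulate_csrf_attack(hardened_select_delete))
    print("legitimate:", legitimate_delete())
```

The Origin check alone is not enough, because some requests legitimately carry no Origin header; the token is what actually binds the request to the session. Marking the session cookie SameSite=Lax is a further layer that stops the cookie from being attached to most cross-site navigations, but it does not replace the token either.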
Mitigation
Update to version 7.2.0 or later.
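Before or alongside the update, a practitioner will want to know whether the endpoint was already hit from a foreign page. The following is an added example, not a ChurchCRM tool: it scans web server access logs in the Apache/nginx combined format for GET requests to SelectDelete.php (the endpoint named in the posts below) whose Referer is absent or belongs to another host. The sample log lines are constructed; the hostname church.example, the FamilyID parameter and the 302 response are assumptions about the deployment.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

SITE_HOST = "church.example"   # assumed hostname of the ChurchCRM instance

# Constructed sample lines in Apache/nginx "combined" format; not real traffic.
# The FamilyID parameter and the 302 status are assumptions about the endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Apr/2026:10:01:02 +0000] "GET /SelectDelete.php?FamilyID=12 HTTP/1.1" 302 0 "https://church.example/FamilyView.php?FamilyID=12" "Mozilla/5.0"
203.0.113.5 - - [18/Apr/2026:10:04:17 +0000] "GET /SelectDelete.php?FamilyID=13 HTTP/1.1" 302 0 "https://attacker.example/newsletter.html" "Mozilla/5.0"
198.51.100.9 - - [18/Apr/2026:10:05:40 +0000] "GET /SelectDelete.php?FamilyID=14 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Apr/2026:10:06:01 +0000] "GET /FamilyView.php?FamilyID=15 HTTP/1.1" 200 5120 "https://church.example/FamilyList.php" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields; None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Return a reason for a suspicious hit on the deletion endpoint, or None.

    Before 7.2.0 legitimate deletions also arrived as GET, so the method alone
    proves nothing; the signal is where the browser says the request came from."""
    if entry["method"] != "GET":
        return None
    if urlsplit(entry["path"]).path.lower() != "/selectdelete.php":
        return None
    referer = entry["referer"]
    if referer in ("-", ""):
        return "no_referer"          # weak: Referrer-Policy or privacy tools strip it too
    if urlsplit(referer).hostname != SITE_HOST:
        return "cross_site_referer"  # strong: a page on another host triggered the delete
    return None


def hunt(log_text: str) -> List[Dict[str, str]]:
    """Return the suspicious entries, in log order, with the reason attached."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append({"ip": entry["ip"], "ts": entry["ts"], "path": entry["path"],
                         "referer": entry["referer"], "reason": reason})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(h["reason"], h["ts"], h["ip"], h["path"], h["referer"])
```

A same-site Referer does not prove the request was legitimate, and a missing one does not prove it was forged, so treat the no_referer hits as leads to cross-check against the administrator's own activity. If the server logs the Sec-Fetch-Site request header, a value of cross-site on a hit to this endpoint is a cleaner signal than the Referer.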
References
Social Media Activity (2 posts)
CVE-2026-40581 - High (8.1) ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data via a plain GET request wi... https://www.thehackerwire.com/vulnerability/CVE-2026-40581/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Related Resources
Details
- CVE ID: CVE-2026-40581
- Severity: High
- CVSS Score: 8.1
- Type: cross_site_request_forgery
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-352 (Cross-Site Request Forgery)
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Decoded: network attack vector, low attack complexity, no privileges required, user interaction required, scope unchanged; no confidentiality impact, high integrity impact, high availability impact. PR:N reflects that the attacker needs no ChurchCRM account; UI:R is the administrator loading the crafted page. These metrics give the 8.1 base score listed above.