Home / Vulnerability Intelligence / CVE-2026-44548

CVE-2026-44548 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: May 13, 2026

ChurchCRM - Cross-Site Request Forgery

Published: May 12, 2026Updated: May 13, 2026Remote Exploitable

Overview

ChurchCRM < 7.3.2 contains a cross-site request forgery caused by top-level cross-site GET navigation to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php, letting attackers cause logged-in users with relevant roles to silently delete records.

Severity & Score

Severity: High

CVSS Score: 8.1

Impact

Attackers can cause deletion of records by tricking logged-in users with relevant roles, leading to data loss and integrity issues.

Mitigation

Update to version 7.3.2 or later.

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-jx5r-p82p-2p8m

Related Resources

Details

CVE ID: CVE-2026-44548
Severity: High
CVSS Score: 8.1
Type: cross_site_request_forgery
Status: rejected

CWE

CWE-352

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H