CVE Alert

CVE-2026-40484

CRITICAL 9.1

ChurchCRM: Authenticated Remote Code Execution via Unrestricted PHP File Write in Database Restore Function

CVSS Score: 9.1
EPSS Score: 0.0%
EPSS Percentile: 0th

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which performs no file extension filtering. An authenticated administrator can upload a crafted backup archive containing a PHP webshell inside the Images/ directory; the file is then written to a publicly accessible path where it can be executed via HTTP requests, resulting in remote code execution as the web server user. The restore endpoint also lacks CSRF token validation, enabling exploitation through cross-site request forgery targeting an authenticated administrator. This issue has been fixed in version 7.2.0.
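To illustrate the missing control, here is a restricted copy routine for the Images/ restore step, written as an added example for this alert and not the project's own code or its actual 7.2.0 fix; the function names, directory paths and the extension/MIME allowlist are assumptions. A file is copied only if its name has a single allowlisted extension and its bytes decode as that image type; symlinks and everything else (for example Images/shell.php) are reported instead of copied.

```php
<?php
// Added example, not ChurchCRM's code. Copies a restored Images/ tree into the
// document root, but only files that both look like and decode as images.
// The allowlist and the paths passed by the caller are assumptions.

const ALLOWED_IMAGE_MIME = [
    'image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif', 'image/webp' => 'webp',
];

function safeImageName(string $name): bool
{
    // Exactly one dot and no leading dot, so "shell.php.jpg" and ".htaccess"
    // are both refused; the single extension must be in the allowlist.
    if ($name === '' || $name[0] === '.' || substr_count($name, '.') !== 1) {
        return false;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_IMAGE_MIME, true);
}

function decodesAsImage(string $path): bool
{
    // Check the bytes, not just the name: the file must parse as an allowed image type.
    $info = @getimagesize($path);
    return $info !== false && isset(ALLOWED_IMAGE_MIME[$info['mime']]);
}

function copyImagesOnly(string $srcDir, string $dstDir, array &$rejected): int
{
    $copied = 0;
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($srcDir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $item) {
        $rel    = $it->getSubPathname();
        $target = $dstDir . DIRECTORY_SEPARATOR . $rel;
        if ($item->isLink()) {
            $rejected[] = $rel;        // a link could point outside the archive
        } elseif ($item->isDir()) {
            if (!is_dir($target)) { mkdir($target, 0750, true); }
        } elseif (safeImageName($item->getFilename()) && decodesAsImage($item->getPathname())) {
            copy($item->getPathname(), $target);
            $copied++;
        } else {
            $rejected[] = $rel;        // e.g. Images/shell.php is logged, never written
        }
    }
    return $copied;
}
```

The $rejected list is what a restore handler should log and surface to the administrator, since a backup that carries executable files under Images/ is itself a signal worth investigating.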

CWE: CWE-269, CWE-434, CWE-552
Vendor: churchcrm
Product: crm
Published: Apr 17, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

ChurchCRM / CRM: < 7.2.0

References

GitHub advisory: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-2932-77f9-62fx
Fix pull request: https://github.com/ChurchCRM/CRM/pull/8610
Fix commit: https://github.com/ChurchCRM/CRM/commit/68be1d12bc4cc1429575ae797ef05efe47030d39