Description
This CVE is a duplicate of another CVE.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39940. Reason: This candidate is a reservation duplicate of CVE-2026-39940. Notes: All CVE users should reference CVE-2026-39940 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Published: 2026-04-07
Score: n/a
EPSS: n/a
KEV: No
Impact: Open Redirect via linkBack URL parameter
Action: Patch Upgrade
AI Analysis

Impact

The flaw allows an authenticated user to be redirected to an arbitrary URL when clicking a cancel button on pages such as DonatedItemEditor.php. By manipulating the unsanitised linkBack parameter, an attacker can craft links that, when followed by a logged‑in user, send them to malicious or phishing destinations. While the vulnerability does not provide direct code execution or data theft, it increases the risk of credential theft or other social‑engineering attacks targeting church staff and members.

Affected Systems

ChurchCRM, the open‑source church management system, is affected in all releases before version 7.0.0. The issue exists wherever the linkBack parameter is used, including the DonatedItemEditor component and similar pages.

Risk and Exploitability

The scoring indicates moderate severity. Exploitation requires an authenticated user session; the attacker merely supplies a malicious URL through the linkBack parameter, which is then executed when the user interacts with the cancel action. The attack is straightforward and could be leveraged in phishing campaigns against church staff or congregants.

Generated by OpenCVE AI on April 7, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to version 7.0.0 or later, which fixes the open‑redirect flaw.
  • Remove or neutralise the unused linkBack parameter in application workflows.
  • Verify that no other pages expose the same parameter pattern before deployment.
  • Implement monitoring to detect unexpected redirects originating from trusted users.

Generated by OpenCVE AI on April 7, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References

No reference.

History

Mon, 13 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-601
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}

Mon, 13 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Title ChurchCRM has an Open Redirect via the ‘linkBack’ URL Parameter in DonatedItemEditor.php
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked 'Cancel' button on the page. For this write-up the DonatedItemEditor.php will be used as an example, however wherever all instances of 'linkBack' should be assessed. This vulnerability is fixed in 7.0.0. This CVE is a duplicate of another CVE.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39940. Reason: This candidate is a reservation duplicate of CVE-2026-39940. Notes: All CVE users should reference CVE-2026-39940 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

 cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}

Thu, 09 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Churchcrm
Churchcrm churchcrm
Vendors & Products Churchcrm
Churchcrm churchcrm

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked 'Cancel' button on the page. For this write-up the DonatedItemEditor.php will be used as an example, however wherever all instances of 'linkBack' should be assessed. This vulnerability is fixed in 7.0.0.
Title ChurchCRM has an Open Redirect via the ‘linkBack’ URL Parameter in DonatedItemEditor.php
Weaknesses CWE-601
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Churchcrm Churchcrm
cve-icon MITRE

Status: REJECTED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T16:35:54.049Z

Reserved: 2026-04-03T20:09:02.827Z

Link: CVE-2026-35578

cve-icon Vulnrichment

Updated:

cve-icon NVD

Status : Rejected

Published: 2026-04-07T17:16:33.133

Modified: 2026-04-13T17:16:28.780

Link: CVE-2026-35578

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:24:09Z

Weaknesses

No weakness.