Description
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which performs no file extension filtering. An authenticated administrator can upload a crafted backup archive containing a PHP webshell inside the Images/ directory, which is then written to a publicly accessible path and executable via HTTP requests, resulting in remote code execution as the web server user. The restore endpoint also lacks CSRF token validation, enabling exploitation through cross-site request forgery targeting an authenticated administrator. This issue has been fixed in version 7.2.0.
Published: 2026-04-17
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

An authenticated administrator can exploit ChurchCRM’s database restore feature to upload a specially crafted backup archive containing a PHP file. The restoration process copies the archive’s Images/ directory into the web‑accessible document root without filtering file extensions, enabling a PHP web shell to be written and later executed by the web server. The restore endpoint also lacks CSRF protection, so an attacker can trigger the restore through a forged request made by an administrator’s browser. This combination of unrestricted file write and execution in the web server’s context leads to remote code execution and full compromise under the web server’s user privileges. The weakness is reflected by CWE‑434 (Unrestricted Upload of File with Dangerous Type), CWE‑552 (Unrestricted File Transfer) and CWE‑269 (Improper Privilege Management).

Affected Systems

The vulnerability exists in all ChurchCRM Community Edition installations running any version prior to 7.2.0. The affected product is the ChurchCRM web application, version 7.1.x and earlier.

Risk and Exploitability

The issue carries a CVSS base score of 9.1, indicating critical severity. No EPSS score is available, and it is not listed in CISA’s KEV catalog. Exploitation requires the attacker to have access to an authenticated administrator account, but CSRF can be used to abuse that privilege without the admin’s direct interaction. Once executed, the attacker gains arbitrary code execution on the host as the web server user, allowing full system compromise, data exfiltration, and persistence.

Generated by OpenCVE AI on April 18, 2026 at 08:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to version 7.2.0 or later, where the restore functionality now enforces file type validation and requires CSRF tokens.
  • If an upgrade is not immediately possible, temporarily disable the database restore endpoint or restrict upload access so that only non‑executable image files can be processed.
  • Enable or enforce CSRF protection on all administrative actions to prevent forged requests from using an authenticated administrator’s privileges.
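
The two controls the recommended actions describe, an extension allowlist applied while copying the extracted Images/ tree and a CSRF token check on the restore endpoint, can be sketched in PHP as below. This is an added illustration, not ChurchCRM’s code and not the 7.2.0 patch; the function names (isAllowedImageFile, safeCopyImages, issueCsrfToken, verifyCsrfToken) and the $_SESSION['csrf_token'] key are assumptions.

```php
<?php
// Added example: hardened recursive copy plus CSRF check for a restore endpoint.
// All names here are assumptions, not ChurchCRM identifiers.

// Only image types the restore should ever need to write under the web root.
const ALLOWED_IMAGE_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

/**
 * Decide whether one extracted file may be copied into the document root.
 * The name must be a single safe token with exactly one extension, so
 * shell.php, shell.phtml and double extensions such as shell.php.jpg are
 * all refused, and the bytes must decode as an image header.
 */
function isAllowedImageFile(string $path): bool
{
    $name = basename($path);
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m)) {
        return false;
    }
    if (!in_array(strtolower($m[1]), ALLOWED_IMAGE_EXTENSIONS, true)) {
        return false;
    }
    // Content check: getimagesize() returns false for anything that is not an image.
    return @getimagesize($path) !== false;
}

/**
 * Copy $srcDir into $dstDir, keeping only allowlisted image files.
 * Symlinks found in the extracted tree are never followed, so an archive
 * cannot point the copy at locations outside the extraction directory.
 * Returns the relative paths that were skipped, for logging by the caller.
 */
function safeCopyImages(string $srcDir, string $dstDir): array
{
    $srcReal = realpath($srcDir);
    $dstReal = realpath($dstDir);
    if ($srcReal === false || $dstReal === false) {
        throw new RuntimeException('source or destination directory missing');
    }
    $skipped = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($srcReal, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $item) {
        $rel    = substr($item->getPathname(), strlen($srcReal) + 1);
        $target = $dstReal . DIRECTORY_SEPARATOR . $rel;
        if ($item->isLink()) {          // checked before isDir(): a link to a dir is both
            $skipped[] = $rel;
            continue;
        }
        if ($item->isDir()) {
            if (!is_dir($target)) {
                mkdir($target, 0755, true);
            }
            continue;
        }
        if (!isAllowedImageFile($item->getPathname())) {
            $skipped[] = $rel;          // e.g. Images/shell.php never reaches the web root
            continue;
        }
        copy($item->getPathname(), $target);
    }
    return $skipped;
}

/** Issue a per-session CSRF token once; embed it in the restore form. */
function issueCsrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison of the submitted token with the session token. */
function verifyCsrfToken(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? null;
    return is_string($expected) && is_string($submitted)
        && hash_equals($expected, $submitted);
}

// Restore handler sketch (paths are placeholders):
// if (!verifyCsrfToken($_POST['csrf_token'] ?? null)) { http_response_code(403); exit; }
// $skipped = safeCopyImages('/path/to/extracted/Images', '/path/to/docroot/Images');
// error_log('restore skipped ' . count($skipped) . ' non-image file(s)');
```

The extension check deliberately uses an allowlist rather than a denylist of PHP suffixes, since a denylist misses handler-specific variants; the content check is a second layer, not a substitute for it. The skipped list is worth logging, because a backup that contains non-image files under Images/ is itself a signal worth investigating.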

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 23:45:00 +0000

Type         Values Removed   Values Added
Description  -                ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which performs no file extension filtering. An authenticated administrator can upload a crafted backup archive containing a PHP webshell inside the Images/ directory, which is then written to a publicly accessible path and executable via HTTP requests, resulting in remote code execution as the web server user. The restore endpoint also lacks CSRF token validation, enabling exploitation through cross-site request forgery targeting an authenticated administrator. This issue has been fixed in version 7.2.0.
Title        -                ChurchCRM: Authenticated Remote Code Execution via Unrestricted PHP File Write in Database Restore Function
Weaknesses   -                CWE-269, CWE-434, CWE-552
References   -                -
Metrics      -                cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T23:25:06.319Z

Reserved: 2026-04-13T19:50:42.114Z

Link: CVE-2026-40484

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-18T00:16:39.387

Modified: 2026-04-18T00:16:39.387

Link: CVE-2026-40484

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:00:05Z

Weaknesses