#VU125692 Open redirect in ChurchCRM - CVE-2026-35578


Published: April 9, 2026


Vulnerability identifier: #VU125692
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-35578
CWE-ID: CWE-601
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: ChurchCRM
Software vendor: ChurchCRM

Description

The vulnerability allows a remote user to redirect users to an arbitrary external website.

The vulnerability exists due to URL redirection to an untrusted site in DonatedItemEditor.php when handling the user-supplied linkBack URL parameter. A remote user can craft a malicious link to redirect users to an arbitrary external website.

User interaction is required to click the Cancel button, and the victim must be authenticated to the application.
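As an added, defensive illustration (not ChurchCRM's code, and not the vendor's fix; the application host, the default path and the function name are assumptions), the following validator accepts a linkBack-style value only when it stays on the application's own origin, which is the standard mitigation for CWE-601:

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed example of validating a "linkBack"-style redirect parameter.
# Hypothetical helper; the fallback target "/" is an assumption.
DEFAULT_TARGET = "/"


def safe_redirect_target(link_back, app_host, default=DEFAULT_TARGET):
    """Return a redirect target that stays on app_host, else the default.

    Accepted inputs:
      * a relative path starting with exactly one '/' (not '//' or '/\\'), or
      * an absolute http(s) URL whose host (and port) equal app_host.
    Anything else (other hosts, other schemes, userinfo tricks, empty or
    control-character input) is replaced by the default, so the Cancel
    link can never leave the site.
    """
    if not link_back:
        return default
    candidate = link_back.strip()
    # Some browsers treat '\' like '/', so normalise it before any checks.
    candidate = candidate.replace("\\", "/")
    # Whitespace or control characters are never part of a legitimate target.
    if any(ord(ch) < 0x20 or ch in " \x7f" for ch in candidate):
        return default
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: keep it only if it is a plain absolute path.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    if parts.scheme.lower() in ("http", "https") and parts.hostname:
        try:
            port = parts.port  # raises ValueError for a malformed port
        except ValueError:
            return default
        host = parts.hostname.lower()
        if port:
            host = f"{host}:{port}"
        if host == app_host.lower():
            # Re-emit as a relative path so scheme and host cannot be spoofed.
            return urlunsplit(("", "", parts.path or "/", parts.query, ""))
    return default
```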


Remediation

Install security update from vendor's website.

External links