CVE-2026-39940
Received Received - Intake
Open Redirect in ChurchCRM DonatedItemEditor Component

Publication date: 2026-04-13

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked 'Cancel' button on the page. For this write-up the DonatedItemEditor.php will be used as an example, however wherever all instances of 'linkBack' should be assessed. This vulnerability is fixed in 7.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39940
EUVD
EUVD-2026-22011
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
churchcrm churchcrm to 7.0.0 (exc)
churchcrm crm to 7.0.5 (inc)
churchcrm crm 7.1.0
churchcrm crm to 7.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in ChurchCRM, an open-source church management system, in versions prior to 7.0.0. It allows an attacker to create a link that, when visited by an authenticated user, causes the user to be redirected to any URL chosen by the attacker if the user clicks the 'Cancel' button on certain pages. The example given is the DonatedItemEditor.php page, but the issue affects all instances where the 'linkBack' parameter is used.

Impact Analysis

The vulnerability can lead to an attacker redirecting authenticated users to malicious websites. This could result in phishing attacks, malware distribution, or other malicious activities by exploiting the trust users have in the ChurchCRM application.

Mitigation Strategies

To mitigate this vulnerability, upgrade ChurchCRM to version 7.0.0 or later, where the issue has been fixed.

Additionally, review all instances of the 'linkBack' parameter in the application to ensure they do not allow open redirects.

Compliance Impact

The provided information does not specify any direct impact of this open redirect vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the 'linkBack' URL parameter in the ChurchCRM/CRM web application, which can be manipulated to redirect authenticated users to arbitrary external URLs. To detect this vulnerability on your system, you can monitor and analyze HTTP requests to the application for suspicious or unexpected 'linkBack' parameter values.

One approach is to capture and inspect web traffic targeting the ChurchCRM application, looking specifically for URLs containing the 'linkBack' parameter with external or untrusted domains.

Suggested commands for detection include using command-line tools like curl or wget to test the behavior of the application with crafted 'linkBack' parameters, and using network traffic analysis tools like tcpdump or Wireshark to monitor live traffic.

  • Use curl to test redirection behavior: curl -I 'http://your-churchcrm-instance/DonatedItemEditor.php?linkBack=http://malicious.example.com'
  • Use tcpdump to capture HTTP traffic on port 80 or 443: sudo tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep 'linkBack='
  • Use grep or similar tools on web server logs to find requests with 'linkBack' parameters pointing to external URLs.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39940. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart