CVE-2026-39940
Open Redirect in ChurchCRM DonatedItemEditor Component
Publication date: 2026-04-13
Last updated on: 2026-04-13
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | to 7.0.0 (exc) |
| churchcrm | crm | to 7.0.5 (inc) |
| churchcrm | crm | 7.1.0 |
| churchcrm | crm | to 7.0.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in ChurchCRM, an open-source church management system, in versions prior to 7.0.0. It allows an attacker to create a link that, when visited by an authenticated user, causes the user to be redirected to any URL chosen by the attacker if the user clicks the 'Cancel' button on certain pages. The example given is the DonatedItemEditor.php page, but the issue affects all instances where the 'linkBack' parameter is used.
How can this vulnerability impact me? :
The vulnerability can lead to an attacker redirecting authenticated users to malicious websites. This could result in phishing attacks, malware distribution, or other malicious activities by exploiting the trust users have in the ChurchCRM application.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade ChurchCRM to version 7.0.0 or later, where the issue has been fixed.
Additionally, review all instances of the 'linkBack' parameter in the application to ensure they do not allow open redirects.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this open redirect vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the 'linkBack' URL parameter in the ChurchCRM/CRM web application, which can be manipulated to redirect authenticated users to arbitrary external URLs. To detect this vulnerability on your system, you can monitor and analyze HTTP requests to the application for suspicious or unexpected 'linkBack' parameter values.
One approach is to capture and inspect web traffic targeting the ChurchCRM application, looking specifically for URLs containing the 'linkBack' parameter with external or untrusted domains.
Suggested commands for detection include using command-line tools like curl or wget to test the behavior of the application with crafted 'linkBack' parameters, and using network traffic analysis tools like tcpdump or Wireshark to monitor live traffic.
- Use curl to test redirection behavior: curl -I 'http://your-churchcrm-instance/DonatedItemEditor.php?linkBack=http://malicious.example.com'
- Use tcpdump to capture HTTP traffic on port 80 or 443: sudo tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep 'linkBack='
- Use grep or similar tools on web server logs to find requests with 'linkBack' parameters pointing to external URLs.