CVE-2026-40484
Received Received - Intake
Remote Code Execution via Backup Restore in ChurchCRM

Publication date: 2026-04-18

Last updated on: 2026-04-18

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which performs no file extension filtering. An authenticated administrator can upload a crafted backup archive containing a PHP webshell inside the Images/ directory, which is then written to a publicly accessible path and executable via HTTP requests, resulting in remote code execution as the web server user. The restore endpoint also lacks CSRF token validation, enabling exploitation through cross-site request forgery targeting an authenticated administrator. This issue has been fixed in version 7.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-18
Last Modified
2026-04-18
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40484
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
churchcrm churchcrm to 7.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-552 The product makes files or directories accessible to unauthorized actors, even though they should not be.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability involves an authenticated administrator uploading a crafted backup archive containing a PHP webshell into the Images/ directory, which is then copied to a web-accessible location and executable via HTTP requests.

To detect this vulnerability on your system, you can check for unexpected PHP files in the web-accessible directories, especially within or under the Images/ directory.

  • Search for PHP files in the Images/ directory or its subdirectories: find /path/to/webroot/Images -type f -name '*.php'
  • Check web server access logs for suspicious HTTP requests to PHP files in the Images/ directory.
  • Verify the version of ChurchCRM installed; versions prior to 7.2.0 are vulnerable.

Note that exploitation requires authenticated administrator access, so monitoring for unusual administrator activity or CSRF attempts may also help.

Executive Summary

This vulnerability exists in ChurchCRM versions prior to 7.2.0 in the database backup restore functionality. An authenticated administrator can upload a crafted backup archive containing a PHP webshell inside the Images/ directory. The restore process extracts and copies these files into a web-accessible directory without filtering file extensions, allowing the webshell to be placed in a publicly accessible path. Because the webshell is executable via HTTP requests, this leads to remote code execution as the web server user. Additionally, the restore endpoint lacks CSRF token validation, enabling exploitation through cross-site request forgery targeting an authenticated administrator.

Impact Analysis

This vulnerability can have severe impacts including allowing an attacker with administrator access to execute arbitrary code on the web server remotely. This can lead to full compromise of the server, unauthorized access to sensitive data, modification or deletion of data, and potential further attacks on the network. The lack of CSRF protection increases the risk by allowing attackers to trick administrators into triggering the exploit.

Mitigation Strategies

To mitigate this vulnerability, upgrade ChurchCRM to version 7.2.0 or later, where the issue has been fixed.

Additionally, restrict access to the backup restore functionality to trusted administrators only and monitor for any suspicious file uploads or unexpected PHP files in the web-accessible directories.

Compliance Impact

This vulnerability allows an authenticated administrator to upload a malicious PHP webshell that can be executed remotely, leading to remote code execution on the web server. Such unauthorized access and control over the system can lead to compromise of sensitive data.

Because the vulnerability results in potential unauthorized access and control over data, it could negatively impact compliance with data protection standards and regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Additionally, the lack of CSRF token validation increases the risk of exploitation, further undermining security controls required by these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40484. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart