CVE-2026-44548

Summary

ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php causes a logged-in ChurchCRM user with the relevant role to silently delete records, including cascaded property and record-to-property assignments. This vulnerability is fixed in 7.3.2.

Affected Software

VendorProductVersion RangeStatus
ChurchCRMCRM< 7.3.2affected

Weaknesses

  • CWE-352: CWE-352: Cross-Site Request Forgery (CSRF)
  • CWE-650: CWE-650: Trusting HTTP Permission Methods on the Server Side

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References