2 matches found
CVE-2026-39940
ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked 'Cancel' button on the page. For...
CVE-2026-39940
ChurchCRM prior to 7.0.0 exposes an open redirect via the linkBack URL parameter in DonatedItemEditor.php, allowing an authenticated user to be redirected to an attacker‑controlled URL when clicking Cancel. This affects versions before 7.0.0; the issue is fixed in 7.0.0. The CVSS metrics indicate...