SB2026040989 - Multiple vulnerabilities in ChurchCRM
Published: April 9, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Open redirect (CVE-ID: CVE-2026-35578)
The vulnerability allows a remote user to redirect users to an arbitrary external website.
The vulnerability exists due to URL redirection to an untrusted site in DonatedItemEditor.php when handling the user-supplied linkBack URL parameter. A remote user can craft a malicious link to redirect users to an arbitrary external website.
User interaction is required: the victim must be authenticated to the application and must click the Cancel button.
2) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2026-35576)
The vulnerability allows a remote user to execute arbitrary JavaScript in the context of other users.
The vulnerability exists due to cross-site scripting in the Person Property Management subsystem when processing dynamically assigned property values. A remote user can submit a specially crafted property value to execute arbitrary JavaScript in the context of other users.
User interaction is required: another user must view the affected person profile or access the printable view.
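As an added example, not part of this bulletin and not ChurchCRM's own code, the following PHP shows the defensive pattern for both issues: a same-site check for the linkBack return URL from item 1) and output escaping for person property values from item 2). The function names, the fallback page and the sample inputs are assumptions; only the linkBack parameter and DonatedItemEditor.php come from the bulletin.

```php
<?php
// Added example, not ChurchCRM's own code. Only the linkBack parameter and
// DonatedItemEditor.php come from the bulletin; function names, the fallback
// page and the sample inputs are hypothetical.
declare(strict_types=1);
// Open redirect: accept linkBack only as a relative page inside the app
// ("Name.php" plus optional query string); anything else becomes $fallback.
function safeLinkBack(?string $linkBack, string $fallback = 'index.php'): string
{
    if ($linkBack === null || $linkBack === '') {
        return $fallback;
    }
    // Control characters (incl. CR/LF) and backslashes never belong in a
    // legitimate return path; browsers also read "/\host" as "//host".
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $linkBack)) {
        return $fallback;
    }
    // A scheme ("https:", "javascript:") or a host part ("//host") means the
    // target is not this site. parse_url() returning false also fails closed.
    if (parse_url($linkBack, PHP_URL_SCHEME) !== null
        || parse_url($linkBack, PHP_URL_HOST) !== null) {
        return $fallback;
    }
    // Last, allow only the expected shape (\z, not $, so a trailing newline fails).
    if (!preg_match('~^/?[A-Za-z0-9_-]+\.php(\?[^#\s]*)?\z~', $linkBack)) {
        return $fallback;
    }
    return $linkBack;
}
// Stored XSS: a person property value is user-controlled, so it is escaped at
// the HTML sink (profile page and printable view alike), never trusted merely
// because it was read back from the database.
function renderPropertyValue(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
// Constructed inputs showing each decision; the expected result is on the right.
$checks = [
    'DonatedItemEditor.php?id=7'                  => 'DonatedItemEditor.php?id=7',
    'https://evil.example/'                       => 'index.php',
    '//evil.example/'                             => 'index.php',
    '/\\evil.example/'                            => 'index.php',
    "Foo.php\r\nLocation: https://evil.example/"  => 'index.php',
];
foreach ($checks as $in => $want) {
    $got = safeLinkBack($in);
    printf("%-50s -> %s%s\n", json_encode($in), $got, $got === $want ? '' : '  UNEXPECTED');
}
echo renderPropertyValue('<script>x</script>'), "\n";
```

The redirect check is layered on purpose: the shape regex alone would already reject the hostile inputs, but the explicit control-character and parse_url() checks make the intent reviewable and keep the function safe if the allowed shape is later loosened.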
Remediation
Install the update from the vendor's website.