Open redirect in ChurchCRM - CVE-2026-35578


Published: April 9, 2026


Vulnerability identifier: #VU125692
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-35578
CWE-ID: CWE-601
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ChurchCRM
Affected software:
ChurchCRM

Detailed vulnerability description

The vulnerability allows a remote user to redirect users to an arbitrary external website.

The vulnerability exists because DonatedItemEditor.php redirects to an untrusted site based on the user-supplied linkBack URL parameter (CWE-601, URL redirection to untrusted site). A remote user can craft a malicious link that redirects a victim to an arbitrary external website.

User interaction is required to click the Cancel button, and the victim must be authenticated to the application.
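As an added illustration of the defensive check that addresses this class of bug (example code written here, not ChurchCRM's own fix; the parameter name linkBack comes from the advisory, the function names and the fallback page are assumptions), a routine that keeps a "return to" parameter within the application before it reaches a Location header:

```php
<?php
// Added example, not ChurchCRM's code. Requires PHP 8.0+ for str_starts_with/str_contains.

// Vulnerable pattern (CWE-601): the user-supplied value is used verbatim,
// so any absolute URL the victim is lured into clicking is honoured.
function redirectTargetUnsafe(string $linkBack): string
{
    return $linkBack; // later used as header('Location: ' . $linkBack)
}

// Hardened pattern: accept only a path inside this application; anything
// else is replaced by a fixed default page (assumed to be index.php).
function sanitizeLinkBack(?string $linkBack, string $default = 'index.php'): string
{
    if ($linkBack === null || trim($linkBack) === '') {
        return $default;
    }
    // Reject anything with a scheme ("https:", "javascript:", ...), the
    // protocol-relative "//host" form, and backslashes, which some browsers
    // normalise to "/" and so turn "/\host" into "//host".
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $linkBack)
        || str_starts_with($linkBack, '//')
        || str_contains($linkBack, '\\')) {
        return $default;
    }
    // Control characters could split the response header.
    if (preg_match('/[\x00-\x1f\x7f]/', $linkBack)) {
        return $default;
    }
    // Final structural check: parse_url must see a path only, no host/scheme.
    $parts = parse_url($linkBack);
    if ($parts === false || isset($parts['host']) || isset($parts['scheme'])) {
        return $default;
    }
    return $linkBack;
}

// Constructed inputs for demonstration; the first two are kept, the rest fall back.
$cases = [
    'DonatedItemEditor.php?ID=1',
    '/DonatedItemEditor.php?ID=1',
    'https://example.org/',
    '//example.org/',
    '/\\example.org/',
    "/ok\r\nSet-Cookie: a=b",
];
foreach ($cases as $c) {
    printf("%-32s -> %s\n", json_encode($c), sanitizeLinkBack($c));
}
```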


How to mitigate CVE-2026-35578

Install the security update from the vendor's website.

Sources