Open redirect in ChurchCRM - CVE-2026-39940

Published: May 5, 2026


Vulnerability identifier: #VU129699
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-39940
CWE-ID: CWE-601
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ChurchCRM
Affected software: ChurchCRM

Detailed vulnerability description

The vulnerability allows a remote attacker to redirect users to an untrusted site.

The vulnerability exists because the application redirects to the URL supplied in the linkBack parameter without validating that it points to a trusted site. A remote attacker can supply a crafted linkBack value to redirect users to an untrusted site.
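The defensive pattern behind fixing a CWE-601 issue of this kind is to treat a "return to" parameter such as linkBack as untrusted and only honour it when it resolves to a site-local path. The following is an added illustration in Python, not ChurchCRM's code and not the vendor's patch; the function names, the default landing page "/" and the sample query strings are assumptions made for the example. It rejects absolute URLs, scheme-relative targets (//host), the backslash variant (/\host) that browsers normalise to //host, percent-encoded forms of the same, and CRLF sequences that would otherwise reach a Location header.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical fallback page used when linkBack cannot be trusted
DEFAULT_TARGET = "/"


def safe_redirect_target(link_back, default=DEFAULT_TARGET):
    """Return link_back only if it is a site-absolute local path, else default.

    Both the raw value and its percent-decoded form are checked, because some
    web stacks decode the value once more before emitting the redirect.
    """
    if not isinstance(link_back, str) or not link_back:
        return default
    candidate = link_back.strip()
    for form in (candidate, unquote(candidate)):
        # Control characters (including CR/LF) must never reach a Location header
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in form):
            return default
        parts = urlsplit(form)
        # Any scheme (http:, javascript:, ...) or any host (//evil.example) is off-site
        if parts.scheme or parts.netloc:
            return default
        # Require a site-absolute path; bare "page.php" is ambiguous, so reject it
        if not form.startswith("/"):
            return default
        # "//host" and "/\host" are interpreted as host-relative by browsers
        if len(form) > 1 and form[1] in "/\\":
            return default
    return candidate


def location_for(query_string):
    """Compute the Location header value for a request carrying ?linkBack=...

    Constructed example of the request-handling side: the vulnerable pattern
    would return the linkBack value unchanged; this version validates it.
    """
    link_back = parse_qs(query_string).get("linkBack", [""])[0]
    return safe_redirect_target(link_back)


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory
    for sample in ("/Members.php?id=1", "https://evil.example/", "//evil.example/x",
                   "/\\evil.example", "javascript:alert(1)", "/%2F%2Fevil.example"):
        print(f"{sample!r:32} -> {safe_redirect_target(sample)!r}")
```

The allow-list approach (accept only what is provably local) is preferable to a deny-list of known-bad prefixes, since browsers normalise more URL shapes than a filter is likely to enumerate; logging the rejected values is also a cheap way to spot probing of the parameter.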


How to mitigate CVE-2026-39940

Install the security update from the vendor's website.

Sources