Server-Side Request Forgery (SSRF) in ChurchCRM - CVE-2026-35572


Published: May 5, 2026


Vulnerability identifier: #VU129701
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-35572
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: ChurchCRM
Affected software:
ChurchCRM

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information and cause limited integrity and availability impacts.

The vulnerability exists due to server-side request forgery (SSRF) in DonationFundEditor.php when processing a crafted Referer header. A remote privileged user can send a specially crafted request with a full URL in the Referer header to disclose sensitive information and cause limited integrity and availability impacts.

The server issues an outbound HTTP or HTTPS request to the supplied host, and other endpoints may also be affected if they share the same middleware or logging path.
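As an added example (not from the advisory or the ChurchCRM project), the Python below scans web-server access logs for requests to the affected endpoint whose Referer is an absolute URL pointing at a host other than the site's own, which is the request shape the advisory describes. The "combined" log format, the site hostname crm.example.org, the endpoint path and the sample log lines are assumptions or constructed data; extend WATCHED_PATHS if other endpoints share the same middleware.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" access-log format (assumed; adjust for other formats).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

SITE_HOSTS = {"crm.example.org"}              # assumed: the CRM's own hostname(s)
WATCHED_PATHS = {"/DonationFundEditor.php"}   # endpoint named in the advisory


def referer_is_foreign(referer: str) -> bool:
    """True when the Referer is an absolute URL whose host is not one of ours."""
    if referer in ("", "-"):
        return False                          # absent Referer: ordinary, nothing to flag
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return False                          # path-only Referer carries no foreign host
    host = (parts.hostname or "").lower()
    return host not in SITE_HOSTS


def find_suspicious(lines):
    """Return one record per watched-endpoint request that carried a foreign Referer."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # skip lines that are not in combined format
        path = urlsplit(m["path"]).path       # drop the query string before matching
        if path in WATCHED_PATHS and referer_is_foreign(m["referer"]):
            hits.append({"client": m["client"], "user": m["user"], "time": m["time"],
                         "path": path, "referer_host": urlsplit(m["referer"]).hostname})
    return hits


# Constructed sample log: only the second line should be flagged.
SAMPLE_LOG = """\
10.0.0.5 - admin [05/May/2026:10:00:01 +0000] "POST /DonationFundEditor.php?FundID=3 HTTP/1.1" 302 0 "https://crm.example.org/DonationFundEditor.php" "Mozilla/5.0"
10.0.0.5 - admin [05/May/2026:10:00:07 +0000] "POST /DonationFundEditor.php HTTP/1.1" 302 0 "http://collector.example.net/hook" "Mozilla/5.0"
10.0.0.8 - - [05/May/2026:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 512 "http://collector.example.net/hook" "Mozilla/5.0"
10.0.0.5 - admin [05/May/2026:10:00:12 +0000] "POST /DonationFundEditor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - admin [05/May/2026:10:00:15 +0000] "POST /DonationFundEditor.php HTTP/1.1" 302 0 "/DonationFundEditor.php" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print(hit)
```

A foreign Referer on its own is not proof of exploitation; correlate the flagged request with egress logs showing the server's outbound connection to the same host.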


How to mitigate CVE-2026-35572

Install the security update from the vendor's website.

Sources