SSRF in Churchcrm Crm

CVE-2026-35572

ChurchCRM is an open-source church management system. Prior to 6.5.3, it is possible to trigger server-side HTTP/HTTPS requests to arbitrary hosts (SSRF) by supplying a crafted URL in the Referer request header. The server subsequently mak…

Vulnerability class: SSRF (Server-Side Request Forgery)
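The weakness described above is a server-side fetch of a URL taken from an attacker-controlled request header. The usual mitigation is to treat any client-supplied URL as untrusted input: accept only http(s), refuse credentials in the URL, require the host to be on an allow-list, and verify that every address the host resolves to is publicly routable so that loopback, RFC 1918 and link-local targets are refused even when DNS is under attacker control. The following Python is an added illustration of that check; it is not ChurchCRM's code and not the 6.5.3 fix, and the allow-listed host names and the offline resolver used in the demo are constructed for this example.

```python
"""Allow-list and address-range checks for a server-side fetch of a
client-supplied URL (for instance one taken from a Referer header).

Added example, not ChurchCRM code: the host names below are constructed.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allow-list: the only hosts this service may contact on a
# caller's behalf. Anything else, including literal IPs, is refused.
ALLOWED_HOSTS = frozenset({"example.org", "www.example.org"})


def resolve_all(hostname):
    """Default resolver: every A/AAAA address for hostname (needs network)."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def is_safe_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_all):
    """Return True only if url is http(s), carries no credentials, names an
    allow-listed host, and every address that host resolves to is publicly
    routable (no loopback, RFC 1918, link-local, multicast or reserved ranges).

    A DNS failure or an unparsable URL returns False, so the check fails closed.
    """
    try:
        parts = urlsplit(url)
        parts.port  # raises ValueError for a malformed or out-of-range port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        # user@host forms are a classic way to confuse URL parsers; refuse them.
        return False
    # urlsplit already lower-cases the host; drop a trailing dot as well.
    host = (parts.hostname or "").rstrip(".")
    if host not in allowed_hosts:
        return False
    try:
        # A literal IP on the allow-list still has to pass the range check.
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addrs = set(resolver(host))
        except OSError:
            return False
    if not addrs:
        return False
    return all(ipaddress.ip_address(a).is_global for a in addrs)


def offline_resolver(hostname):
    """Constructed resolver for the demo and tests: fixed public addresses."""
    table = {
        "example.org": {"93.184.216.34"},
        "www.example.org": {"93.184.216.34", "2606:4700::1111"},
    }
    if hostname not in table:
        raise OSError("constructed NXDOMAIN for " + hostname)
    return table[hostname]


if __name__ == "__main__":
    for candidate in (
        "https://example.org/path",          # allow-listed, public: accepted
        "http://127.0.0.1/",                 # literal loopback: refused
        "http://example.org@10.0.0.5/",      # credentials hide the real host: refused
        "ftp://example.org/",                # wrong scheme: refused
        "http://example.org.attacker.test/", # not on the allow-list: refused
    ):
        print(candidate, "->", is_safe_outbound_url(candidate, resolver=offline_resolver))
```

Two caveats a practitioner should keep in mind when wiring this into a real fetch. First, checking DNS and then letting the HTTP client resolve the name again is a time-of-check/time-of-use gap (DNS rebinding); connect to the vetted address directly or re-validate the resolved address at connect time. Second, redirects must not be followed blindly: every `Location` the client is about to follow needs the same check, since the allow-listed host may redirect to an internal one.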

EPSS: 0.001 (20.2nd percentile)

Affected products

Weakness classification (CWE)

References