Open Redirect in ChurchCRM CRM

CVE-2026-39940

ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an…

Vulnerability class: Open Redirect

EPSS: 0.000 (4.1th percentile)
