CVE-2026-39940

| EUVD-2026-22011 MEDIUM
2026-04-13 GitHub_M
Open Redirect PHP
5.3
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
patch_available
Apr 16, 2026 - 05:29 EUVD
7.0.0
Analysis Generated
Apr 15, 2026 - 12:47 vuln.today

DescriptionNVD

ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked 'Cancel' button on the page. For this write-up the DonatedItemEditor.php will be used as an example, however wherever all instances of 'linkBack' should be assessed. This vulnerability is fixed in 7.0.0.

AnalysisAI

Open redirect vulnerability in ChurchCRM prior to 7.0.0 allows authenticated users to be redirected to arbitrary URLs via malicious 'linkBack' parameters across multiple application pages, including DonatedItemEditor.php. An attacker can craft a link embedding an attacker-controlled URL that executes when a victim clicks the 'Cancel' button, enabling phishing and credential harvesting attacks. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-39940 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy