Skip to main content

PHP CVE-2026-40581

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-18 security-advisories@github.com
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 20, 2026 - 19:07 vuln.today
cvss_changed
Analysis Generated
Apr 18, 2026 - 00:39 vuln.today
Analysis Generated
Apr 18, 2026 - 00:22 vuln.today
CVE Published
Apr 18, 2026 - 00:16 nvd
HIGH 8.1

DescriptionGitHub Advisory

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An attacker can craft a malicious page that, when visited by an authenticated administrator, silently triggers deletion of targeted family records including associated notes, pledges, persons, and property data without any user interaction. This issue has been fixed in version 7.2.0.

AnalysisAI

Cross-Site Request Forgery (CSRF) in ChurchCRM versions before 7.2.0 allows remote attackers to permanently delete family records and all associated data (notes, pledges, persons, property) through the SelectDelete.php endpoint. The endpoint executes irreversible deletions via unauthenticated GET requests without CSRF token validation, requiring only that an authenticated administrator visit a malicious page. Attackers can weaponize this via phishing emails or malicious websites to trigger silent data destruction. Fixed in version 7.2.0 via PR #8613 and commit 3936162. No KEV listing or public POC identified at time of analysis, though exploitation is trivial given the simplicity of CSRF attacks against GET endpoints.

Technical ContextAI

ChurchCRM is a PHP-based open-source church management system. The vulnerability stems from CWE-352 (Cross-Site Request Forgery), a classic state-changing operation performed via GET request without anti-CSRF tokens. The SelectDelete.php endpoint accepts deletion commands through URL parameters alone, violating secure coding practices that mandate POST requests and unpredictable tokens for destructive operations. When a browser loads a resource (image tag, iframe, script) pointing to the vulnerable endpoint with crafted parameters, it automatically sends the administrator's session cookies, causing the server to authenticate and execute the deletion. This architectural flaw is common in legacy PHP applications predating widespread CSRF protection frameworks. The CVSS vector AV:N/AC:L/PR:N/UI:R indicates network-accessible exploitation with low complexity, requiring no authentication from the attacker (PR:N) but requiring user interaction (UI:R) - the victim admin must visit the malicious page while authenticated to ChurchCRM.

Affected ProductsAI

ChurchCRM versions prior to 7.2.0 are affected. ChurchCRM is a PHP-based church management system distributed via GitHub at ChurchCRM/CRM. The vulnerability exists in the SelectDelete.php endpoint responsible for family record deletion. The vendor advisory is available at https://github.com/ChurchCRM/CRM/security/advisories/GHSA-6qxv-xw9j-77pj with technical details in pull request #8613.

RemediationAI

Upgrade to ChurchCRM version 7.2.0 or later, which implements CSRF token validation for the SelectDelete.php endpoint per commit 39361628613af7682b813f3e62a412559616d674 and pull request #8613 (https://github.com/ChurchCRM/CRM/pull/8613). For organizations unable to immediately upgrade, implement compensating controls: configure web application firewall (WAF) rules to block GET requests to SelectDelete.php (may break legitimate admin workflows if the application UI uses GET for deletion links), educate administrators to never click external links while logged into ChurchCRM (reduces social engineering success but relies on user behavior), or implement network-level restrictions allowing ChurchCRM access only from trusted IP ranges (limits exposure but impacts remote administration). Note that blocking GET requests will likely require application-level changes to use POST, making upgrade the only complete remediation. Review audit logs for suspicious deletion activity in family records between initial deployment and patching, though legitimate administrative deletions may be indistinguishable from CSRF-triggered ones without correlation to user activity timestamps.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-40581 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy