EUVD-2026-19726

| CVE-2026-35578 MEDIUM

2026-04-07 GitHub_M

5.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

EUVD ID Assigned

Apr 07, 2026 - 16:30 euvd

EUVD-2026-19726

Analysis Generated

Apr 07, 2026 - 16:30 vuln.today

CVE Published

Apr 07, 2026 - 15:53 nvd

MEDIUM 5.3

Description

ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked 'Cancel' button on the page. For this write-up the DonatedItemEditor.php will be used as an example, however wherever all instances of 'linkBack' should be assessed. This vulnerability is fixed in 7.0.0.

Analysis

Open redirect vulnerability in ChurchCRM prior to version 7.0.0 allows authenticated users to be redirected to arbitrary URLs via crafted links containing unvalidated redirect parameters, particularly through the 'linkBack' parameter used across multiple application pages including DonatedItemEditor.php. An attacker can create a malicious link that redirects authenticated users to external sites when they interact with UI elements, enabling phishing attacks and credential theft. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +26

POC: 0

EUVD-2026-19726 vulnerability details – vuln.today

Back

EUVD-2026-19726

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-19726

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code