CVE-2026-39940 MEDIUM

CVE-2026-39940: ChurchCRM has an Open Redirect via the ‘linkBack’ URL Parameter in DonatedItemEditor.php

Vendor Churchcrm
Product CRM
Weakness CWE-601 · Open redirect
Published April 13, 2026
Last update April 16, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

Description

ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked the 'Cancel' button on the page. For this write-up, DonatedItemEditor.php is used as an example; however, all instances of 'linkBack' should be assessed. This vulnerability is fixed in 7.0.0.
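The pattern behind this class of bug and a hardened check, as an added PHP example that is not ChurchCRM's code and does not reproduce its actual fix; the function names, the constructed inputs and the '/' fallback are assumptions:

```php
<?php
// Added example, not ChurchCRM's own code. Shows why an unvalidated
// 'linkBack'-style return parameter is an open redirect and one way to
// harden it: accept only a path on this site, otherwise fall back.

// Vulnerable pattern (illustrative): the raw query value becomes the
// target of the Cancel button, so any absolute URL is honoured.
function cancelTargetVulnerable(array $query): string
{
    return $query['linkBack'] ?? '/';
}

// Hardened: return a same-site path or the fallback (assumed to be '/').
function safeLinkBack(?string $candidate, string $fallback = '/'): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    // Reject CR/LF and other control characters (Location header injection).
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return $fallback;
    }
    // Reject anything carrying a scheme or host: https://..., //host, javascript:
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    // Reject backslashes: some browsers normalise "/\host" into "//host".
    if (strpos($candidate, '\\') !== false) {
        return $fallback;
    }
    // Normalise to a single leading slash so it is always application-relative.
    return '/' . ltrim($candidate, '/');
}

// Constructed inputs (not from the advisory) and the expected decisions.
$cases = [
    ['DonatedItemEditor.php',            '/DonatedItemEditor.php'],
    ['https://attacker.example/phish',   '/'],
    ['//attacker.example/phish',         '/'],
    ["/\\attacker.example",              '/'],
    ['javascript:alert(1)',              '/'],
    ["/ok\r\nSet-Cookie: x=1",           '/'],
    [null,                               '/'],
];
foreach ($cases as [$input, $expected]) {
    $got = safeLinkBack($input);
    printf("%-34s -> %-24s %s\n", var_export($input, true), $got,
        $got === $expected ? 'ok' : 'MISMATCH');
}
```

Applying the check at every place the parameter is read, not only in DonatedItemEditor.php, is what closes the whole class rather than the one page the advisory names.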

Key dates

Disclosure timeline

April 13, 2026 CVE published
April 16, 2026 Record updated