{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40484", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-13T19:50:42.114Z", "datePublished": "2026-04-17T23:25:06.319Z", "dateUpdated": "2026-04-20T14:56:29.684Z"}, "containers": {"cna": {"title": "ChurchCRM: Authenticated Remote Code Execution via Unrestricted PHP File Write in Database Restore Function", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-552", "lang": "en", "description": "CWE-552: Files or Directories Accessible to External Parties", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-2932-77f9-62fx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-2932-77f9-62fx"}, {"name": "https://github.com/ChurchCRM/CRM/pull/8610", "tags": ["x_refsource_MISC"], "url": "https://github.com/ChurchCRM/CRM/pull/8610"}, {"name": "https://github.com/ChurchCRM/CRM/commit/68be1d12bc4cc1429575ae797ef05efe47030d39", "tags": ["x_refsource_MISC"], "url": "https://github.com/ChurchCRM/CRM/commit/68be1d12bc4cc1429575ae797ef05efe47030d39"}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"version": "< 7.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T23:25:06.319Z"}, "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which performs no file extension filtering. An authenticated administrator can upload a crafted backup archive containing a PHP webshell inside the Images/ directory, which is then written to a publicly accessible path and executable via HTTP requests, resulting in remote code execution as the web server user. The restore endpoint also lacks CSRF token validation, enabling exploitation through cross-site request forgery targeting an authenticated administrator. This issue has been fixed in version 7.2.0."}], "source": {"advisory": "GHSA-2932-77f9-62fx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T14:45:34.816821Z", "id": "CVE-2026-40484", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:56:29.684Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40484", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-20T14:45:34.816821Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:45:35.906Z"}}], "cna": {"title": "ChurchCRM: Authenticated Remote Code Execution via Unrestricted PHP File Write in Database Restore Function", "source": {"advisory": "GHSA-2932-77f9-62fx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"status": "affected", "version": "< 7.2.0"}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-2932-77f9-62fx", "name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-2932-77f9-62fx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ChurchCRM/CRM/pull/8610", "name": "https://github.com/ChurchCRM/CRM/pull/8610", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ChurchCRM/CRM/commit/68be1d12bc4cc1429575ae797ef05efe47030d39", "name": "https://github.com/ChurchCRM/CRM/commit/68be1d12bc4cc1429575ae797ef05efe47030d39", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which performs no file extension filtering. An authenticated administrator can upload a crafted backup archive containing a PHP webshell inside the Images/ directory, which is then written to a publicly accessible path and executable via HTTP requests, resulting in remote code execution as the web server user. The restore endpoint also lacks CSRF token validation, enabling exploitation through cross-site request forgery targeting an authenticated administrator. This issue has been fixed in version 7.2.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-552", "description": "CWE-552: Files or Directories Accessible to External Parties"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T23:25:06.319Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40484", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:56:29.684Z", "dateReserved": "2026-04-13T19:50:42.114Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-17T23:25:06.319Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which performs no file extension filtering. An authenticated administrator can upload a crafted backup archive containing a PHP webshell inside the Images/ directory, which is then written to a publicly accessible path and executable via HTTP requests, resulting in remote code execution as the web server user. The restore endpoint also lacks CSRF token validation, enabling exploitation through cross-site request forgery targeting an authenticated administrator. This issue has been fixed in version 7.2.0."}], "id": "CVE-2026-40484", "lastModified": "2026-04-20T18:59:46.333", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-18T00:16:39.387", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ChurchCRM/CRM/commit/68be1d12bc4cc1429575ae797ef05efe47030d39"}, {"source": "security-advisories@github.com", "url": "https://github.com/ChurchCRM/CRM/pull/8610"}, {"source": "security-advisories@github.com", "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-2932-77f9-62fx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}, {"lang": "en", "value": "CWE-434"}, {"lang": "en", "value": "CWE-552"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.2.0)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "CRM", "source": "cna", "vendor": "ChurchCRM"}, "product": "churchcrm", "vendor": "churchcrm"}], "analysis": {"en": {"generated_at": "2026-04-18T08:47:52.658133+00:00", "value": {"mitigation_remediation": ["Upgrade ChurchCRM to version 7.2.0 or later, where the restore functionality now enforces file type validation and requires CSRF tokens.", "If an upgrade is not immediately possible, temporarily disable the database restore endpoint or restrict upload access so that only non\u2011executable image files can be processed.", "Enable or enforce CSRF protection on all administrative actions to prevent unauthenticated suicide of administrator privileges."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all ChurchCRM Community Edition installations running any version prior to 7.2.0. The affected product is the ChurchCRM web application, version 7.1.x and earlier.", "description_and_impact": "An authenticated administrator can exploit ChurchCRM\u2019s database restore feature to upload a specially crafted backup archive containing a PHP file. The restoration process copies the archive\u2019s Images/ directory into the web\u2011accessible document root without filtering file extensions, enabling a PHP web shell to be written and later executed by the web server. The flaw also lacks CSRF protection, allowing attackers to trigger the exploit via a forged request. This combination of unrestricted file write and elevation to the web server\u2019s execution context leads to remote code execution and full compromise under the web server\u2019s user privileges. The weakness is reflected by CWE\u2011434 (Unrestricted Upload of File with Dangerous Type), CWE\u2011552 (Unrestricted File Transfer) and CWE\u2011269 (Improper Privilege Management).", "risk_and_exploitability": "The issue carries a CVSS base score of 9.1, indicating critical severity. No EPSS score is available, and it is not listed in CISA\u2019s KEV catalog. Exploitation requires the attacker to have access to an authenticated administrator account, but CSRF can be used to abuse that privilege without the admin\u2019s direct interaction. Once executed, the attacker gains arbitrary code execution on the host as the web server user, allowing full system compromise, data exfiltration, and persistence."}}}}, "created": "2026-04-18T09:00:05.891932+00:00", "updated": "2026-04-20T14:59:13.155814+00:00", "vendors": ["churchcrm", "churchcrm$PRODUCT$churchcrm"]}