CVE-2026-39940: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in ChurchCRM CRM
ChurchCRM versions prior to 7. 0. 0 contain an open redirect vulnerability (CWE-601) that allows an authenticated user to be redirected to an attacker-chosen URL when clicking the 'Cancel' button on certain pages. This issue affects multiple locations in the application where the 'linkBack' parameter is used, with DonatedItemEditor. php as a noted example. The vulnerability has a medium severity rating with a CVSS score of 5. 3. It is fixed in version 7. 0. 0 of ChurchCRM.
AI Analysis
Technical Summary
CVE-2026-39940 is an open redirect vulnerability in ChurchCRM CRM versions before 7.0.0. The vulnerability arises because the application allows the creation of links that redirect authenticated users to arbitrary URLs when they click the 'Cancel' button on affected pages. This behavior is linked to the 'linkBack' parameter used in multiple places, exemplified by DonatedItemEditor.php. The vulnerability is resolved in ChurchCRM version 7.0.0.
Potential Impact
An attacker can craft a URL that, when visited by an authenticated ChurchCRM user, causes the user to be redirected to a potentially malicious external site. This could facilitate phishing or other social engineering attacks by exploiting user trust in the legitimate application. There is no indication of privilege escalation or direct data compromise from this vulnerability alone.
Mitigation Recommendations
This vulnerability is fixed in ChurchCRM version 7.0.0. Users and administrators should upgrade to version 7.0.0 or later to remediate this issue. Since no official patch link or advisory is provided, verify the upgrade from the official ChurchCRM release notes or repository. No additional mitigation is indicated.
CVE-2026-39940: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in ChurchCRM CRM
Description
ChurchCRM versions prior to 7. 0. 0 contain an open redirect vulnerability (CWE-601) that allows an authenticated user to be redirected to an attacker-chosen URL when clicking the 'Cancel' button on certain pages. This issue affects multiple locations in the application where the 'linkBack' parameter is used, with DonatedItemEditor. php as a noted example. The vulnerability has a medium severity rating with a CVSS score of 5. 3. It is fixed in version 7. 0. 0 of ChurchCRM.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-39940 is an open redirect vulnerability in ChurchCRM CRM versions before 7.0.0. The vulnerability arises because the application allows the creation of links that redirect authenticated users to arbitrary URLs when they click the 'Cancel' button on affected pages. This behavior is linked to the 'linkBack' parameter used in multiple places, exemplified by DonatedItemEditor.php. The vulnerability is resolved in ChurchCRM version 7.0.0.
Potential Impact
An attacker can craft a URL that, when visited by an authenticated ChurchCRM user, causes the user to be redirected to a potentially malicious external site. This could facilitate phishing or other social engineering attacks by exploiting user trust in the legitimate application. There is no indication of privilege escalation or direct data compromise from this vulnerability alone.
Mitigation Recommendations
This vulnerability is fixed in ChurchCRM version 7.0.0. Users and administrators should upgrade to version 7.0.0 or later to remediate this issue. Since no official patch link or advisory is provided, verify the upgrade from the official ChurchCRM release notes or repository. No additional mitigation is indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-07T22:40:33.820Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dd1e0282d89c981f1b771a
Added to database: 4/13/2026, 4:46:58 PM
Last enriched: 4/13/2026, 5:02:26 PM
Last updated: 4/13/2026, 7:05:47 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.