CVSS score: 8.1
ChurchCRM deletes family records permanently without asking
CVE-2026-40581
Summary
Because the family deletion endpoint accepts a plain GET request with no CSRF token, a crafted web page opened by an authenticated administrator can make their browser delete family records and all associated data, with no confirmation prompt and no way to undo it. This can cause loss of important information about church members and their relationships. Update to version 7.2.0 to fix this issue.
Original title
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records ...
Original description
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An attacker can craft a malicious page that, when visited by an authenticated administrator, silently triggers deletion of targeted family records including associated notes, pledges, persons, and property data without any user interaction. This issue has been fixed in version 7.2.0.
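The description identifies two defects in the same handler: a state-changing action reachable over GET, and no anti-CSRF token (plus, per CWE-862, no explicit authorization check). The following PHP is an added illustration of what a hardened deletion handler looks like; it is not ChurchCRM's SelectDelete.php or the 7.2.0 fix, and the helper names (`isAdmin`, `deleteFamily`, the `role` session key, the table names) are assumptions made for the example.

```php
<?php
// Hardened delete handler (illustrative, not ChurchCRM's code).
session_start();

// Issue one random token per session; every deletion form embeds it as
// <input type="hidden" name="csrf_token" value="..."> so a cross-origin page
// that does not know the token cannot build a valid request.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Assumed session layout: the login code stores the user's role here.
function isAdmin(): bool
{
    return ($_SESSION['role'] ?? '') === 'admin';
}

// Returns null when the request may proceed, or an [status, message] pair
// describing why it was refused. Keeping the checks in one function makes
// them easy to unit test without touching the database.
function checkDeleteRequest(string $method, array $post, array $session): ?array
{
    // 1. A destructive action must never be reachable via GET, because a
    //    GET is sent automatically for images, links and redirects.
    if ($method !== 'POST') {
        return [405, 'Method Not Allowed'];
    }
    // 2. Compare the submitted token with the session token in constant time.
    $submitted = (string) ($post['csrf_token'] ?? '');
    if ($submitted === '' || !hash_equals($session['csrf_token'] ?? '', $submitted)) {
        return [403, 'Invalid CSRF token'];
    }
    // 3. Being logged in is not enough (CWE-862): require the deletion privilege.
    if (!isAdmin()) {
        return [403, 'Forbidden'];
    }
    // 4. Only a well-formed numeric id is accepted.
    if (filter_var($post['id'] ?? null, FILTER_VALIDATE_INT) === false) {
        return [400, 'Bad Request'];
    }
    return null;
}

// Cascading delete inside one transaction (assumed table names).
function deleteFamily(PDO $pdo, int $familyId): void
{
    $pdo->beginTransaction();
    foreach (['note', 'pledge', 'person', 'property'] as $table) {
        $pdo->prepare("DELETE FROM {$table} WHERE family_id = ?")->execute([$familyId]);
    }
    $pdo->prepare('DELETE FROM family WHERE id = ?')->execute([$familyId]);
    $pdo->commit();
}

$refusal = checkDeleteRequest($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION);
if ($refusal !== null) {
    http_response_code($refusal[0]);
    if ($refusal[0] === 405) {
        header('Allow: POST');
    }
    exit($refusal[1]);
}

$pdo = new PDO('sqlite:churchcrm.db'); // assumed connection string
deleteFamily($pdo, (int) $_POST['id']);
echo 'Family deleted';
```

As defence in depth, the session cookie can also be set with `SameSite=Lax` or `Strict` so that most cross-site POSTs never carry the session at all, and an explicit confirmation step before the POST addresses the "without asking" aspect of the report; neither replaces the server-side token check.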
NVD CVSS 3.1 score: 8.1
Vulnerability type
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-862: Missing Authorization
Published: 18 Apr 2026 · Updated: 18 Apr 2026 · First seen: 18 Apr 2026