CVE-2026-44548 – ChurchCRM: CSRF via legacy GET-delete pages (FundRaiserDelete.php, PropertyTypeDelete.php, NoteDelete.php)

CVE ID :CVE-2026-44548

Published : May 12, 2026, 11:16 p.m. | 1 hour, 41 minutes ago

Description :ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php causes a logged-in ChurchCRM user with the relevant role to silently delete records, including cascaded property and record-to-property assignments. This vulnerability is fixed in 7.3.2.

Severity: 8.1 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-8336 – Post-authentication use-after-free error in $_internalJsEmit and mapreduce commands

CVE-2026-8201 – Use-After-Free in MongoDB FLE Query Analysis When Processing Positional Projections on Encrypted Fields

CVE-2026-8200 – Schema validation log messages may not redact user data

CVE-2026-8199 – Post-auth memory exhaustion via bitwise match expressions