PT-2026-30939 · Churchcrm · Churchcrm

Mateusz-Sa · Published 2026-04-07 · Updated 2026-04-07

CVE-2026-35572

CVSS v4.0: 7.0 (High)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 6.5.3

Description: ChurchCRM, an open-source church management system, is susceptible to Server-Side Request Forgery (SSRF). By providing a specially crafted URL within the Referer request header, an attacker can cause the server to initiate HTTP/HTTPS requests to arbitrary hosts. The server then makes an outbound request to a domain controlled by the attacker, as confirmed by out-of-band application security testing (OAST).

Recommendations: Update to version 6.5.3 or later.
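The root cause described above is that a value taken from the Referer header is used to build a server-side request without being checked. The following is an added example of the kind of same-origin check a defender would put in front of any such use; it is not ChurchCRM's code or its actual fix, and the APP_ORIGIN value is a constructed placeholder for the deployment's own public origin.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed placeholder: the application's own public origin as configured at deploy time.
APP_ORIGIN = "https://church.example.org"

_DEFAULT_PORT = {"http": 80, "https": 443}


def referer_is_safe(referer: Optional[str], app_origin: str = APP_ORIGIN) -> bool:
    """Return True only if the Referer names this application's own origin.

    The Referer header is attacker-controlled input. Before server-side code
    uses it to build an outbound request, it must be shown to point back at
    this application: http(s) only, same scheme, same host (case-insensitive)
    and same effective port. Embedded credentials (user@host tricks) and
    anything pointing elsewhere are rejected.
    """
    if not referer:
        return False
    try:
        ref = urlsplit(referer)
        app = urlsplit(app_origin)
        # .port raises ValueError on malformed port strings, so it stays inside the try.
        ref_port = ref.port
        app_port = app.port
    except ValueError:
        return False
    if ref.scheme not in _DEFAULT_PORT or ref.scheme != app.scheme:
        return False
    if ref.username is not None or ref.password is not None:
        return False
    if not ref.hostname or not app.hostname or ref.hostname.lower() != app.hostname.lower():
        return False
    if ref_port is None:
        ref_port = _DEFAULT_PORT[ref.scheme]
    if app_port is None:
        app_port = _DEFAULT_PORT[app.scheme]
    return ref_port == app_port


def safe_return_target(referer: Optional[str], app_origin: str = APP_ORIGIN, fallback: str = "/") -> str:
    """Derive a path-only target from a trusted Referer; otherwise use the fallback.

    Returning only path and query (never scheme or host) means the value can
    no longer steer the server toward an external host.
    """
    if not referer_is_safe(referer, app_origin):
        return fallback
    ref = urlsplit(referer)
    path = ref.path or "/"
    return path + ("?" + ref.query if ref.query else "")
```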

Tags: SSRF

Related Identifiers: CVE-2026-35572

Affected Products: Churchcrm