PT-2026-33532 · Churchcrm · Churchcrm

Published: 2026-04-17 · Updated: 2026-04-18 · CVE-2026-40484

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 7.2.0

Description: The database backup restore functionality extracts the contents of an uploaded archive and copies files from its 'Images/' directory into the web-accessible document root using the recursiveCopyDirectory() function, which performs no file extension filtering. An authenticated administrator can upload a crafted backup archive that contains a PHP webshell under 'Images/'; the file is written to a publicly accessible path and can then be executed via HTTP requests, leading to remote code execution as the web server user. Additionally, the restore endpoint lacks CSRF (Cross-Site Request Forgery) token validation, so the attack can also be triggered by a cross-site request targeting an authenticated administrator.

Recommendations: Update to version 7.2.0.
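The following is an added example and not ChurchCRM's own code (the real fix is in 7.2.0). It shows the two controls whose absence the description names, written from the restore side: a replacement for the unfiltered recursive copy that admits only regular files carrying a single allowlisted image extension whose content also sniffs as an image, and a constant-time CSRF token check for the restore endpoint. The function names, the allowlist and the 'csrf_token' field name are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not ChurchCRM code. Names and the allowlist are hypothetical.
const ALLOWED_IMAGE_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

/** True if $name has exactly one extension and that extension is allowlisted. */
function hasAllowedImageExtension(string $name): bool
{
    $parts = explode('.', $name);
    // "photo.jpg" -> 2 parts. Names with several extensions are refused, because
    // some web servers map every extension in a name to a handler.
    if (count($parts) !== 2 || $parts[0] === '') {
        return false;
    }
    return in_array(strtolower($parts[1]), ALLOWED_IMAGE_EXTENSIONS, true);
}

/** True if the file's magic bytes identify some image type. */
function sniffsAsImage(string $path): bool
{
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = $finfo ? finfo_file($finfo, $path) : false;
    if ($finfo) {
        finfo_close($finfo);
    }
    return is_string($mime) && str_starts_with($mime, 'image/');
}

/**
 * Copy $src (the extracted archive's Images/ directory) into $dst.
 * Symlinks, non-regular files and anything failing the extension or content
 * checks are reported in $skipped instead of copied. Returns the relative
 * paths that were copied.
 */
function restrictedCopyImages(string $src, string $dst, array &$skipped = []): array
{
    $srcReal = realpath($src);
    if ($srcReal === false || !is_dir($srcReal)) {
        throw new RuntimeException("source is not a directory: $src");
    }
    if (!is_dir($dst) && !mkdir($dst, 0750, true)) {
        throw new RuntimeException("cannot create destination: $dst");
    }
    $dstReal = realpath($dst);
    $copied  = [];

    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($srcReal, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iterator as $path => $info) {
        $rel    = substr($path, strlen($srcReal) + 1);
        $target = $dstReal . DIRECTORY_SEPARATOR . $rel;

        // The target must stay inside the destination tree.
        if (!str_starts_with($target, $dstReal . DIRECTORY_SEPARATOR)) {
            $skipped[] = "$rel (escapes destination)";
            continue;
        }
        // A symlink in the archive could point at config files or another web
        // path; it is never followed or copied.
        if ($info->isLink()) {
            $skipped[] = "$rel (symlink)";
            continue;
        }
        if ($info->isDir()) {
            if (!is_dir($target) && !mkdir($target, 0750, true)) {
                throw new RuntimeException("cannot create $target");
            }
            continue;
        }
        if (!$info->isFile() || !hasAllowedImageExtension($info->getFilename())) {
            $skipped[] = "$rel (not an allowlisted image file)";
            continue;
        }
        if (!sniffsAsImage($path)) {
            $skipped[] = "$rel (content is not an image)";
            continue;
        }
        if (!copy($path, $target)) {
            throw new RuntimeException("copy failed for $rel");
        }
        chmod($target, 0640); // data only, never executable
        $copied[] = $rel;
    }
    return $copied;
}

/**
 * The restore endpoint must also verify a CSRF token: the value stored in the
 * session has to match the one submitted with the POST, compared in constant time.
 */
function assertCsrfToken(array $session, array $post): void
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if (!is_string($expected) || !is_string($given) || $expected === ''
        || !hash_equals($expected, $given)) {
        http_response_code(403);
        throw new RuntimeException('CSRF token missing or invalid');
    }
}
```

In a restore handler, assertCsrfToken($_SESSION, $_POST) runs before the archive is touched, and restrictedCopyImages() replaces the unfiltered copy. As defence in depth, the web server configuration should also deny script execution under the Images/ directory, so that a file which slips past the checks is served as data rather than run.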

Fix

Weakness Enumeration

Files Accessible to External Parties
Unrestricted File Upload
Improper Privilege Management

Related Identifiers

CVE-2026-40484

Affected Products

Churchcrm