PT-2026-33542 · Churchcrm · Churchcrm

Published

2026-04-17

·

Updated

2026-04-18

·

CVE-2026-40581

CVSS v3.1

8.1

High

Vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 7.2.0
Description: The family record deletion endpoint SelectDelete.php permanently and irreversibly deletes a family record together with all associated data (notes, pledges, persons and property records). The deletion is triggered by a plain GET request, and the endpoint performs no Cross-Site Request Forgery (CSRF) token validation. In a CSRF attack, a malicious website causes the victim's browser to send a request to a different site on which the victim is currently authenticated; the browser attaches the session cookie automatically, so the target site accepts the request as the victim's own. An attacker can therefore craft a page that, when opened by an authenticated administrator, silently triggers the deletion of targeted records. The only interaction the victim performs is visiting the attacker's page (the UI:R component of the CVSS vector); no click or confirmation on the ChurchCRM side is needed.
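As an added illustration (not ChurchCRM's own code, and not the project's actual 7.2.0 fix), the PHP snippet below shows the vulnerable shape the advisory describes beside a hardened handler: state-changing deletion restricted to POST, a per-session token compared in constant time, and a confirmation form that carries the token. The script name delete_family.php, the Id parameter, the csrf_token field and the deleteFamilyById() helper are assumptions made for this example.

```php
<?php
// Added example, not ChurchCRM code. Names (delete_family.php, Id,
// csrf_token, deleteFamilyById) are assumptions for illustration only.
declare(strict_types=1);

// Defense in depth: SameSite=Lax stops cross-site <img>/<form POST> requests
// from carrying the session cookie. Note that Lax still sends the cookie on a
// top-level GET navigation, which is exactly why a GET-triggered delete is
// dangerous on its own; the token and method check below remain necessary.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// --- Vulnerable pattern (the shape the advisory describes) -------------------
// Anything that makes the admin's browser fetch the URL is enough, e.g.
//   <img src="https://crm.example/delete_family.php?Id=12">
// on a third-party page: the browser attaches the session cookie, no token is
// checked, and the record is gone.
function vulnerableDelete(array $query): void
{
    $id = (int)($query['Id'] ?? 0);
    deleteFamilyById($id);   // permanent, no confirmation, no CSRF check
}

// --- Hardened pattern ------------------------------------------------------
function csrfToken(): string
{
    // One unpredictable token per session (regenerate it on login in real code).
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function requireCsrf(): void
{
    // 1. Destructive actions only over POST: a cross-site <img> or <a> cannot
    //    issue one, and a cross-site auto-submitted form still lacks the token.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('Method Not Allowed');
    }
    // 2. Compare the submitted token with the session token in constant time.
    $sent     = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

function hardenedDelete(): void
{
    requireCsrf();
    $id = (int)($_POST['Id'] ?? 0);
    deleteFamilyById($id);
}

// Confirmation form rendered on a normal GET; it carries the token so that
// only a form served by this site can complete the deletion.
function renderConfirmForm(int $id): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return <<<HTML
<form method="post" action="delete_family.php">
  <input type="hidden" name="Id" value="{$id}">
  <input type="hidden" name="csrf_token" value="{$token}">
  <button type="submit">Permanently delete family #{$id}</button>
</form>
HTML;
}

// Stand-in for the real deletion (assumption): prints instead of touching a DB.
function deleteFamilyById(int $id): void
{
    echo "family {$id} deleted\n";
}

// Dispatcher: GET only shows the confirmation form, POST performs the delete.
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    echo renderConfirmForm((int)($_GET['Id'] ?? 0));
} else {
    hardenedDelete();
}
```

The method check alone is not sufficient (an attacker's page can auto-submit a cross-site POST form), and the token alone is weaker when the action also answers GET, so both are applied; the SameSite cookie attribute is a third, browser-enforced layer rather than a replacement for either.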
Recommendations: Update to version 7.2.0 or later.

Fix

Weakness Enumeration

Missing Authorization

CSRF

Related Identifiers

CVE-2026-40581

Affected Products

Churchcrm