CVE-2026-44548

CVSS v3.1

8.1

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.3.2

Description Top-level cross-site GET navigation from an attacker-controlled page to the endpoints "FundRaiserDelete.php", "PropertyTypeDelete.php", or "NoteDelete.php" allows a logged-in user with the appropriate role to silently delete records. This includes the deletion of cascaded property and record-to-property assignments.

Recommendations Update to version 7.3.2.

Exploit

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-650CWE-352

Related Identifiers

CVE-2026-44548

Affected Products

Churchcrm

CVE-2026-44548

Weakness Enumeration

Related Identifiers

Affected Products

References · 5