—

CVE-2026-35578EXPLOITEDPATCHED

churchcrm · crm

ChurchCRM has an Open Redirect via the ‘linkBack’ URL Parameter in DonatedItemEditor.php

Description

A vulnerability marked as problematic has been reported in ChurchCRM up to 6.x. This issue affects some unknown processing of the file DonatedItemEditor.php. Performing a manipulation results in open redirect. The attack can be initiated remotely.

Affected Products

Vendor	Product	Versions
churchcrm	crm	< 7.0.0

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v3hj-33xf-qx47(x_refsource_CONFIRM)

Related News (1 articles)

Tier C

VulDB6h ago

CVE-2026-35578 | ChurchCRM up to 6.x DonatedItemEditor.php redirect

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

7.0.0

CWECWE-601

PublishedApr 7, 2026

Last enriched6h agov2

Trending Score46

Source articles1

Independent1

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-39330EXP

ChurchCRM has a Blind SQL injection in PropertyAssign.php

Trending: 62

CRITICALCVE-2026-39334EXP

ChurchCRM has a Blind SQL injection in SettingsIndividual.php

Trending: 62

HIGHCVE-2026-39327EXP

ChurchCRM has a SQL injection in MemberRoleChange.php

Trending: 59

HIGHCVE-2026-39326EXP

ChurchCRM has a Blind SQL injection in PropertyTypeEditor.php

Trending: 59

HIGHCVE-2026-39329EXP

ChurchCRM has a Blind SQL injection in EventNames.php

Trending: 59

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 7, 2026

Discovered by ZDM

Apr 7, 2026

Actively Exploited

Apr 7, 2026

Patch Available

Apr 7, 2026

Updated: description, severity, activelyExploited, patchAvailable

Apr 7, 2026

Version History

Last enriched 6h ago

v2Tier C6h ago

Updated description with new details, changed severity to HIGH, and noted that the vulnerability is actively exploited.

descriptionseverityactivelyExploitedpatchAvailable

via VulDB

v16h ago

Initial creation