—

CVE-2026-35578EXPLOITEDPATCHED

churchcrm · crm

ChurchCRM has an Open Redirect via the ‘linkBack’ URL Parameter in DonatedItemEditor.php

Description

A vulnerability marked as problematic has been reported in ChurchCRM up to 6.x. This issue affects some unknown processing of the file DonatedItemEditor.php. Performing a manipulation results in open redirect. The attack can be initiated remotely.

Affected Products

Vendor	Product	Versions
churchcrm	crm	< 7.0.0

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v3hj-33xf-qx47(x_refsource_CONFIRM)

Related News (1 articles)

Tier C

VulDB4h ago

CVE-2026-35578 | ChurchCRM up to 6.x DonatedItemEditor.php redirect

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

7.0.0

CWECWE-601

PublishedApr 7, 2026

Last enriched3h agov2

Trending Score46

Source articles1

Independent1

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-39330EXP

ChurchCRM has a Blind SQL injection in PropertyAssign.php

Trending: 63

CRITICALCVE-2026-39334EXP

ChurchCRM has a Blind SQL injection in SettingsIndividual.php

Trending: 63

HIGHCVE-2026-39327EXP

ChurchCRM has a SQL injection in MemberRoleChange.php

Trending: 60

HIGHCVE-2026-39341EXP

SQL injection in ChurchCRM.0

Trending: 60

HIGHCVE-2026-39323EXP

ChurchCRM has a SQL Injection in PropertyTypeEditor.php with Cross-Page Data Exposure

Trending: 60

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 7, 2026

Discovered by ZDM

Apr 7, 2026

Actively Exploited

Apr 7, 2026

Patch Available

Apr 7, 2026

Updated: description, severity, activelyExploited, patchAvailable

Apr 7, 2026

Version History

Last enriched 3h ago

v2Tier C3h ago

Updated description with new details, changed severity to HIGH, and noted that the vulnerability is actively exploited.

descriptionseverityactivelyExploitedpatchAvailable

via VulDB

v14h ago

Initial creation