NVD Vulnerability Detail
Search Exploit, PoC
CVE-2026-44548
Summary

ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php causes a logged-in ChurchCRM user with the relevant role to silently delete records, including cascaded property and record-to-property assignments. This vulnerability is fixed in 7.3.2.

Publication Date May 13, 2026, 8:16 a.m.
Registration Date May 15, 2026, 4:19 a.m.
Last Update May 14, 2026, 1:16 a.m.
CVSS3.1 : HIGH
スコア 8.1
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
攻撃元区分(AV) ネットワーク
攻撃条件の複雑さ(AC)
攻撃に必要な特権レベル(PR) 不要
利用者の関与(UI)
影響の想定範囲(S) 変更なし
機密性への影響(C) なし
完全性への影響(I)
可用性への影響(A)
Related information, measures and tools
Common Vulnerabilities List