{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35572", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T20:09:02.826Z", "datePublished": "2026-04-07T17:07:57.506Z", "dateUpdated": "2026-04-07T19:59:43.438Z"}, "containers": {"cna": {"title": "SSRF via Referer header in ChurchCRM allows server-side HTTP/HTTPS requests to arbitrary hosts", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44x3-28jv-mrwq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44x3-28jv-mrwq"}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"version": "< 6.5.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:07:57.506Z"}, "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 6.5.3, it is possible to trigger server-side HTTP/HTTPS requests to arbitrary hosts (SSRF) by supplying a crafted URL in the Referer request header. The server subsequently makes an outbound request to the attacker-controlled domain, confirmed via OAST. This vulnerability is fixed in 6.5.3."}], "source": {"advisory": "GHSA-44x3-28jv-mrwq", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44x3-28jv-mrwq", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T19:49:55.897672Z", "id": "CVE-2026-35572", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T19:59:43.438Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35572", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T19:49:55.897672Z"}}}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44x3-28jv-mrwq", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T19:50:59.787Z"}}], "cna": {"title": "SSRF via Referer header in ChurchCRM allows server-side HTTP/HTTPS requests to arbitrary hosts", "source": {"advisory": "GHSA-44x3-28jv-mrwq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ChurchCRM", "product": "CRM", "versions": [{"status": "affected", "version": "< 6.5.3"}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44x3-28jv-mrwq", "name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44x3-28jv-mrwq", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 6.5.3, it is possible to trigger server-side HTTP/HTTPS requests to arbitrary hosts (SSRF) by supplying a crafted URL in the Referer request header. The server subsequently makes an outbound request to the attacker-controlled domain, confirmed via OAST. This vulnerability is fixed in 6.5.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T17:07:57.506Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35572", "state": "PUBLISHED", "dateUpdated": "2026-04-07T19:59:43.438Z", "dateReserved": "2026-04-03T20:09:02.826Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T17:07:57.506Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "5B1435CA-1370-4154-85E0-6AF1846DEEBD", "versionEndExcluding": "6.5.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to 6.5.3, it is possible to trigger server-side HTTP/HTTPS requests to arbitrary hosts (SSRF) by supplying a crafted URL in the Referer request header. The server subsequently makes an outbound request to the attacker-controlled domain, confirmed via OAST. This vulnerability is fixed in 6.5.3."}], "id": "CVE-2026-35572", "lastModified": "2026-04-10T20:58:52.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 4.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T18:16:41.610", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory", "Exploit"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44x3-28jv-mrwq"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Third Party Advisory", "Exploit"], "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44x3-28jv-mrwq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.5.3)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "CRM", "source": "cna", "vendor": "ChurchCRM"}, "product": "churchcrm", "vendor": "churchcrm"}], "analysis": {"en": {"generated_at": "2026-04-10T22:44:12.552607+00:00", "value": {"mitigation_remediation": ["Upgrade ChurchCRM to version 6.5.3 or later."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011Side Request Forgery via crafted Referer header"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in ChurchCRM project versions earlier than 6.5.3. The affected product is the ChurchCRM community edition. No specific sub\u2011versions are listed, so all releases prior to 6.5.3 are at risk.", "description_and_impact": "An attacker can send a request to the ChurchCRM application with a malicious Referer header that contains a URL. The CMS then performs an outbound HTTP or HTTPS request to the specified host. This server\u2011side request forgery (CWE\u2011918) may allow an adversary to access internal network services, exfiltrate sensitive data, or interact with any remote system reachable from the host running the application. The vulnerability demonstrates a clear threat to confidentiality, integrity, and potentially availability of the application and its underlying infrastructure.", "risk_and_exploitability": "The CVSS base score of 7.0 indicates high severity. The EPSS score is below 1%, implying exploit likelihood is low at present, and the issue is not listed in the CISA KEV catalog. The attack vector is inferred to be via any HTTP request to the application because no authentication requirement is mentioned; thus anonymous users may trigger the SSRF by supplying a crafted Referer header. Exploitation requires only the ability to send a request to the target server and supply a malicious header, after which the application will perform the outbound call."}}}}, "created": "2026-04-08T19:47:29.897172+00:00", "updated": "2026-04-13T14:26:42.803777+00:00", "vendors": ["churchcrm", "churchcrm$PRODUCT$churchcrm"]}