CVE-2026-40484

Severity: Critical
Published: 18 April 2026
Modified: 20 April 2026
KEV Added: not listed
Patch: fixed in ChurchCRM 7.2.0
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0087 (54.0th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-40484 is a critical-severity Improper Privilege Management (CWE-269) vulnerability with a CVSS base score of 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 46.0% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-40484 affects ChurchCRM, an open-source church management system, in versions prior to 7.2.0. The vulnerability resides in the database backup restore functionality, which extracts contents from an uploaded archive and uses the recursiveCopyDirectory() function to copy files from the Images/ directory into the web-accessible document root without any file extension filtering. This improper handling allows malicious files to be placed in executable locations.

An authenticated administrator can exploit this by uploading a crafted backup archive containing a PHP webshell within the Images/ directory. The webshell is written to a publicly accessible path and can be executed via HTTP requests, giving remote code execution as the web server user. The restore endpoint also lacks CSRF token validation, so a cross-site request forgery attack can cause an authenticated administrator's browser to submit the restore request without the administrator knowingly triggering it. The CVSS 3.1 score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) reflects the high impact, with associated CWEs including 269 (Improper Privilege Management), 434 (Unrestricted Upload of File with Dangerous Type), and 552 (Files or Directories Accessible to External Parties).

The issue has been addressed in ChurchCRM version 7.2.0, as detailed in the project's GitHub security advisory (GHSA-2932-77f9-62fx), pull request #8610, and commit 68be1d12bc4cc1429575ae797ef05efe47030d39, which presumably introduce file filtering and CSRF protections to the restore functionality. Security practitioners should upgrade to 7.2.0 or later and review access to administrative restore features.

Vulnerability details

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which performs no file extension filtering. An authenticated administrator can upload a crafted backup archive containing a PHP webshell inside the Images/ directory, which is then written to a publicly accessible path and executable via HTTP requests, resulting in remote code execution as the web server user. The restore endpoint also lacks CSRF token validation, enabling exploitation through cross-site request forgery targeting an authenticated administrator. This issue has been fixed in version 7.2.0.
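The two defects described above (in the deeper analysis and in the vulnerability details) are both input-validation gaps on the restore path: files from the archive's Images/ tree reach the document root unfiltered, and the request itself is not bound to the administrator's session. The PHP below is an added illustration of what closing those gaps looks like; it is not ChurchCRM's code and not the change in PR #8610, and the function and constant names (isSafeImageFile, copyImagesFromRestore, restoreRequestIsAuthentic, the extension and MIME allowlists) are hypothetical. Files are accepted only if both the extension and the sniffed content identify an image, so a PHP file renamed to .png, a double-extension name like photo.png.php, and an .htaccess that could re-enable script execution are all refused.

```php
<?php
// Added illustration, not ChurchCRM's code. Names are hypothetical.
declare(strict_types=1);

// Allowlists (constructed for this example): only these image types may land
// in the web-accessible Images/ directory during a restore.
const ALLOWED_IMAGE_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];
const ALLOWED_IMAGE_MIME       = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];

/**
 * Decide whether one extracted file may be copied into the web root.
 * Both checks must pass: the extension must be on the allowlist and the
 * bytes must sniff as an image. Symlinks are never copied.
 */
function isSafeImageFile(string $path): bool
{
    if (!is_file($path) || is_link($path)) {
        return false;
    }
    // pathinfo() takes the last suffix, so "photo.png.php" is "php" and
    // ".htaccess" is "htaccess": both are rejected here.
    $ext = strtolower(pathinfo(basename($path), PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_IMAGE_EXTENSIONS, true)) {
        return false;
    }
    // Content check via the Fileinfo extension; a PHP script renamed to
    // .png reports text/x-php (or text/plain), not an image type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    return in_array($mime, ALLOWED_IMAGE_MIME, true);
}

/**
 * Copy the extracted Images/ tree ($src) into the live Images/ directory
 * ($dst). Every file that fails isSafeImageFile() is skipped and recorded in
 * $rejected so the restore can be logged and reviewed. Returns the number
 * of files copied.
 */
function copyImagesFromRestore(string $src, string $dst, array &$rejected): int
{
    $srcReal = realpath($src);
    $dstReal = realpath($dst);
    if ($srcReal === false || $dstReal === false) {
        throw new RuntimeException('source or destination directory does not exist');
    }
    $copied = 0;
    // SKIP_DOTS drops "." and ".."; symlinked directories are not descended
    // into because FOLLOW_SYMLINKS is deliberately not set.
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($srcReal, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $item) {
        // Entry path relative to the extracted Images/ directory.
        $rel    = substr($item->getPathname(), strlen($srcReal) + 1);
        $target = $dstReal . DIRECTORY_SEPARATOR . $rel;
        if ($item->isLink()) {
            $rejected[] = $rel;
            continue;
        }
        if ($item->isDir()) {
            if (!is_dir($target) && !mkdir($target, 0750, true)) {
                throw new RuntimeException("cannot create $target");
            }
            continue;
        }
        if (!isSafeImageFile($item->getPathname())) {
            $rejected[] = $rel;   // e.g. a .php file smuggled under Images/
            continue;
        }
        if (copy($item->getPathname(), $target)) {
            $copied++;
        }
    }
    return $copied;
}

/**
 * CSRF check for the restore endpoint: the token submitted with the POST
 * must equal the token bound to the administrator's session, compared in
 * constant time with hash_equals(). Call before touching the archive.
 */
function restoreRequestIsAuthentic(array $post, array $session): bool
{
    if (!isset($post['csrf_token'], $session['csrf_token'])) {
        return false;
    }
    return hash_equals((string) $session['csrf_token'], (string) $post['csrf_token']);
}
```

The design choice worth noting is that filtering happens at copy time rather than at upload time: the archive is untrusted input whatever its origin, and the decision about what may become web-accessible is made per file, right before the write. Logging the $rejected list also gives a detection signal, since a legitimate backup should produce an empty list and a crafted one will not.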

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The vulnerability in the ChurchCRM web application's backup restore function directly enables exploitation of a public-facing application (T1190) by allowing an authenticated admin to upload a crafted archive that deploys a PHP web shell (T1505.003) into the web root for RCE, due to lack of file filtering and CSRF protection.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33071 (shared CWE-434, CWE-552)
CVE-2025-22654 (shared CWE-434)
CVE-2025-11948 (shared CWE-434)
CVE-2025-67260 (shared CWE-434)
CVE-2025-28915 (shared CWE-434)
CVE-2023-53956 (shared CWE-434)
CVE-2025-6058 (shared CWE-434)
CVE-2021-47819 (shared CWE-434)
CVE-2025-7852 (shared CWE-434)
CVE-2026-4883 (shared CWE-434)

Affected Assets

ChurchCRM, versions prior to 7.2.0 (inferred from references and description; NVD did not file a CPE for this CVE).

Mitigating Controls (NIST 800-53 r5)

prevent: Validates uploaded backup archives and extracted file contents to block dangerous file types like PHP webshells from being placed in executable web directories.

prevent: Controls and validates content prior to placement on publicly accessible web systems, preventing execution of malicious files copied to the document root.

prevent: Enforces communications session authenticity with CSRF protections to block unauthorized exploitation of the restore endpoint by targeting authenticated administrators.