CVE-2026-40484
Published: 18 April 2026
Summary
CVE-2026-40484 is a critical-severity Improper Privilege Management (CWE-269) vulnerability. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 21.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Validates uploaded backup archives and extracted file contents to block dangerous file types like PHP webshells from being placed in executable web directories.
- Controls and validates content prior to placement on publicly accessible web systems, preventing execution of malicious files copied to the document root.
- Enforces communications session authenticity with CSRF protections to block unauthorized exploitation of the restore endpoint by targeting authenticated administrators.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the ChurchCRM web application's backup restore function directly enables exploitation of a public-facing application (T1190): an authenticated admin can upload a crafted archive that deploys a PHP web shell (T1505.003) into the web root for RCE, because the restore performs no file filtering and has no CSRF protection.
NVD Description
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which performs no file extension filtering. An authenticated administrator can upload a crafted backup archive containing a PHP webshell inside the Images/ directory, which is then written to a publicly accessible path and executable via HTTP requests, resulting in remote code execution as the web server user. The restore endpoint also lacks CSRF token validation, enabling exploitation through cross-site request forgery targeting an authenticated administrator. This issue has been fixed in version 7.2.0.
Deeper analysis
CVE-2026-40484 affects ChurchCRM, an open-source church management system, in versions prior to 7.2.0. The vulnerability resides in the database backup restore functionality, which extracts contents from an uploaded archive and uses the recursiveCopyDirectory() function to copy files from the Images/ directory into the web-accessible document root without any file extension filtering. This improper handling allows malicious files to be placed in executable locations.
An authenticated administrator can exploit this by uploading a crafted backup archive containing a PHP webshell within the Images/ directory, resulting in the webshell being written to a publicly accessible path and executable via HTTP requests, achieving remote code execution as the web server user. The restore endpoint also lacks CSRF token validation, enabling cross-site request forgery attacks that target an authenticated administrator to trigger the exploitation without their direct interaction. The CVSS 3.1 score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) reflects the high impact, with associated CWEs including 269 (Improper Privilege Management), 434 (Unrestricted Upload of File with Dangerous Type), and 552 (Files or Directories Accessible to External Parties).
The issue has been addressed in ChurchCRM version 7.2.0, as detailed in the project's GitHub security advisory (GHSA-2932-77f9-62fx), pull request #8610, and commit 68be1d12bc4cc1429575ae797ef05efe47030d39, which presumably introduce file filtering and CSRF protections to the restore functionality. Security practitioners should upgrade to 7.2.0 or later and review access to administrative restore features.
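The two defects described above (no file filtering in the recursive copy, no CSRF check on the restore endpoint) are what a hardened restore has to close. The following is an added illustration, not ChurchCRM's own code or its 7.2.0 fix: it assumes hypothetical helpers requireCsrfToken() and safeRestoreImages() that stand in for the unfiltered recursiveCopyDirectory() step, and it applies a single-extension name allowlist, a decoded-image check whose MIME type must match the extension, symlink rejection and non-executable permissions.

```php
<?php
declare(strict_types=1);
// Added example, not ChurchCRM's own code: a CSRF check plus a hardened
// replacement for an unfiltered recursive copy of restored Images/ files
// into the web root. Function and constant names are hypothetical.

// Single-extension image names only: blocks shell.php and shell.php.jpg alike.
const SAFE_IMAGE_NAME = '/^[A-Za-z0-9_-]+\.(jpe?g|png|gif|webp)$/i';
// MIME type the decoded image data must report for each accepted extension.
const IMAGE_MIME = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png', 'gif' => 'image/gif', 'webp' => 'image/webp'];

// Refuse a restore request that does not carry the session's CSRF token.
function requireCsrfToken(array $post, array $session): void
{
    if (empty($session['csrf_token']) || empty($post['csrf_token'])
        || !hash_equals($session['csrf_token'], $post['csrf_token'])) {
        throw new RuntimeException('missing or invalid CSRF token');
    }
}

// Copy verified images from the extracted archive ($src) into the web root
// ($dst); returns the relative paths that were refused so the caller can log them.
function safeRestoreImages(string $src, string $dst): array
{
    $skipped = [];
    $srcReal = realpath($src);
    if ($srcReal === false) {
        throw new RuntimeException("source directory not found: $src");
    }
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($srcReal, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST);
    foreach ($iter as $path => $info) {
        $rel = substr($path, strlen($srcReal) + 1);
        if ($info->isLink()) { $skipped[] = $rel; continue; }  // no symlink escapes
        if ($info->isDir()) { is_dir("$dst/$rel") || mkdir("$dst/$rel", 0755, true); continue; }
        $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        $img = @getimagesize($path);  // false unless the bytes decode as an image
        if (!preg_match(SAFE_IMAGE_NAME, basename($path))
            || $img === false || $img['mime'] !== IMAGE_MIME[$ext]) {
            $skipped[] = $rel;  // bad name, undecodable, or magic bytes mismatch extension
            continue;
        }
        copy($path, "$dst/$rel");
        chmod("$dst/$rel", 0644);  // readable by the web server, never executable
    }
    return $skipped;
}
```

Call requireCsrfToken($_POST, $_SESSION) before any archive is touched, and pair the file checks with a web-server rule that disables script execution under Images/, since a content check alone does not stop every polyglot file.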
Details
- CWE(s)