{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35578", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "REJECTED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T20:09:02.827Z", "datePublished": "2026-04-07T15:53:05.516Z", "dateUpdated": "2026-04-13T16:35:54.049Z", "dateRejected": "2026-04-13T16:35:54.049Z"}, "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "This CVE is a duplicate of another CVE.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39940. Reason: This candidate is a reservation duplicate of CVE-2026-39940. Notes: All CVE users should reference CVE-2026-39940 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage."}], "replacedBy": ["CVE-2026-39940"], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T16:35:54.049Z"}}}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35578", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "REJECTED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T20:09:02.827Z", "datePublished": "2026-04-07T15:53:05.516Z", "dateUpdated": "2026-04-13T16:35:54.049Z", "dateRejected": "2026-04-13T16:35:54.049Z"}, "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "This CVE is a duplicate of another CVE.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39940. Reason: This candidate is a reservation duplicate of CVE-2026-39940. Notes: All CVE users should reference CVE-2026-39940 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage."}], "replacedBy": ["CVE-2026-39940"], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T16:35:54.049Z"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rejected reason: This CVE is a duplicate of another CVE.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39940. Reason: This candidate is a reservation duplicate of CVE-2026-39940. Notes: All CVE users should reference CVE-2026-39940 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage."}], "id": "CVE-2026-35578", "lastModified": "2026-04-13T17:16:28.780", "metrics": {}, "published": "2026-04-07T17:16:33.133", "references": [], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Rejected"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.0.0)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "CRM", "source": "cna", "vendor": "ChurchCRM"}, "product": "churchcrm", "vendor": "churchcrm"}], "analysis": {"en": {"generated_at": "2026-04-07T23:22:45.661666+00:00", "value": {"mitigation_remediation": ["Upgrade ChurchCRM to version 7.0.0 or later, which fixes the open\u2011redirect flaw.", "Remove or neutralise the unused linkBack parameter in application workflows.", "Verify that no other pages expose the same parameter pattern before deployment.", "Implement monitoring to detect unexpected redirects originating from trusted users."], "summary": {"action": "Patch Upgrade", "impact": "Open Redirect via linkBack URL parameter"}, "threat_synthesis": {"affected_systems": "ChurchCRM, the open\u2011source church management system, is affected in all releases before version 7.0.0. The issue exists wherever the linkBack parameter is used, including the DonatedItemEditor component and similar pages.", "description_and_impact": "The flaw allows an authenticated user to be redirected to an arbitrary URL when clicking a cancel button on pages such as DonatedItemEditor.php. By manipulating the unsanitised linkBack parameter, an attacker can craft links that, when followed by a logged\u2011in user, send them to malicious or phishing destinations. While the vulnerability does not provide direct code execution or data theft, it increases the risk of credential theft or other social\u2011engineering attacks targeting church staff and members.", "risk_and_exploitability": "The scoring indicates moderate severity. Exploitation requires an authenticated user session; the attacker merely supplies a malicious URL through the linkBack parameter, which is then executed when the user interacts with the cancel action. The attack is straightforward and could be leveraged in phishing campaigns against church staff or congregants."}}}}, "created": "2026-04-08T19:48:10.060383+00:00", "updated": "2026-04-09T08:24:09.894733+00:00", "vendors": ["churchcrm", "churchcrm$PRODUCT$churchcrm"]}