A vulnerability has been found in ChurchCRM up to 7.3.x and classified as problematic. Affected is an unknown function of the file /plugins/install-url of the component Allowed Extension. This manipulation of the argument hash causes incomplete blacklist.
This vulnerability is tracked as CVE-2026-58409. The attack is possible to be carried out remotely. No exploit exists.