Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-d9j3-ctr4-m3c5
Summary ChurchCRM is an open-source church management system. Prior to 6.5.3, it is possible to trigger server-side HTTP/HTTPS requests to arbitrary hosts (SSRF) by supplying a crafted URL in the Referer request header. The server subsequently makes an outbound request to the attacker-controlled domain, confirmed via OAST. This vulnerability is fixed in 6.5.3.
Aliases
0
alias CVE-2026-35572
Fixed_packages
Affected_packages
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-35572
reference_id
reference_type
scores
0
value 0.00064
scoring_system epss
scoring_elements 0.20261
published_at 2026-06-11T12:55:00Z
1
value 0.00064
scoring_system epss
scoring_elements 0.20437
published_at 2026-06-12T12:55:00Z
2
value 0.00064
scoring_system epss
scoring_elements 0.20458
published_at 2026-06-13T12:55:00Z
3
value 0.00067
scoring_system epss
scoring_elements 0.21145
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-35572
1
reference_url https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44x3-28jv-mrwq
reference_id GHSA-44x3-28jv-mrwq
reference_type
scores
0
value 7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-07T19:49:55Z/
url https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44x3-28jv-mrwq
Weaknesses
0
cwe_id 918
name Server-Side Request Forgery (SSRF)
description The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Exploits
Severity_range_score 7.0 - 7.0
Exploitability null
Weighted_severity null
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d9j3-ctr4-m3c5