VYPR

Churchcrm

by Churchcrm

Source repositories

CVEs (118)

  • CVE-2026-39344 (High) Apr 7, 2026
    risk 0.46, cvss 8.1, epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting (XSS) vulnerability on the login page, which is caused by the lack of sanitization or encoding of the username parameter received from the URL. The username parameter…

  • CVE-2026-39341 (High) Apr 7, 2026
    risk 0.46, cvss 8.1, epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, the application is vulnerable to time-based SQL injection due to an improper input validation. Endpoint Reports/ConfirmReportEmail.php?familyId= is not correctly sanitising user input, specifically, the…

  • CVE-2026-39340 (High) Apr 7, 2026
    risk 0.46, cvss 8.1, epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property type categories (People → Person Properties / Family Properties). The…

  • CVE-2026-39331 (High) Apr 7, 2026
    risk 0.46, cvss 8.1, epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply changing the {familyId} parameter in requests, regardless of whether they possess the required EditRecords…

  • CVE-2026-35575 (High) Apr 7, 2026
    risk 0.45, cvss 8.0, epss 0.00

    ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel’s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically…

  • CVE-2026-35534 (High) Apr 7, 2026
    risk 0.42, cvss 7.6, epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText() as an output sanitizer for HTML attribute context. The function only strips HTML tags, it does not…

  • CVE-2026-39343 (High) Apr 7, 2026
    risk 0.40, cvss 7.2, epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in the EditEventTypes.php file, which is only accessible to administrators. The EN_tyid POST parameter is not sanitized before being used in a SQL query, allowing an…

  • CVE-2026-39325 (High) Apr 7, 2026
    risk 0.40, cvss 7.2, epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsUser.php in ChurchCRM 7.0.5. Authenticated administrative users can inject arbitrary SQL statements through the type array parameter via the…

  • CVE-2026-35574 (High) Apr 7, 2026
    risk 0.40, cvss 7.3, epss 0.00

    ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM's Note Editor allows authenticated users with note-adding permissions to execute arbitrary JavaScript code in the context of other users'…

  • CVE-2025-11529 (High) Oct 9, 2025
    risk 0.40, cvss 7.3, epss 0.01

    A security flaw has been discovered in ChurchCRM up to 5.18.0. This impacts the function AuthMiddleware of the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed…

  • CVE-2026-40482 (High) Apr 18, 2026
    risk 0.39, cvss not listed, epss 0.00

    ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw SQL. This issue has been fixed in version 7.2.0.

  • CVE-2026-40480 (High) Apr 18, 2026
    risk 0.39, cvss not listed, epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson()…

  • CVE-2025-11938 (Medium) Oct 19, 2025
    risk 0.36, cvss 5.6, epss 0.01

    A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing a manipulation of the argument DB_PASSWORD/ROOT_PATH/URL results in deserialization. The attack may be initiated remotely. The attack's…

  • CVE-2026-39941 (Medium) Apr 9, 2026
    risk 0.33, cvss 6.1, epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vulnerability allows attacker-supplied input sent via the EName and EDesc parameters in EditEventAttendees.php to be rendered in a page without proper output encoding, enabling arbitrary JavaScript…

  • CVE-2026-39338 (Medium) Apr 7, 2026
    risk 0.33, cvss 6.1, epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM dashboard. The application fails to sanitize or encode user-supplied input prior to rendering it…

  • CVE-2026-39336 (Medium) Apr 7, 2026
    risk 0.33, cvss 6.1, epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered into address fields, and external self-registration form defaults. This is…

  • CVE-2026-39335 (Medium) Apr 7, 2026
    risk 0.33, cvss 6.1, epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.1, there is Stored XSS in group remove control and family editor state/country. This is primarily an admin-to-admin stored XSS path when writable entity fields are abused. This vulnerability is fixed in 7.1.1.

  • CVE-2026-35572 (Medium) Apr 7, 2026
    risk 0.32, cvss 6.0, epss 0.00

    ChurchCRM is an open-source church management system. Prior to 6.5.3, it is possible to trigger server-side HTTP/HTTPS requests to arbitrary hosts (SSRF) by supplying a crafted URL in the Referer request header. The server subsequently makes an outbound request to the…

  • CVE-2025-11939 (Medium) Oct 19, 2025
    risk 0.31, cvss 4.7, epss 0.01

    A vulnerability was determined in ChurchCRM up to 5.18.0. This issue affects some unknown processing of the file src/ChurchCRM/Backup/RestoreJob.php of the component Backup Restore Handler. Executing a manipulation of the argument restoreFile can lead to path traversal. The…

  • CVE-2026-40483 (Medium) Apr 18, 2026
    risk 0.28, cvss 5.4, epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes without escaping via htmlspecialchars(). An authenticated user with Finance permissions can inject HTML…

Page 2 of 6