Churchcrm
by Churchcrm
Source repositories
CVEs (118)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-40485 | ChurchCRM | Med | 0.27 | 5.3 | 0.00 | — | Apr 18, 2026 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with… |
| CVE-2026-39940 | ChurchCRM | Med | 0.27 | — | 0.00 | — | Apr 13, 2026 | ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked 'Cancel'… |
| CVE-2025-62521 | ChurchCRM | — | 0.08 | — | 0.04 | — | Dec 17, 2025 | ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to… |
| CVE-2025-68109 | ChurchCRM | — | 0.05 | — | 0.01 | — | Dec 17, 2025 | ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file… |
| CVE-2023-31699 | ChurchCRM | — | 0.03 | — | 0.02 | — | May 17, 2023 | ChurchCRM v4.5.4 is vulnerable to Reflected Cross-Site Scripting (XSS) via image file. |
| CVE-2022-31325 | ChurchCRM | — | 0.03 | — | 0.05 | — | Jun 8, 2022 | There is a SQL Injection vulnerability in ChurchCRM 4.4.5 via the 'PersonID' field in /churchcrm/WhyCameEditor.php. |
| CVE-2023-31548 | ChurchCRM | — | 0.02 | — | 0.01 | — | May 31, 2023 | A stored Cross-site scripting (XSS) vulnerability in the FundRaiserEditor.php component of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-25897 | ChurchCRM | — | 0.01 | — | 0.02 | — | Feb 21, 2024 | ChurchCRM 5.5.0 FRCatalog.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter. |
| CVE-2023-26842 | ChurchCRM | — | 0.01 | — | 0.01 | — | May 31, 2023 | A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via OptionManager.php. |
| CVE-2023-26843 | ChurchCRM | — | 0.01 | — | 0.01 | — | Apr 25, 2023 | A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via NoteEditor.php. |
| CVE-2023-25346 | ChurchCRM | — | 0.01 | — | 0.02 | — | Apr 25, 2023 | A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter of /churchcrm/v2/family/not-found. |
| CVE-2026-26059 | ChurchCRM | — | 0.00 | — | 0.00 | — | Feb 19, 2026 | ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would execute when the group was viewed in the Group View. Version 6.8.2 fixes this issue. |
| CVE-2026-24855 | ChurchCRM | — | 0.00 | — | 0.00 | — | Jan 30, 2026 | ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerability that occurs in Create Events in Church Calendar. Users with low privileges can create XSS payloads in the Description field. This payload is stored in… |
| CVE-2026-24854 | ChurchCRM | — | 0.00 | — | 0.00 | — | Jan 30, 2026 | ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID`… |
| CVE-2025-68275 | ChurchCRM | — | 0.00 | — | 0.00 | — | Dec 17, 2025 | ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a stored cross-site scripting vulnerability on the pages `View Active People`, `View Inactive people`, and `View All People`. Version 6.5.3 fixes the issue. |
| CVE-2025-68401 | ChurchCRM | — | 0.00 | — | 0.00 | — | Dec 17, 2025 | ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this content, attacker-controlled JavaScript executes in their browser (stored XSS).… |
| CVE-2025-68400 | ChurchCRM | — | 0.00 | — | 0.00 | — | Dec 17, 2025 | ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint `/Reports/ConfirmReportEmail.php` in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and reachable directly… |
| CVE-2025-68399 | ChurchCRM | — | 0.00 | — | 0.00 | — | Dec 17, 2025 | ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting (XSS) vulnerability within the GroupEditor.php page of the application. When a user attempts to create a group role, they can execute malicious JavaScript.… |
| CVE-2025-68112 | ChurchCRM | — | 0.00 | — | 0.00 | — | Dec 17, 2025 | ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential… |
| CVE-2025-68111 | ChurchCRM | — | 0.00 | — | 0.00 | — | Dec 17, 2025 | ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability exists in the `eGive.php` file within the "ReImport" functionality. An authenticated user with finance privileges can execute arbitrary SQL queries by manipulating the… |