VYPR

Churchcrm

by Churchcrm

CVEs (118)

  • CVE-2026-40485 (Med), Apr 18, 2026
    risk 0.27, cvss 5.3, epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with…

  • CVE-2026-39940 (Med), Apr 13, 2026
    risk 0.27, cvss n/a, epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked 'Cancel'…

  • CVE-2025-62521, Dec 17, 2025
    risk 0.08, cvss n/a, epss 0.04

    ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to…

  • CVE-2025-68109, Dec 17, 2025
    risk 0.05, cvss n/a, epss 0.01

    ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file…

  • CVE-2023-31699, May 17, 2023
    risk 0.03, cvss n/a, epss 0.02

    ChurchCRM v4.5.4 is vulnerable to Reflected Cross-Site Scripting (XSS) via image file.

  • CVE-2022-31325, Jun 8, 2022
    risk 0.03, cvss n/a, epss 0.05

    There is a SQL Injection vulnerability in ChurchCRM 4.4.5 via the 'PersonID' field in /churchcrm/WhyCameEditor.php.

  • CVE-2023-31548, May 31, 2023
    risk 0.02, cvss n/a, epss 0.01

    A stored Cross-site scripting (XSS) vulnerability in the FundRaiserEditor.php component of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

  • CVE-2024-25897, Feb 21, 2024
    risk 0.01, cvss n/a, epss 0.02

    ChurchCRM 5.5.0 FRCatalog.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter.

  • CVE-2023-26842, May 31, 2023
    risk 0.01, cvss n/a, epss 0.01

    A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the OptionManager.php.

  • CVE-2023-26843, Apr 25, 2023
    risk 0.01, cvss n/a, epss 0.01

    A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the NoteEditor.php.

  • CVE-2023-25346, Apr 25, 2023
    risk 0.01, cvss n/a, epss 0.02

    A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter of /churchcrm/v2/family/not-found.

  • CVE-2026-26059, Feb 19, 2026
    risk 0.00, cvss n/a, epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would execute when the group was viewed in the Group View. Version 6.8.2 fixes this issue.

  • CVE-2026-24855, Jan 30, 2026
    risk 0.00, cvss n/a, epss 0.00

    ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerability that occurs in Create Events in Church Calendar. Users with low privileges can create XSS payloads in the Description field. This payload is stored in…

  • CVE-2026-24854, Jan 30, 2026
    risk 0.00, cvss n/a, epss 0.00

    ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID`…

  • CVE-2025-68275, Dec 17, 2025
    risk 0.00, cvss n/a, epss 0.00

    ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a stored cross-site scripting vulnerability on the pages `View Active People`, `View Inactive people`, and `View All People`. Version 6.5.3 fixes the issue.

  • CVE-2025-68401, Dec 17, 2025
    risk 0.00, cvss n/a, epss 0.00

    ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this content, attacker-controlled JavaScript executes in their browser (stored XSS).…

  • CVE-2025-68400, Dec 17, 2025
    risk 0.00, cvss n/a, epss 0.00

    ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint `/Reports/ConfirmReportEmail.php` in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and reachable directly…

  • CVE-2025-68399, Dec 17, 2025
    risk 0.00, cvss n/a, epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting (XSS) vulnerability within the GroupEditor.php page of the application. When a user attempts to create a group role, they can execute malicious JavaScript.…

  • CVE-2025-68112, Dec 17, 2025
    risk 0.00, cvss n/a, epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential…

  • CVE-2025-68111, Dec 17, 2025
    risk 0.00, cvss n/a, epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability exists in the `eGive.php` file within the "ReImport" functionality. An authenticated user with finance privileges can execute arbitrary SQL queries by manipulating the…

Page 3 of 6