VYPR

CRM by Churchcrm

CVEs (43)

  • CVE-2026-42289 | High | May 12, 2026
    risk 0.57 | cvss 8.8 | epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when…

  • CVE-2026-44547 | Critical | May 12, 2026
    risk 0.55 | cvss 9.6 | epss 0.00

    ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, the fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every…

  • CVE-2026-40582 | Critical | Apr 18, 2026
    risk 0.52 | cvss n/a | epss 0.01

    ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and…

  • CVE-2026-40484 | Critical | Apr 18, 2026
    risk 0.52 | cvss 9.1 | epss 0.01

    ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which…

  • CVE-2026-40581 | High | Apr 18, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An…

  • CVE-2026-38528 | High | Apr 14, 2026
    risk 0.46 | cvss 7.1 | epss 0.00

    Krayin CRM v2.2.x was discovered to contain a SQL injection vulnerability via the rotten_lead parameter at /Lead/LeadDataGrid.php.

  • CVE-2026-40482 | High | Apr 18, 2026
    risk 0.39 | cvss n/a | epss 0.00

    ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw SQL. This issue has been fixed in version 7.2.0.

  • CVE-2026-40480 | High | Apr 18, 2026
    risk 0.39 | cvss n/a | epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson()…

  • CVE-2025-70936 | Medium | Apr 13, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    Vtiger CRM 8.4.0 contains a reflected cross-site scripting (XSS) vulnerability in the MailManager module. Improper handling of user-controlled input in the _folder parameter allows a specially crafted, double URL-encoded payload to be reflected and executed in the context of an…

  • CVE-2026-39941 | Medium | Apr 9, 2026
    risk 0.33 | cvss 6.1 | epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vulnerability allows attacker-supplied input sent via the EName and EDesc parameters in EditEventAttendees.php to be rendered in a page without proper output encoding, enabling arbitrary JavaScript…

  • CVE-2026-35572 | Medium | Apr 7, 2026
    risk 0.32 | cvss 6.0 | epss 0.00

    ChurchCRM is an open-source church management system. Prior to 6.5.3, it is possible to trigger server-side HTTP/HTTPS requests to arbitrary hosts (SSRF) by supplying a crafted URL in the Referer request header. The server subsequently makes an outbound request to the…

  • CVE-2026-40483 | Medium | Apr 18, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes without escaping via htmlspecialchars(). An authenticated user with Finance permissions can inject HTML…

  • CVE-2026-40485 | Medium | Apr 18, 2026
    risk 0.27 | cvss 5.3 | epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with…

  • CVE-2025-62521 | Dec 17, 2025
    risk 0.08 | cvss n/a | epss 0.04

    ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to…

  • CVE-2025-68109 | Dec 17, 2025
    risk 0.05 | cvss n/a | epss 0.01

    ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file…

  • CVE-2022-31325 | Jun 8, 2022
    risk 0.03 | cvss n/a | epss 0.05

    There is a SQL Injection vulnerability in ChurchCRM 4.4.5 via the 'PersonID' field in /churchcrm/WhyCameEditor.php.

  • CVE-2023-25346 | Apr 25, 2023
    risk 0.01 | cvss n/a | epss 0.02

    A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter of /churchcrm/v2/family/not-found.

  • CVE-2026-32880 | Mar 20, 2026
    risk 0.00 | cvss n/a | epss 0.00

    ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in…

  • CVE-2026-26059 | Feb 19, 2026
    risk 0.00 | cvss n/a | epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would execute when the group was viewed in the Group View. Version 6.8.2 fixes this issue.

  • CVE-2026-24855 | Jan 30, 2026
    risk 0.00 | cvss n/a | epss 0.00

    ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a stored cross-site scripting (XSS) vulnerability in Create Events in Church Calendar. Users with low privileges can create XSS payloads in the Description field. This payload is stored in…
