CRM
by Churchcrm
Source repositories
CVEs (43)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42289 | Hig | 0.57 | 8.8 | 0.00 | May 12, 2026 | ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when… | ||
| CVE-2026-44547 | Cri | 0.55 | 9.6 | 0.00 | May 12, 2026 | ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every… | ||
| CVE-2026-40582 | Cri | 0.52 | — | 0.01 | Apr 18, 2026 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and… | ||
| CVE-2026-40484 | Cri | 0.52 | 9.1 | 0.01 | Apr 18, 2026 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which… | ||
| CVE-2026-40581 | Hig | 0.46 | 8.1 | 0.00 | Apr 18, 2026 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An… | ||
| CVE-2026-38528 | Hig | 0.46 | 7.1 | 0.00 | Apr 14, 2026 | Krayin CRM v2.2.x was discovered to contain a SQL injection vulnerability via the rotten_lead parameter at /Lead/LeadDataGrid.php. | ||
| CVE-2026-40482 | Hig | 0.39 | — | 0.00 | Apr 18, 2026 | ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw SQL. This issue has been fixed in version 7.2.0. | ||
| CVE-2026-40480 | Hig | 0.39 | — | 0.00 | Apr 18, 2026 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson()… | ||
| CVE-2025-70936 | Med | 0.35 | 5.4 | 0.00 | Apr 13, 2026 | Vtiger CRM 8.4.0 contains a reflected cross-site scripting (XSS) vulnerability in the MailManager module. Improper handling of user-controlled input in the _folder parameter allows a specially crafted, double URL-encoded payload to be reflected and executed in the context of an… | ||
| CVE-2026-39941 | Med | 0.33 | 6.1 | 0.00 | Apr 9, 2026 | ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vulnerability allows attacker-supplied input sent via a the EName and EDesc parameters in EditEventAttendees.php to be rendered in a page without proper output encoding, enabling arbitrary JavaScript… | ||
| CVE-2026-35572 | Med | 0.32 | 6.0 | 0.00 | Apr 7, 2026 | ChurchCRM is an open-source church management system. Prior to 6.5.3, it is possible to trigger server-side HTTP/HTTPS requests to arbitrary hosts (SSRF) by supplying a crafted URL in the Referer request header. The server subsequently makes an outbound request to the… | ||
| CVE-2026-40483 | Med | 0.28 | 5.4 | 0.00 | Apr 18, 2026 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes without escaping via htmlspecialchars(). An authenticated user with Finance permissions can inject HTML… | ||
| CVE-2026-40485 | Med | 0.27 | 5.3 | 0.00 | Apr 18, 2026 | ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with… | ||
| CVE-2025-62521 | 0.08 | — | 0.04 | Dec 17, 2025 | ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to… | |||
| CVE-2025-68109 | 0.05 | — | 0.01 | Dec 17, 2025 | ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file… | |||
| CVE-2022-31325 | 0.03 | — | 0.05 | Jun 8, 2022 | There is a SQL Injection vulnerability in ChurchCRM 4.4.5 via the 'PersonID' field in /churchcrm/WhyCameEditor.php. | |||
| CVE-2023-25346 | 0.01 | — | 0.02 | Apr 25, 2023 | A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter of /churchcrm/v2/family/not-found. | |||
| CVE-2026-32880 | 0.00 | — | 0.00 | Mar 20, 2026 | ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in… | |||
| CVE-2026-26059 | 0.00 | — | 0.00 | Feb 19, 2026 | ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would execute when the group was viewed in the Group View. Version 6.8.2 fixes this issue. | |||
| CVE-2026-24855 | 0.00 | — | 0.00 | Jan 30, 2026 | ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerability occurs in Create Events in Church Calendar. Users with low privileges can create XSS payloads in the Description field. This payload is stored in… |
- risk 0.57cvss 8.8epss 0.00
ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when…
- risk 0.55cvss 9.6epss 0.00
ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every…
- risk 0.52cvss —epss 0.01
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and…
- risk 0.52cvss 9.1epss 0.01
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which…
- risk 0.46cvss 8.1epss 0.00
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An…
- risk 0.46cvss 7.1epss 0.00
Krayin CRM v2.2.x was discovered to contain a SQL injection vulnerability via the rotten_lead parameter at /Lead/LeadDataGrid.php.
- risk 0.39cvss —epss 0.00
ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw SQL. This issue has been fixed in version 7.2.0.
- risk 0.39cvss —epss 0.00
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson()…
- risk 0.35cvss 5.4epss 0.00
Vtiger CRM 8.4.0 contains a reflected cross-site scripting (XSS) vulnerability in the MailManager module. Improper handling of user-controlled input in the _folder parameter allows a specially crafted, double URL-encoded payload to be reflected and executed in the context of an…
- risk 0.33cvss 6.1epss 0.00
ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vulnerability allows attacker-supplied input sent via a the EName and EDesc parameters in EditEventAttendees.php to be rendered in a page without proper output encoding, enabling arbitrary JavaScript…
- risk 0.32cvss 6.0epss 0.00
ChurchCRM is an open-source church management system. Prior to 6.5.3, it is possible to trigger server-side HTTP/HTTPS requests to arbitrary hosts (SSRF) by supplying a crafted URL in the Referer request header. The server subsequently makes an outbound request to the…
- risk 0.28cvss 5.4epss 0.00
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes without escaping via htmlspecialchars(). An authenticated user with Finance permissions can inject HTML…
- risk 0.27cvss 5.3epss 0.00
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with…
- CVE-2025-62521Dec 17, 2025risk 0.08cvss —epss 0.04
ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to…
- CVE-2025-68109Dec 17, 2025risk 0.05cvss —epss 0.01
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file…
- CVE-2022-31325Jun 8, 2022risk 0.03cvss —epss 0.05
There is a SQL Injection vulnerability in ChurchCRM 4.4.5 via the 'PersonID' field in /churchcrm/WhyCameEditor.php.
- CVE-2023-25346Apr 25, 2023risk 0.01cvss —epss 0.02
A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter of /churchcrm/v2/family/not-found.
- CVE-2026-32880Mar 20, 2026risk 0.00cvss —epss 0.00
ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in…
- CVE-2026-26059Feb 19, 2026risk 0.00cvss —epss 0.00
ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would execute when the group was viewed in the Group View. Version 6.8.2 fixes this issue.
- CVE-2026-24855Jan 30, 2026risk 0.00cvss —epss 0.00
ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerability occurs in Create Events in Church Calendar. Users with low privileges can create XSS payloads in the Description field. This payload is stored in…
Page 1 of 3