VYPR

Vendor: ChurchCRM
Products: 2
CVEs: 123 (161 across products)
Status: Private

Recent CVEs (123 total)

  • CVE-2026-42288 | Critical | May 12, 2026
    risk 0.65, CVSS 10.0, EPSS 0.01

    ChurchCRM is an open-source church management system. Prior to 7.3.2, the fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DB_PASSWORD remains fully exploitable. This vulnerability is…

  • CVE-2026-39337 | Critical | Apr 7, 2026
    risk 0.58, CVSS 10.0, EPSS 0.01

    ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to…

  • CVE-2026-42289 | High | May 12, 2026
    risk 0.57, CVSS 8.8, EPSS 0.00

    ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when…

  • CVE-2026-44547 | Critical | May 12, 2026
    risk 0.55, CVSS 9.6, EPSS 0.00

    ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, the fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every…

  • CVE-2026-44548 | High | May 12, 2026
    risk 0.53, CVSS 8.1, EPSS 0.00

    ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php causes a logged-in ChurchCRM user with the relevant role to silently…

  • CVE-2026-39339 | Critical | Apr 7, 2026
    risk 0.53, CVSS 9.1, EPSS 0.01

    ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including…

  • CVE-2026-40582 | Critical | Apr 18, 2026
    risk 0.52, CVSS (none listed), EPSS 0.01

    ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and…

  • CVE-2026-40484 | Critical | Apr 18, 2026
    risk 0.52, CVSS 9.1, EPSS 0.01

    ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which…

  • CVE-2026-35573 | Critical | Apr 7, 2026
    risk 0.52, CVSS 9.1, EPSS 0.01

    ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows authenticated administrators to upload arbitrary files and achieve remote code execution by overwriting Apache .htaccess…

  • CVE-2026-39328 | High | Apr 7, 2026
    risk 0.51, CVSS 8.9, EPSS 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their…

  • CVE-2026-39342 | High | Apr 7, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, the searchwhat parameter via QueryView.php with the QueryID=15 is vulnerable to a SQL injection. The authenticated user requires access to Data/Reports > Query Menu and access to the "Advanced Search" query.…

  • CVE-2026-39334 | High | Apr 7, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsIndividual.php in ChurchCRM 7.0.5. Authenticated users without any specific privileges can inject arbitrary SQL statements through the type…

  • CVE-2026-39333 | High | Apr 7, 2026
    risk 0.50, CVSS 8.7, EPSS 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, the FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd) into HTML input field attributes without proper output encoding for the HTML attribute context. An authenticated attacker can…

  • CVE-2026-39332 | High | Apr 7, 2026
    risk 0.50, CVSS 8.7, EPSS 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires…

  • CVE-2026-39330 | High | Apr 7, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles (ManageGroups) and Edit Records (isEditRecordsEnabled) can…

  • CVE-2026-39329 | High | Apr 7, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames.php in ChurchCRM. Authenticated users with AddEvent privileges can inject SQL via the newEvtTypeCntLst parameter during event type creation. The…

  • CVE-2026-39327 | High | Apr 7, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /MemberRoleChange.php in ChurchCRM 7.0.5. Authenticated users with the role Manage Groups & Roles (ManageGroups) can inject arbitrary SQL statements…

  • CVE-2026-39326 | High | Apr 7, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role isMenuOptionsEnabled can inject arbitrary SQL statements through the Name and…

  • CVE-2026-39319 | High | Apr 7, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, a second-order SQL injection vulnerability was found in the endpoint /FundRaiserEditor.php in ChurchCRM. A user has to be authenticated but doesn't need any privileges. These users can inject arbitrary SQL…

  • CVE-2026-39318 | High | Apr 7, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    ChurchCRM is an open-source church management system. Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints `/GroupPropsFormRowOps.php`, `/PersonCustomFieldsRowOps.php`, and `/FamilyCustomFieldsRowOps.php`. A user has to be authenticated. For…