VYPR

Vendor CVEs

Churchcrm

All CVEs

123 total · sorted by risk
  • CVE-2026-42288CriMay 12, 2026
    risk 0.65cvss 10.0epss 0.01

    ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DB_PASSWORD remains fully exploitable This vulnerability is…

  • CVE-2026-39337CriApr 7, 2026
    risk 0.58cvss 10.0epss 0.01

    ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to…

  • CVE-2026-42289HigMay 12, 2026
    risk 0.57cvss 8.8epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when…

  • CVE-2026-44547CriMay 12, 2026
    risk 0.55cvss 9.6epss 0.00

    ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every…

  • CVE-2026-44548HigMay 12, 2026
    risk 0.53cvss 8.1epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php causes a logged-in ChurchCRM user with the relevant role to silently…

  • CVE-2026-39339CriApr 7, 2026
    risk 0.53cvss 9.1epss 0.01

    ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including…

  • CVE-2026-40582CriApr 18, 2026
    risk 0.52cvss epss 0.01

    ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and…

  • CVE-2026-40484CriApr 18, 2026
    risk 0.52cvss 9.1epss 0.01

    ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which…

  • CVE-2026-35573CriApr 7, 2026
    risk 0.52cvss 9.1epss 0.01

    ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows authenticated administrators to upload arbitrary files and achieve remote code execution by overwriting Apache .htaccess…

  • CVE-2026-39328HigApr 7, 2026
    risk 0.51cvss 8.9epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their…

  • CVE-2026-39342HigApr 7, 2026
    risk 0.50cvss 8.8epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, the searchwhat parameter via QueryView.php with the QueryID=15 is vulnerable to a SQL injection. The authenticated user requires access to Data/Reports > Query Menu and access to the "Advanced Search" query.…

  • CVE-2026-39334HigApr 7, 2026
    risk 0.50cvss 8.8epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsIndividual.php in ChurchCRM 7.0.5. Authenticated users without any specific privileges can inject arbitrary SQL statements through the type…

  • CVE-2026-39333HigApr 7, 2026
    risk 0.50cvss 8.7epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, he FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd) into HTML input field attributes without proper output encoding for the HTML attribute context. An authenticated attacker can…

  • CVE-2026-39332HigApr 7, 2026
    risk 0.50cvss 8.7epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires…

  • CVE-2026-39330HigApr 7, 2026
    risk 0.50cvss 8.8epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles (ManageGroups) and Edit Records (isEditRecordsEnabled) can…

  • CVE-2026-39329HigApr 7, 2026
    risk 0.50cvss 8.8epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames.php in ChurchCRM. Authenticated users with AddEvent privileges can inject SQL via the newEvtTypeCntLst parameter during event type creation. The…

  • CVE-2026-39327HigApr 7, 2026
    risk 0.50cvss 8.8epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /MemberRoleChange.php in ChurchCRM 7.0.5. Authenticated users with the role Manage Groups & Roles (ManageGroups) can inject arbitrary SQL statements…

  • CVE-2026-39326HigApr 7, 2026
    risk 0.50cvss 8.8epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role isMenuOptionsEnabled can inject arbitrary SQL statements through the Name and…

  • CVE-2026-39319HigApr 7, 2026
    risk 0.50cvss 8.8epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, a second order SQL injection vulnerability was found in the endpoint /FundRaiserEditor.php in ChurchCRM. A user has to be authenticated but doesn't need any privileges. These users can inject arbitrary SQL…

  • CVE-2026-39318HigApr 7, 2026
    risk 0.50cvss 8.8epss 0.00

    ChurchCRM is an open-source church management system. Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints `/GroupPropsFormRowOps.php`, `/PersonCustomFieldsRowOps.php`, and `/FamilyCustomFieldsRowOps.php`. A user has to be authenticated. For…

  • CVE-2026-35576HigApr 7, 2026
    risk 0.50cvss 8.7epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the Person Property Management subsystem. This issue persists in versions patched for CVE-2023-38766 and allows an authenticated…

  • CVE-2026-40581HigApr 18, 2026
    risk 0.46cvss 8.1epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An…

  • CVE-2026-38528HigApr 14, 2026
    risk 0.46cvss 7.1epss 0.00

    Krayin CRM v2.2.x was discovered to contain a SQL injection vulnerability via the rotten_lead parameter at /Lead/LeadDataGrid.php.

  • CVE-2026-39344HigApr 7, 2026
    risk 0.46cvss 8.1epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting (XSS) vulnerability on the login page, which is caused by the lack of sanitization or encoding of the username parameter received from the URL. The username parameter…

  • CVE-2026-39341HigApr 7, 2026
    risk 0.46cvss 8.1epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, the application is vulnerable to time-based SQL injection due to an improper input validation. Endpoint Reports/ConfirmReportEmail.php?familyId= is not correctly sanitising user input, specifically, the…

  • CVE-2026-39340HigApr 7, 2026
    risk 0.46cvss 8.1epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property type categories (People → Person Properties / Family Properties). The…

  • CVE-2026-39331HigApr 7, 2026
    risk 0.46cvss 8.1epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply changing the {familyId} parameter in requests, regardless of whether they possess the required EditRecords…

  • CVE-2026-35575HigApr 7, 2026
    risk 0.45cvss 8.0epss 0.00

    ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel’s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically…

  • CVE-2026-35534HigApr 7, 2026
    risk 0.42cvss 7.6epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText() as an output sanitizer for HTML attribute context. The function only strips HTML tags, it does not…

  • CVE-2026-39343HigApr 7, 2026
    risk 0.40cvss 7.2epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in the EditEventTypes.php file, which is only accessible to administrators. The EN_tyid POST parameter is not sanitized before being used in a SQL query, allowing an…

  • CVE-2026-39325HigApr 7, 2026
    risk 0.40cvss 7.2epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsUser.php in ChurchCRM 7.0.5. Authenticated administrative users can inject arbitrary SQL statements through the type array parameter via the…

  • CVE-2026-35574HigApr 7, 2026
    risk 0.40cvss 7.3epss 0.00

    ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM's Note Editor allows authenticated users with note-adding permissions to execute arbitrary JavaScript code in the context of other users'…

  • CVE-2025-11529HigOct 9, 2025
    risk 0.40cvss 7.3epss 0.01

    A security flaw has been discovered in ChurchCRM up to 5.18.0. This impacts the function AuthMiddleware of the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed…

  • CVE-2026-40482HigApr 18, 2026
    risk 0.39cvss epss 0.00

    ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw SQL. This issue has been fixed in version 7.2.0.

  • CVE-2026-40480HigApr 18, 2026
    risk 0.39cvss epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson()…

  • CVE-2025-11938MedOct 19, 2025
    risk 0.36cvss 5.6epss 0.01

    A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing a manipulation of the argument DB_PASSWORD/ROOT_PATH/URL results in deserialization. The attack may be initiated remotely. The attack's…

  • CVE-2025-70936MedApr 13, 2026
    risk 0.35cvss 5.4epss 0.00

    Vtiger CRM 8.4.0 contains a reflected cross-site scripting (XSS) vulnerability in the MailManager module. Improper handling of user-controlled input in the _folder parameter allows a specially crafted, double URL-encoded payload to be reflected and executed in the context of an…

  • CVE-2026-39941MedApr 9, 2026
    risk 0.33cvss 6.1epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vulnerability allows attacker-supplied input sent via a the EName and EDesc parameters in EditEventAttendees.php to be rendered in a page without proper output encoding, enabling arbitrary JavaScript…

  • CVE-2026-39338MedApr 7, 2026
    risk 0.33cvss 6.1epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM dashboard. The application fails to sanitize or encode user-supplied input prior to rendering it…

  • CVE-2026-39336MedApr 7, 2026
    risk 0.33cvss 6.1epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered into address fields, and external self-registration form defaults. This is…

  • CVE-2026-39335MedApr 7, 2026
    risk 0.33cvss 6.1epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.1.1, there is Stored XSS in group remove control and family editor state/country. This is primarily an admin-to-admin stored XSS path when writable entity fields are abused. This vulnerability is fixed in 7.1.1.

  • CVE-2026-35572MedApr 7, 2026
    risk 0.32cvss 6.0epss 0.00

    ChurchCRM is an open-source church management system. Prior to 6.5.3, it is possible to trigger server-side HTTP/HTTPS requests to arbitrary hosts (SSRF) by supplying a crafted URL in the Referer request header. The server subsequently makes an outbound request to the…

  • CVE-2025-11939MedOct 19, 2025
    risk 0.31cvss 4.7epss 0.01

    A vulnerability was determined in ChurchCRM up to 5.18.0. This issue affects some unknown processing of the file src/ChurchCRM/Backup/RestoreJob.php of the component Backup Restore Handler. Executing a manipulation of the argument restoreFile can lead to path traversal. The…

  • CVE-2026-40483MedApr 18, 2026
    risk 0.28cvss 5.4epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes without escaping via htmlspecialchars(). An authenticated user with Finance permissions can inject HTML…

  • CVE-2026-40485MedApr 18, 2026
    risk 0.27cvss 5.3epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with…

  • CVE-2026-39940MedApr 13, 2026
    risk 0.27cvss epss 0.00

    ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked 'Cancel'…

  • CVE-2025-62521Dec 17, 2025
    risk 0.08cvss epss 0.04

    ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to…

  • CVE-2025-68109Dec 17, 2025
    risk 0.05cvss epss 0.01

    ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file…

  • CVE-2023-31699May 17, 2023
    risk 0.03cvss epss 0.02

    ChurchCRM v4.5.4 is vulnerable to Reflected Cross-Site Scripting (XSS) via image file.

  • CVE-2022-31325Jun 8, 2022
    risk 0.03cvss epss 0.05

    There is a SQL Injection vulnerability in ChurchCRM 4.4.5 via the 'PersonID' field in /churchcrm/WhyCameEditor.php.

Page 1 of 3