VYPR Vendor CVEs: ChurchCRM

All CVEs: 123 total · sorted by risk
  • CVE-2023-31548 · May 31, 2023
    risk 0.02 · cvss · epss 0.01

    A stored Cross-site scripting (XSS) vulnerability in the FundRaiserEditor.php component of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

  • CVE-2024-25897 · Feb 21, 2024
    risk 0.01 · cvss · epss 0.02

    ChurchCRM 5.5.0 FRCatalog.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter.

  • CVE-2023-26842 · May 31, 2023
    risk 0.01 · cvss · epss 0.01

    A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the OptionManager.php.

  • CVE-2023-26843 · Apr 25, 2023
    risk 0.01 · cvss · epss 0.01

    A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the NoteEditor.php.

  • CVE-2023-25346 · Apr 25, 2023
    risk 0.01 · cvss · epss 0.02

    A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter of /churchcrm/v2/family/not-found.

  • CVE-2026-32880 · Mar 20, 2026
    risk 0.00 · cvss · epss 0.00

    ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in…

  • CVE-2026-26059 · Feb 19, 2026
    risk 0.00 · cvss · epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would execute when the group was viewed in the Group View. Version 6.8.2 fixes this issue.

  • CVE-2026-24855 · Jan 30, 2026
    risk 0.00 · cvss · epss 0.00

    ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerability that occurs in Create Events in Church Calendar. Users with low privileges can create XSS payloads in the Description field. This payload is stored in…

  • CVE-2026-24854 · Jan 30, 2026
    risk 0.00 · cvss · epss 0.00

    ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID`…

  • CVE-2025-68275 · Dec 17, 2025
    risk 0.00 · cvss · epss 0.00

    ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a stored cross-site scripting vulnerability on the pages `View Active People`, `View Inactive people`, and `View All People`. Version 6.5.3 fixes the issue.

  • CVE-2025-68401 · Dec 17, 2025
    risk 0.00 · cvss · epss 0.00

    ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this content, attacker-controlled JavaScript executes in their browser (stored XSS).…

  • CVE-2025-68400 · Dec 17, 2025
    risk 0.00 · cvss · epss 0.00

    ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint `/Reports/ConfirmReportEmail.php` in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and reachable directly…

  • CVE-2025-68399 · Dec 17, 2025
    risk 0.00 · cvss · epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting (XSS) vulnerability within the GroupEditor.php page of the application. When a user attempts to create a group role, they can execute malicious JavaScript.…

  • CVE-2025-68112 · Dec 17, 2025
    risk 0.00 · cvss · epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential…

  • CVE-2025-68111 · Dec 17, 2025
    risk 0.00 · cvss · epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability exists in the `eGive.php` file within the "ReImport" functionality. An authenticated user with finance privileges can execute arbitrary SQL queries by manipulating the…

  • CVE-2025-68110 · Dec 17, 2025
    risk 0.00 · cvss · epss 0.00

    ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and password. Version 6.5.3 fixes the issue.

  • CVE-2025-67877 · Dec 17, 2025
    risk 0.00 · cvss · epss 0.00

    ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the `src/CartToFamily.php` file, specifically in how the `PersonAddress` POST parameter is handled. Unlike other parameters in the same file which are correctly…

  • CVE-2025-67876 · Dec 17, 2025
    risk 0.00 · cvss · epss 0.00

    ChurchCRM is an open-source church management system. A stored cross-site scripting (XSS) vulnerability exists in ChurchCRM versions 6.4.0 and prior that allows a low-privilege user with the “Manage Groups” permission to inject persistent JavaScript into group role names.…

  • CVE-2025-67875 · Dec 17, 2025
    risk 0.00 · cvss · epss 0.00

    ChurchCRM is an open-source church management system. A privilege escalation vulnerability exists in ChurchCRM prior to version 6.5.3. An authenticated user with specific mid-level permissions ("Edit Records" and "Manage Properties and Classifications") can inject a persistent…

  • CVE-2025-66397 · Dec 17, 2025
    risk 0.00 · cvss · epss 0.00

    ChurchCRM is an open-source church management system. Prior to version 6.5.3, the allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk functions in the Kiosk Manager feature suffer from broken access control, allowing any authenticated user to allow and accept kiosk…

  • CVE-2025-66396 · Dec 17, 2025
    risk 0.00 · cvss · epss 0.00

    ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/UserEditor.php` file. When an administrator saves a user's configuration settings, the keys of the `type` POST parameter array are not properly…

  • CVE-2025-66395 · Dec 17, 2025
    risk 0.00 · cvss · epss 0.00

    ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/ListEvents.php` file. When filtering events by type, the `WhichType` POST parameter is not properly sanitized or type-casted before being used in…

  • CVE-2025-67751 · Dec 16, 2025
    risk 0.00 · cvss · epss 0.00

    ChurchCRM is an open-source church management system. Prior to version 6.5.0, a SQL injection vulnerability exists in the `EventEditor.php` file. When creating a new event and selecting an event type, the `EN_tyid` POST parameter is not sanitized. This allows an authenticated…

  • CVE-2025-67874 · Dec 16, 2025
    risk 0.00 · cvss · epss 0.00

    ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify…

  • CVE-2025-66313 · Dec 1, 2025
    risk 0.00 · cvss · epss 0.00

    ChurchCRM is an open-source church management system. In ChurchCRM 6.2.0 and earlier, there is a time-based blind SQL injection in the handling of the 1FieldSec parameter. Injecting SLEEP() causes deterministic server-side delays, proving the value is incorporated into a SQL…

  • CVE-2025-3954 · Apr 26, 2025
    risk 0.00 · cvss · epss 0.00

    A vulnerability, which was classified as problematic, has been found in ChurchCRM 5.16.0. Affected by this issue is some unknown functionality of the component Referer Handler. The manipulation leads to server-side request forgery. The attack may be launched remotely. The…

  • CVE-2025-1135 · Feb 19, 2025
    risk 0.00 · cvss · epss 0.01

    A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL Injection vulnerability in the BatchWinnerEntry functionality. The CurrentFundraiser parameter is directly…

  • CVE-2025-1134 · Feb 19, 2025
    risk 0.00 · cvss · epss 0.01

    A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL Injection vulnerability in the DonatedItemEditor functionality. The CurrentFundraiser parameter is directly…

  • CVE-2025-1133 · Feb 19, 2025
    risk 0.00 · cvss · epss 0.01

    A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based blind SQL Injection vulnerability in the EditEventAttendees functionality. The EID parameter is directly concatenated into an SQL query…

  • CVE-2025-1132 · Feb 19, 2025
    risk 0.00 · cvss · epss 0.01

    A time-based blind SQL Injection vulnerability exists in the ChurchCRM 5.13.0 and prior EditEventAttendees.php within the EN_tyid parameter. The parameter is directly inserted into an SQL query without proper sanitization, allowing attackers to inject malicious SQL commands.…

  • CVE-2025-1024 · Feb 19, 2025
    risk 0.00 · cvss · epss 0.00

    A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting (XSS) in the EditEventAttendees.php page. This requires Administration privileges and affects the EID parameter. The flaw…

  • CVE-2025-1023 · Feb 18, 2025
    risk 0.00 · cvss · epss 0.02

    A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL…

  • CVE-2025-0981 · Feb 18, 2025
    risk 0.00 · cvss · epss 0.00

    A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. This allows admin users to inject malicious JavaScript in the description field,…

  • CVE-2024-53438 · Nov 22, 2024
    risk 0.00 · cvss · epss 0.01

    EventAttendance.php in ChurchCRM 5.7.0 is vulnerable to SQL injection. An attacker can exploit this vulnerability by manipulating the 'Event' parameter, which is directly interpolated into the SQL query without proper sanitization or validation, allowing attackers to execute…

  • CVE-2024-39304 · Jul 26, 2024
    risk 0.00 · cvss · epss 0.03

    ChurchCRM is an open-source church management system. Versions of the application prior to 5.9.2 are vulnerable to an authenticated SQL injection due to an improper sanitization of user input. Authentication is required, but no elevated privileges are necessary. This allows…

  • CVE-2024-25896 · Feb 21, 2024
    risk 0.00 · cvss · epss 0.00

    ChurchCRM 5.5.0 EventEditor.php is vulnerable to Blind SQL Injection (Time-based) via the EID POST parameter.

  • CVE-2024-25892 · Feb 21, 2024
    risk 0.00 · cvss · epss 0.01

    ChurchCRM 5.5.0 ConfirmReport.php is vulnerable to Blind SQL Injection (Time-based) via the familyId GET parameter.

  • CVE-2024-25895 · Feb 21, 2024
    risk 0.00 · cvss · epss 0.00

    A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 5.5.0 allows remote attackers to inject arbitrary web script or HTML via the type parameter of /EventAttendance.php.

  • CVE-2024-25898 · Feb 21, 2024
    risk 0.00 · cvss · epss 0.00

    An XSS vulnerability was found in the ChurchCRM v.5.5.0 functionality, edit your event, where malicious JS or HTML code can be inserted in the Event Sermon field in EventEditor.php.

  • CVE-2024-25893 · Feb 21, 2024
    risk 0.00 · cvss · epss 0.00

    ChurchCRM 5.5.0 FRCertificates.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter.

  • CVE-2024-25891 · Feb 21, 2024
    risk 0.00 · cvss · epss 0.01

    ChurchCRM 5.5.0 FRBidSheets.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter.

  • CVE-2024-25894 · Feb 21, 2024
    risk 0.00 · cvss · epss 0.01

    ChurchCRM 5.5.0 /EventEditor.php is vulnerable to Blind SQL Injection (Time-based) via the EventCount POST parameter.

  • CVE-2020-28848 · Aug 11, 2023
    risk 0.00 · cvss · epss 0.01

    CSV Injection vulnerability in ChurchCRM version 4.2.0, allows remote attackers to execute arbitrary code via crafted CSV file.

  • CVE-2020-28849 · Aug 11, 2023
    risk 0.00 · cvss · epss 0.00

    Cross Site Scripting (XSS) vulnerability in ChurchCRM version 4.2.1, allows remote attackers to execute arbitrary code and gain sensitive information via crafted payload in Add New Deposit field in View All Deposit module.

  • CVE-2023-38769 · Aug 8, 2023
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the searchstring and searchwhat parameters within the /QueryView.php.

  • CVE-2023-38768 · Aug 8, 2023
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the PropertyID parameter within the /QueryView.php.

  • CVE-2023-38762 · Aug 8, 2023
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the friendmonths parameter within the /QueryView.php.

  • CVE-2023-38770 · Aug 8, 2023
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the group parameter within the /QueryView.php.

  • CVE-2023-38764 · Aug 8, 2023
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the birthmonth and percls parameters within the /QueryView.php.

  • CVE-2023-38765 · Aug 8, 2023
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the membermonth parameter within the /QueryView.php.