2 matches found
CVE-2026-44547 ChurchCRM: Incomplete fix for CVE-2026-40582: public API login still bypasses 2FA and account lockout in ChurchCRM 7.2.2
ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release...
CVE-2026-40582
ChurchCRM prior to version 7.2.0 had an authentication bypass in the /api/public/user/login endpoint. It returned the user’s API key after validating only username and password, bypassing account lockout and 2FA checks, enabling access to protected API endpoints with the user’s privileges if the ...