19 matches found
CVE-2026-24854
ChurchCRM prior to 6.7.2 is vulnerable to an authenticated SQL injection in PaddleNumEditor.php where the PerID parameter is concatenated into queries. The PoC and Red Hat/NVD entries confirm an injection that can affect multiple records and logic, with the fix incorporating explicit (int) castin...
CVE-2025-1135
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL Injection vulnerability in the BatchWinnerEntry functionality. The CurrentFundraiser parameter is directly concatenated into an SQL...
CVE-2025-1134
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL Injection vulnerability in the DonatedItemEditor functionality. The CurrentFundraiser parameter is directly concatenated into an SQL...
EUVD-2023-28694
Malicious code in bioql PyPI...
EUVD-2025-4717
Malicious code in bioql PyPI...
CVE-2023-24684
ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the EID parameter at GetText.php...
ChurchCRM 5.9.1 - SQL Injection
Exploit Title: ChurchCRM 5.9.1 - SQL Injection
Author: Sanan Qasimzada
Date: 06.07.2024
Vendor: http://churchcrm.io/
Software: https://github.com/ChurchRM/CRM
Reference: https://portswigger.net/web-security/sql-injection
Description: In the manual insertion point 1 - parameter EID appears to be...
CVE-2025-1023
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL query without proper...
CVE-2025-1133
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based blind SQL Injection vulnerability in the EditEventAttendees functionality. The EID parameter is directly concatenated into an SQL query without proper...
CVE-2025-1135
CVE-2025-1135 (ChurchCRM) affects ChurchCRM 5.13.0 and earlier. The flaw is a boolean-based and time-based blind SQL injection in the BatchWinnerEntry feature where the CurrentFundraiser parameter is directly concatenated into an SQL query, enabling an attacker with administrator privileges to ma...
CVE-2025-1134
CVE-2025-1134 affects ChurchCRM 5.13.0 and earlier. The vulnerability is a boolean-based and time-based blind SQL Injection in the DonatedItemEditor/DonateItemEditor functionality, where the CurrentFundraiser parameter is directly concatenated into an SQL query without proper sanitization, enabli...
CVE-2025-1132
CVE-2025-1132 affects ChurchCRM 5.13.0 and earlier (EditEventAttendees.php, EN_tyid parameter). The issue arises from directly inserting the EN_tyid input into an SQL query without proper sanitization, leading to a time-based blind SQL injection. The vulnerability is described as allowing attacke...
CVE-2025-1132 SQL Injection in ChurchCRM EN_tyid Parameter via EditEventAttendees.php
A time-based blind SQL Injection vulnerability exists in ChurchCRM 5.13.0 and prior in EditEventAttendees.php within the EN_tyid parameter. The parameter is directly inserted into an SQL query without proper sanitization, allowing attackers to inject malicious SQL commands. Please note that the...
CVE-2024-25897
ChurchCRM 5.5.0 FRCatalog.php is vulnerable to Blind SQL Injection Time-based via the CurrentFundraiser GET parameter...
PT-2023-26601 · Churchcrm · Churchcrm
Name of the Vulnerable Software and Affected Versions: ChurchCRM version 5.0.0 Description: A SQL injection issue allows a remote attacker to obtain sensitive information via the volopp1 and volopp2 parameters within the "/QueryView.php" API endpoint. Recommendations: For ChurchCRM version 5.0.0,...