Lucene search
K

70 matches found

RedhatCVE
RedhatCVE
added 2026/04/20 7:22 p.m.5 views

CVE-2026-40480

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/personId endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson restrictions, the API layer...

7.1CVSS5.7AI score0.00336EPSS
Exploits0References1
CVE
CVE
added 2026/04/17 11:7 p.m.7 views

CVE-2026-40480

ChurchCRM suffers a Missing Object-Level Authorization (IDOR) in GET /api/person/{personId} prior to version 7.2.0, where the API path omits canEditPerson checks and enables any authenticated user with EditSelf privileges to enumerate and read other members’ records containing PII (names, address...

7.1CVSS5.7AI score0.00336EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/04/09 7:23 p.m.3 views

CVE-2026-35578

ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked 'Cancel' button on the page. For...

5.9AI score0.00043EPSS
Exploits0References1
NVD
NVD
added 2026/04/07 6:16 p.m.16 views

CVE-2026-39332

ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting XSS vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocu...

8.7CVSS0.00203EPSS
Exploits0References1
NVD
NVD
added 2026/04/07 6:16 p.m.2 views

CVE-2026-35576

ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting XSS vulnerability exists in ChurchCRM within the Person Property Management subsystem. This issue persists in versions patched for CVE-2023-38766 and allows an authenticated user to inject arbitrar...

8.7CVSS0.00261EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/07 6:5 p.m.2 views

CVE-2026-39319

ChurchCRM is an open-source church management system. Prior to 7.1.0, a second order SQL injection vulnerability was found in the endpoint /FundRaiserEditor.php in ChurchCRM. A user has to be authenticated but doesn't need any privileges. These users can inject arbitrary SQL statements through th...

8.8CVSS6AI score0.00244EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/07 6:2 p.m.1 views

CVE-2026-39342

ChurchCRM is an open-source church management system. Prior to 7.1.0, the searchwhat parameter via QueryView.php with the QueryID=15 is vulnerable to a SQL injection. The authenticated user requires access to Data/Reports Query Menu and access to the "Advanced Search" query. This vulnerability is...

9.4CVSS5.9AI score0.00309EPSS
Exploits1References2Affected Software1
EUVD
EUVD
added 2026/04/07 6:2 p.m.4 views

EUVD-2026-19845

ChurchCRM is an open-source church management system. Prior to 7.1.0, the searchwhat parameter via QueryView.php with the QueryID=15 is vulnerable to a SQL injection. The authenticated user requires access to Data/Reports Query Menu and access to the "Advanced Search" query. This vulnerability is...

9.4CVSS5.9AI score0.00309EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/07 5:58 p.m.196 views

CVE-2026-39339 ChurchCRM has an API Authentication Bypass

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware ChurchCRM/Slim/Middleware/AuthMiddleware.php allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere...

9.1CVSS0.01351EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/07 3:48 p.m.3 views

CVE-2026-35566

REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39319. Reason: This candidate is a duplicate of CVE-2026-39319. Notes: All CVE users should reference CVE-2026-39319 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental...

8.8CVSS5.8AI score0.00244EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/07 12:0 a.m.4 views

PT-2026-30948

ChurchCRM is an open-source church management system. Prior to 7.1.1, there is Stored XSS in group remove control and family editor state/country. This is primarily an admin-to-admin stored XSS path when writable entity fields are abused. This vulnerability is fixed in 7.1.1...

6.1CVSS5.9AI score0.00252EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/01/09 12:41 p.m.7 views

CVE-2023-25347

A stored cross-site scripting XSS vulnerability in ChurchCRM 4.5.3, allows remote attackers to inject arbitrary web script or HTML via input fields. These input fields are located in the "Title" Input Field in EventEditor.php...

5.4CVSS5.4AI score0.00622EPSS
Exploits1References1
CNVD
CNVD
added 2025/12/25 12:0 a.m.2 views

ChurchCRM UserEditor.php File SQL Injection Vulnerability

ChurchCRM is an open source church management system. ChurchCRM suffers from a SQL injection vulnerability that stems from a lack of validation of externally entered SQL statements in the type parameter of the src/UserEditor.php file. No details of the vulnerability are provided at this time...

7.2CVSS5.9AI score0.00346EPSS
Exploits1References1
EUVD
EUVD
added 2025/12/17 9:38 p.m.6 views

EUVD-2025-203987

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potentia...

9.6CVSS7.5AI score0.00371EPSS
Exploits1References1
CNNVD
CNNVD
added 2025/12/16 12:0 a.m.5 views

ChurchCRM 安全漏洞

ChurchCRM is an open source CRM system built for churches by ChurchCRM Open Source. A security vulnerability exists in ChurchCRM versions prior to 6.5.0 that stems from a plaintext password fallback issue that could lead to credential disclosure...

6.9CVSS6.7AI score0.00305EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2025/12/11 5:3 a.m.7 views

CVE-2025-66313

ChurchCRM is an open-source church management system. In ChurchCRM 6.2.0 and earlier, there is a time-based blind SQL injection in the handling of the 1FieldSec parameter. Injecting SLEEP causes deterministic server-side delays, proving the value is incorporated into a SQL query without proper...

7.2CVSS7.9AI score0.0035EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2025/10/19 8:2 a.m.3 views

CVE-2025-11939

A vulnerability was determined in ChurchCRM up to 5.18.0. This issue affects some unknown processing of the file src/ChurchCRM/Backup/RestoreJob.php of the component Backup Restore Handler. Executing a manipulation of the argument restoreFile can lead to path traversal. The attack may be launched...

7.2CVSS5.2AI score0.00949EPSS
Exploits1References4
EUVD
EUVD
added 2025/10/07 12:30 a.m.3 views

EUVD-2020-21240

Malware in sbrugna...

8.8CVSS8.6AI score0.00948EPSS
Exploits1References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.4 views

EUVD-2023-28696

Malicious code in bioql PyPI...

4.8CVSS5.4AI score0.00658EPSS
Exploits1References4
EUVD
EUVD
added 2025/10/03 8:7 p.m.3 views

EUVD-2023-28700

Malicious code in bioql PyPI...

5.4CVSS5.8AI score0.00491EPSS
Exploits1References3
Rows per page
Query Builder