📄 ChurchCRM SQL Injection

ChurchCRM versions prior to 6.5.3 suffer from a remote SQL injection vulnerability in ConfirmReportEmail.php. CVE-2025-68400: ChurchCRM vulnerable to time-based blind SQL Injection in ConfirmReportEmail.php Overview | Field | Details | |---|---| | CVE ID | CVE-2025-68400 | | Severity | CRITICAL |...

CVE-2026-39331

ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply changing the familyId parameter in requests, regardless of whether they possess the required EditRecords privilege...

CVE-2025-68400

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint /Reports/ConfirmReportEmail.php in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and reachable directly via URL. This is a...

EUVD-2025-204001

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint /Reports/ConfirmReportEmail.php in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and reachable directly via URL. This is a...

CVE-2025-68400 ChurchCRM vulnerable to time-based blind SQL Injection in ConfirmReportEmail.php

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint /Reports/ConfirmReportEmail.php in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and reachable directly via URL. This is a...

CVE-2025-68400

ChurchCRM prior to v6.5.3 is affected by a SQL Injection in the legacy endpoint /Reports/ConfirmReportEmail.php. The issue arises from an unvalidated familyId parameter in a historically removed UI feature that remains reachable directly (dead but reachable code). Any authenticated user, even wit...

ChurchCRM SQL注入漏洞

ChurchCRM is an open source church management system. ChurchCRM suffers from a SQL injection vulnerability that originates from the unvalidated familyId parameter in legacy endpoints/Reports/ConfirmReportEmail.php, and no details of the vulnerability are provided at this time...

EUVD-2005-2474

Malware in sbrugna...

CVE-2024-25892

ChurchCRM 5.5.0 ConfirmReport.php is vulnerable to Blind SQL Injection Time-based via the familyId GET parameter...

ChurchCRM Security Breach

ChurchCRM is an open source CRM system for churches. A security vulnerability exists in ChurchCRM version 5.5.0, which stems from a SQL blind time-based vulnerability in the familyId GET parameter of the ConfirmReport.php page...