Unity Linux 20.1070a Security Update: pcs (UTSA-2026-007275)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007275 advisory. Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's...

CVE-2026-35572

ChurchCRM is an open-source church management system. Prior to 6.5.3, it is possible to trigger server-side HTTP/HTTPS requests to arbitrary hosts SSRF by supplying a crafted URL in the Referer request header. The server subsequently makes an outbound request to the attacker-controlled domain,...

EUVD-2026-19773

ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting Stored XSS vulnerability in the admin panel’s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically when an administrator...

ChurchCRM 安全漏洞

ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 6.5.3 contained security vulnerabilities. These vulnerabilities stemmed from the use of a specially crafted URL in the Referer request header, which could trigger server-side HTTP/HTTPS requests to...

PT-2026-30939

ChurchCRM is an open-source church management system. Prior to 6.5.3, it is possible to trigger server-side HTTP/HTTPS requests to arbitrary hosts SSRF by supplying a crafted URL in the Referer request header. The server subsequently makes an outbound request to the attacker-controlled domain,...

ChurchCRM 代码问题漏洞

ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 6.5.3 had code vulnerabilities. These vulnerabilities stemmed from path traversal vulnerabilities in the backup restoration function, which could allow authenticated administrators to upload arbitrary...

WordPress Essential Addons for Elementor plugin <= 6.5.3 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Bonds in WordPress Plugin Essential Addons for Elementor versions = 6.5.3...

CVE-2025-69092 WordPress Essential Addons for Elementor plugin <= 6.5.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows DOM-Based XSS.This issue affects Essential Addons for Elementor: from n/a through = 6.5.3...

SUSE CVE-2025-67725

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation...

CVE-2025-66395

ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the src/ListEvents.php file. When filtering events by type, the WhichType POST parameter is not properly sanitized or type-casted before being used in multiple SQL queries. This...

CVE-2025-68400

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint /Reports/ConfirmReportEmail.php in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and reachable directly via URL. This is a...

CVE-2025-68110

ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and password. Version 6.5.3 fixes the issue...

CVE-2025-66397

ChurchCRM is an open-source church management system. Prior to version 6.5.3, the allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk functions in the Kiosk Manager feature suffers from broken access control, allowing any authenticated user to allow and accept kiosk registrations, and...

EUVD-2025-204001

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint /Reports/ConfirmReportEmail.php in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and reachable directly via URL. This is a...

EUVD-2025-203988

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability exists in the eGive.php file within the "ReImport" functionality. An authenticated user with finance privileges can execute arbitrary SQL queries by manipulating the MissingEgiveFamID...

CVE-2025-68110 ChurchCRM discloses database information on error message

ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and password. Version 6.5.3 fixes the issue...

CVE-2025-68110

ChurchCRM has an information-disclosure vulnerability: versions prior to 6.5.3 may reveal database credentials (host, IP, username, password) in an error message. The issue is fixed in version 6.5.3. No exploit details are provided in the connected documents; impact is information disclosure. Aff...

CVE-2025-67877 ChurchCRM SQL Injection Vulnerability

ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the src/CartToFamily.php file, specifically in how the PersonAddress POST parameter is handled. Unlike other parameters in the same file which are correctly cast to integers using t...

CVE-2025-67877

ChurchCRM before version 6.5.3 has a SQL injection vulnerability in src/CartToFamily.php related to handling of the PersonAddress POST parameter. Unlike other parameters, PersonAddress is not explicitly cast to an integer, enabling injection of arbitrary SQL statements into the query. The issue i...

CVE-2025-66397

ChurchCRM’s CVE-2025-66397 describes an access-control flaw in the Kiosk Manager: prior to version 6.5.3, any authenticated user could perform actions such as allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk. Affected software is ChurchCRM, specifically the Kiosk Manager functions. ...