Lucene search
+L

60 matches found

CVE
CVE
added 2026/06/24 2:29 a.m.30 views

CVE-2026-3652

CVE-2026-3652: The ARForms WordPress plugin is vulnerable to an Unauthenticated Stored Cross-Site Scripting (XSS) via the value parameter of the arf_save_incomplete_form_data AJAX action. Affected are all versions up to 7.1.3. The root cause is insufficient input sanitization and output escaping,...

7.2CVSS6AI score0.0019EPSS
Exploits0References2
OSV
OSV
added 2026/06/10 10:5 p.m.4 views

CVE-2026-53463 ImageMagick: Null Pointer Dereference in distort operation when passing incorrect arguments

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, when passing incorrect arguments in the distort operation a null pointer deference will occur. This issue has been patched in versions 6.9.13-50 and 7.1.2-25...

4.3CVSS5.9AI score0.00187EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/25 12:0 a.m.9 views

TOTOLINK A8000RU 操作系统命令注入漏洞

The TOTOLINK A8000RU is a wireless router from China's Gion Electronics TOTOLINK. The Totolink A8000RU version 7.1cu.643b20200521 suffers from an OS command injection vulnerability that originates from the parameter of the function setFirewallType in the Web Management Interface component file...

10CVSS7.3AI score0.01732EPSS
Exploits0References5
OSV
OSV
added 2026/04/13 9:43 p.m.2 views

CVE-2026-40312 ImageMagick: Off-by-One in MSL decoder could result in crash

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, an off by one error in the MSL decoder could result in a crash when a malicous MSL file is read. This issue has been fixed in version 7.1.2-19...

6.2CVSS5.9AI score0.00177EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/04/08 7:34 p.m.5 views

CVE-2026-39344

ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting XSS vulnerability on the login page, which is caused by the lack of sanitization or encoding of the username parameter received from the URL. The username parameter value is directly...

8.1CVSS5.9AI score0.00256EPSS
Exploits0References1
CVE
CVE
added 2026/04/08 8:30 a.m.17 views

CVE-2026-39618

CVE-2026-39618 affects the WordPress NewsExo theme (themlerile) up to version 7.1. The issue is a Cross-Site Request Forgery (CSRF) vulnerability in NewsExo newsexo that could allow an attacker to induce a user to perform unwanted actions. The available connected sources confirm the vulnerability...

4.3CVSS5.9AI score0.00107EPSS
Exploits0References1
NVD
NVD
added 2026/04/07 6:16 p.m.17 views

CVE-2026-39331

ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply changing the familyId parameter in requests, regardless of whether they possess the required EditRecords privilege...

8.1CVSS0.00214EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/07 6:3 p.m.4 views

CVE-2026-39343

ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in the EditEventTypes.php file, which is only accessible to administrators. The ENtyid POST parameter is not sanitized before being used in a SQL query, allowing an administrator to execute...

7.2CVSS6.2AI score0.00254EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/07 6:2 p.m.1 views

CVE-2026-39342

ChurchCRM is an open-source church management system. Prior to 7.1.0, the searchwhat parameter via QueryView.php with the QueryID=15 is vulnerable to a SQL injection. The authenticated user requires access to Data/Reports Query Menu and access to the "Advanced Search" query. This vulnerability is...

9.4CVSS5.9AI score0.00309EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/07 6:1 p.m.1 views

CVE-2026-39341 SQL injection in ChurchCRM.0

ChurchCRM is an open-source church management system. Prior to 7.1.0, the application is vulnerable to time-based SQL injection due to an improper input validation. Endpoint Reports/ConfirmReportEmail.php?familyId= is not correctly sanitising user input, specifically, the sanitised input is not...

8.1CVSS5.9AI score0.0028EPSS
Exploits1References1
EUVD
EUVD
added 2026/04/07 6:1 p.m.9 views

EUVD-2026-19843

ChurchCRM is an open-source church management system. Prior to 7.1.0, The application is vulnerable to time-based SQL injection due to an improper input validation. Endpoint Reports/ConfirmReportEmail.php?familyId= is not correctly sanitising user input, specifically, the sanitised input is not...

8.1CVSS5.9AI score0.0028EPSS
Exploits1References1
CVE
CVE
added 2026/04/07 6:0 p.m.19 views

CVE-2026-39340

ChurchCRM prior to 7.1.0 contains a SQL injection in PropertyTypeEditor.php (administration for Person/Family Properties). Replacing legacyFilterInput() (strips HTML and escapes SQL) with sanitizeText() (strips HTML only) causes user-supplied Name/Description values to be concatenated into raw IN...

8.1CVSS5.9AI score0.00226EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/07 5:58 p.m.4 views

CVE-2026-39339 ChurchCRM has an API Authentication Bypass

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware ChurchCRM/Slim/Middleware/AuthMiddleware.php allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere...

9.1CVSS5.9AI score0.01351EPSS
Exploits0References1
OSV
OSV
added 2026/04/07 5:58 p.m.2 views

CVE-2026-39339 ChurchCRM has an API Authentication Bypass

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware ChurchCRM/Slim/Middleware/AuthMiddleware.php allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere...

9.1CVSS6AI score0.01351EPSS
Exploits0References3
CVE
CVE
added 2026/04/07 5:58 p.m.8 views

CVE-2026-39339

CVE-2026-39339 describes a critical authentication bypass in ChurchCRM prior to version 7.1.0. An unauthenticated attacker can access all protected API endpoints by including meaningful strings like "api/public" anywhere in the request URL, exposing church member data and system information. The ...

9.1CVSS5.9AI score0.01351EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/07 5:38 p.m.4 views

CVE-2026-39333

ChurchCRM is an open-source church management system. Prior to 7.1.0, he FindFundRaiser.php endpoint reflects user-supplied input DateStart and DateEnd into HTML input field attributes without proper output encoding for the HTML attribute context. An authenticated attacker can craft a malicious U...

8.7CVSS6AI score0.00215EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/04/07 5:36 p.m.21 views

CVE-2026-39331 ChurchCRM has an API Authorization Bypass Allows Authenticated User to Deactivate, Modify, and Spam Arbitrary Families

ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply changing the familyId parameter in requests, regardless of whether they possess the required EditRecords privilege...

8.1CVSS0.00214EPSS
Exploits0References1
CVE
CVE
added 2026/04/07 5:32 p.m.12 views

CVE-2026-39328

ChurchCRM before 7.1.0 has a stored XSS in the person profile editing feature. Non-admin users with EditSelf can inject JavaScript into Facebook, LinkedIn, and X profile fields; due to a 50-character limit, payloads span all three fields and chain onfocus handlers to execute when a profile is vie...

8.9CVSS5.9AI score0.00203EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/04/07 5:30 p.m.5 views

CVE-2026-39326 ChurchCRM has a Blind SQL injection in PropertyTypeEditor.php

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role isMenuOptionsEnabled can inject arbitrary SQL statements through the Name and Description paramete...

8.8CVSS6.1AI score0.00244EPSS
Exploits0References3
CVE
CVE
added 2026/04/07 5:28 p.m.6 views

CVE-2026-39323

CVE-2026-39323 affects ChurchCRM prior to 7.1.0, where a SQL injection in PropertyTypeEditor.php arises because the Name and Description POST parameters are sanitized only with strip_tags() before direct SQL string concatenation. Authenticated users with the Manage Properties permission can execu...

6.2AI score0.0003EPSS
Exploits0
Rows per page
Query Builder