Lucene search
+L

7 matches found

Vulnrichment
Vulnrichment
added 2026/04/07 5:58 p.m.4 views

CVE-2026-39339 ChurchCRM has an API Authentication Bypass

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware ChurchCRM/Slim/Middleware/AuthMiddleware.php allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere...

9.1CVSS5.9AI score0.01351EPSS
Exploits0References1
CVE
CVE
added 2026/04/07 5:32 p.m.12 views

CVE-2026-39328

ChurchCRM before 7.1.0 has a stored XSS in the person profile editing feature. Non-admin users with EditSelf can inject JavaScript into Facebook, LinkedIn, and X profile fields; due to a 50-character limit, payloads span all three fields and chain onfocus handlers to execute when a profile is vie...

8.9CVSS5.9AI score0.00203EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/07 12:0 a.m.4 views

PT-2026-30887

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText as an output sanitizer for HTML attribute context. The function only strips HTML tags, it does not escape quote character...

7.6CVSS6AI score0.00168EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/07 12:0 a.m.17 views

PT-2026-30967

ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting XSS vulnerability on the login page, which is caused by the lack of sanitization or encoding of the username parameter received from the URL. The username parameter value is directly...

8.1CVSS7.2AI score0.00256EPSS
Exploits0References2
NVD
NVD
added 2026/04/06 4:16 p.m.9 views

CVE-2026-34402

Rejected reason: REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39330. Reason: This candidate is a duplicate of CVE-2026-39330. Notes: All CVE users should reference CVE-2026-39330 instead of this candidate. All references and descriptions in this candidate have been removed to...

0.00021EPSS
Exploits0
Atlassian
Atlassian
added 2025/12/19 3:18 p.m.24 views

XXE (XML External Entity Injection) in Crowd Data Center and Server

This High severity XXE XML External Entity Injection vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server. This XXE XML External Entity Injection vulnerability, with a CVSS Score of 7.9, allows an authenticated attacker to access local and remote content which has high...

7.9CVSS5.5AI score0.00297EPSS
Exploits0
CNVD
CNVD
added 2018/08/01 12:0 a.m.5 views

McAfee Drive Encryption TPM autoboot authentication bypass vulnerability

McAfee Drive Encryption MDE is a suite of full disk encryption software from the American company McAfee. The software is mainly used to protect data on tablets, laptops and desktop computers with Microsoft Windows to prevent the loss of sensitive data.TPM autoboot is one of the TPM autoboot...

7CVSS6.3AI score0.00242EPSS
Exploits0References1
Rows per page
Query Builder