12 matches found

RedhatCVE
added 2026/04/20 7:23 p.m.

CVE-2026-40485

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint /api/public/user/login returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with incorrect passwords. An...

CVSS 5.3 | AI score 5.7 | EPSS 0.00335
Exploits 0 | References 1
Vulnrichment
added 2026/04/18 12:02 a.m.

CVE-2026-40593 ChurchCRM: Stored XSS in UserEditor.php via Login Name Field

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the User Editor UserEditor.php renders stored usernames directly into an HTML input value attribute without applying htmlspecialchars. An administrator can save a username containing HTML attribute-breaking characte...

CVSS 4.8 | AI score 5.8 | EPSS 0.002
Exploits 0 | References 1
CVE
added 2026/04/17 11:16 p.m.

CVE-2026-40582

ChurchCRM prior to version 7.2.0 had an authentication bypass in the /api/public/user/login endpoint. It returned the user’s API key after validating only username and password, bypassing account lockout and 2FA checks, enabling access to protected API endpoints with the user’s privileges if the ...

CVSS 9.1 | AI score 5.7 | EPSS 0.00502
Exploits 0 | References 3
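The two ChurchCRM login advisories above (CVE-2026-40485, distinguishable 404/401 responses, and CVE-2026-40582, the API key released after only a password check) describe the same endpoint, so one added example covers both. This is illustrative code written for this page, not ChurchCRM's own handler: the user table, the demo hash, the lockout threshold and the totp_ok flag are assumptions. login_vulnerable reproduces the described pre-7.2.0 behaviour; login_fixed returns one 401 for every failure, counts failed attempts, and withholds the key until the second factor is satisfied; is_enumerable is the check a tester would run against either.

```python
# Added example, not ChurchCRM code: a login handler in the style of
# /api/public/user/login, first as the advisories describe the pre-7.2.0
# behaviour, then hardened. The user table, hashing, lockout threshold and
# the totp_ok flag are assumptions made for the demo.
import hashlib
import hmac


def _h(password):
    """Demo-only hash (a real deployment uses a slow, salted password hash)."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed user table: password hash, lockout state, 2FA enrolment, API key.
USERS = {
    "alice": {"hash": _h("correct horse"), "failed": 0, "locked": False,
              "totp": True, "api_key": "KEY-ALICE"},
    "bob":   {"hash": _h("hunter2"), "failed": 0, "locked": False,
              "totp": False, "api_key": "KEY-BOB"},
}
LOCKOUT_THRESHOLD = 3  # assumption


def login_vulnerable(username, password):
    """Pre-fix behaviour: 404 vs 401 leaks whether the username exists, and the
    API key is released after the password check alone."""
    user = USERS.get(username)
    if user is None:
        return 404, {"error": "user not found"}
    if not hmac.compare_digest(user["hash"], _h(password)):
        return 401, {"error": "bad password"}
    return 200, {"apiKey": user["api_key"]}   # lockout and 2FA never consulted


def login_fixed(username, password, totp_ok=False):
    """Hardened: one 401 for unknown user, wrong password or locked account;
    failed attempts are counted; no key until the second factor is satisfied."""
    user = USERS.get(username)
    # Always run the comparison (against a dummy hash if needed) so the
    # unknown-user path costs about the same as the wrong-password path.
    expected = user["hash"] if user else _h("")
    password_ok = hmac.compare_digest(expected, _h(password))
    if user is None or user["locked"]:
        return 401, {"error": "invalid credentials"}
    if not password_ok:
        user["failed"] += 1
        if user["failed"] >= LOCKOUT_THRESHOLD:
            user["locked"] = True
        return 401, {"error": "invalid credentials"}
    if user["totp"] and not totp_ok:
        # Password was right but the second factor is outstanding: still no key.
        return 401, {"error": "second factor required"}
    user["failed"] = 0
    return 200, {"apiKey": user["api_key"]}


def is_enumerable(handler, existing_user, missing_user, wrong_password="nope"):
    """Oracle check: two wrong-password probes that differ only in the username
    should produce the same status code; if they do not, usernames leak."""
    a = handler(existing_user, wrong_password)[0]
    b = handler(missing_user, wrong_password)[0]
    return a != b
```

Against a live target the same oracle is two POSTs with a wrong password, one for a name you know exists and one for a random string; compare status codes and, if those match, also compare response bodies and timing, since any of the three can carry the signal.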
ATTACKERKB
added 2026/04/17 11:07 p.m.

CVE-2026-40480

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/personId endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson restrictions, the API layer...

CVSS 7.1 | AI score 5.7 | EPSS 0.00336
Exploits 0 | References 5 | Affected Software 1
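The missing object-level authorization described for CVE-2026-40480, as an added example that is not ChurchCRM's code: an API read handler for a person record with and without the check that the legacy page applies. The person table and the can_edit_person rule (modelled loosely on the canEditPerson restriction the advisory mentions: admins, the person themself, and members of the same family) are assumptions; idor_probe is the authorization test a reviewer would run with a low-privilege account.

```python
# Added example, not ChurchCRM code: GET /api/person/{id} style handler with
# and without an object-level authorization check. Records and the
# permission rule are constructed for the demo.

PEOPLE = {  # constructed records: id -> fields
    1: {"family": 10, "name": "Ann Example", "email": "ann@example.org"},
    2: {"family": 20, "name": "Ben Example", "email": "ben@example.org"},
}


class User:
    def __init__(self, person_id, family, is_admin=False):
        self.person_id = person_id
        self.family = family
        self.is_admin = is_admin


def can_edit_person(user, person_id):
    """Assumed rule in the spirit of canEditPerson: admins, the person
    themself, and members of the same family may access the record."""
    rec = PEOPLE.get(person_id)
    if rec is None:
        return False
    return user.is_admin or user.person_id == person_id or user.family == rec["family"]


def get_person_vulnerable(user, person_id):
    """Authenticated but unchecked: any logged-in user reads any record (IDOR)."""
    rec = PEOPLE.get(person_id)
    return (404, None) if rec is None else (200, rec)


def get_person_fixed(user, person_id):
    """Authorization decided in the API layer before the record is loaded for
    return. Missing and forbidden ids both answer 404 so the API does not
    confirm which ids exist (403 is the alternative if that leak is acceptable)."""
    if not can_edit_person(user, person_id):
        return 404, None
    return 200, PEOPLE[person_id]


def idor_probe(handler, user, ids):
    """Which of `ids` does the handler disclose to `user`? Run with the
    least-privileged account you have and compare against what it may see."""
    return [pid for pid in ids if handler(user, pid)[0] == 200]
```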
Positive Technologies
added 2026/04/17 12:00 a.m.

PT-2026-33532

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory, which performs no file...

CVSS 9.1 | AI score 6.3 | EPSS 0.00867
Exploits 0 | References 4
ATTACKERKB
added 2026/02/19 7:38 p.m.

CVE-2026-27013

Fabric.js is a JavaScript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies escapeXml to text content during SVG export src/shapes/Text/TextSVGExportMixin.ts:186 but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When...

CVSS 7.6 | AI score 6 | EPSS 0.00281
Exploits 1 | References 4 | Affected Software 1
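CVE-2026-40593 (a username written into an HTML input value attribute without htmlspecialchars) and CVE-2026-27013 (text content escaped for SVG export but attribute values not) are the same defect in two markup contexts, so one added example covers both. This is illustrative code written for this page, not ChurchCRM's UserEditor.php or Fabric.js's export mixin: the payload, the tag shapes and the parser-based checks are constructed. Each vulnerable renderer interpolates the string as the advisories describe; each fixed one escapes for the attribute context, and the checks use the standard library's HTML and XML parsers to count what attributes the result actually carries, which is a more reliable test than grepping for a quote character.

```python
# Added example, not ChurchCRM or Fabric.js code: a user-controlled string
# rendered into an HTML input value attribute and into an SVG attribute,
# unescaped (as the advisories describe) and then escaped for the attribute
# context. The payload and tag shapes are constructed for the demo.
import html
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

# Constructed attribute-breaking username: closes the value, adds a handler.
PAYLOAD = 'x" onfocus="alert(1)" autofocus="'


def user_editor_vulnerable(username):
    """UserEditor.php style: raw interpolation into a value attribute."""
    return f'<input type="text" name="UserName" value="{username}">'


def user_editor_fixed(username):
    """html.escape(quote=True) encodes & < > " and ' (the PHP equivalent is
    htmlspecialchars with ENT_QUOTES), so the value cannot close the attribute."""
    return f'<input type="text" name="UserName" value="{html.escape(username, quote=True)}">'


def svg_text_vulnerable(text, font_family):
    """Text content escaped, attribute value not: the gap the Fabric.js advisory describes."""
    return f'<text font-family="{font_family}">{html.escape(text)}</text>'


def svg_text_fixed(text, font_family):
    """Both the content and the attribute value are escaped; the same five
    characters are what an XML attribute needs encoded."""
    return f'<text font-family="{html.escape(font_family, quote=True)}">{html.escape(text)}</text>'


def html_attributes(markup):
    """Attribute names of the first tag, as the stdlib HTML parser sees them."""
    found = []

    class FirstTag(HTMLParser):
        def handle_starttag(self, tag, attrs):
            if not found:
                found.extend(name for name, _ in attrs)

    FirstTag().feed(markup)
    return found


def svg_attributes(markup):
    """Attribute names of the root element after a real XML parse."""
    return list(ET.fromstring(markup).attrib)
```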
CNNVD
added 2024/12/26 12:00 a.m.

Intumit SmartRobot Conversational AI Platform security vulnerability

Intumit SmartRobot Conversational AI Platform is a conversational AI platform from Intumit. Version v7.2.0 has a security vulnerability that stems from improper control of code generation in its Groovy script functions. An...

CVSS 9.3 | AI score 7.7 | EPSS 0.00736
Exploits 0 | References 1
CNNVD
added 2024/12/13 12:00 a.m.

WordPress plugin FloristPress cross-site scripting vulnerability

WordPress and its plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that lets users host personal blog sites on servers with PHP and MySQL; a WordPress plugin is an add-on application for it. A cross-site scripting...

CVSS 7.1 | AI score 8 | EPSS 0.00333
Exploits 0 | References 1
OSV
added 2023/09/12 9:15 a.m.

CVE-2023-37879

Insecure storage of sensitive information in the Wing FTP Server User Web Client allows information elicitation. This issue affects Wing FTP Server: = 7.2.0...

CVSS 7.5 | AI score 5.8
Exploits 0 | References 1
OSV
added 2023/09/06 9:15 a.m.

CVE-2023-40554

Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in Blog2Social, Adenion Blog2Social: Social Media Auto Post & Scheduler plugin = 7.2.0 versions...

CVSS 6.1 | AI score 5.8 | EPSS 0.00352
Exploits 0 | References 1
CNNVD
added 2021/01/20 12:00 a.m.

Vtiger CRM cross-site scripting vulnerability

Vtiger CRM is a customer relationship management (CRM) system from the US company Vtiger, originally based on SugarCRM. It provides management, collection and analysis of customer information, among other functions. Vtiger CRM v7.2.0 suffers from a cross-site scripting vulnerability th...

CVSS 6.1 | AI score 6.3 | EPSS 0.00749
Exploits 1 | References 2
CNVD
added 2016/05/14 12:00 a.m.

File Replication Pro Remote Command Execution Vulnerability

File Replication Pro is a file management solution for backing up and copying files between network nodes. A remote command execution vulnerability exists in File Replication Pro 7.2.0 and earlier versions. An attacker can exploit the vulnerability to remotely execute arbitrary commands as th...

AI score 7.8
Exploits 0 | References 1