4 matches found

CVE, added 2025/12/17 7:12 p.m.

CVE-2025-66397

CVE-2025-66397 describes an access-control flaw in ChurchCRM's Kiosk Manager: prior to version 6.5.3, any authenticated user, not only an administrator, could invoke the kiosk-management actions allowRegistration, acceptKiosk, reloadKiosk and identifyKiosk. Affected software is ChurchCRM, specifically the Kiosk Manager functions. ...

CVSS 8.3 | AI score 6.4 | EPSS 0.00057
Exploits: 1 | References: 1 | Affected software: 1
EUVD, added 2025/12/17 7:10 p.m.

EUVD-2025-203921

ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the src/UserEditor.php file. When an administrator saves a user's configuration settings, the keys (not only the values) of the POST parameter array named type are not properly sanitized or type-cast befor...

CVSS 7.2 | AI score 7.8 | EPSS 0.00051
Exploits: 1 | References: 1
CVE, added 2025/12/17 7:04 p.m.

CVE-2025-66395

CVE-2025-66395 affects ChurchCRM prior to 6.5.3. The vulnerability is a SQL injection in src/ListEvents.php when filtering events by type: the WhichType POST parameter is neither sanitized nor type-cast to the integer the query expects before it is used in multiple SQL queries. Any authenticated user, regardless of privilege...

CVSS 8.8 | AI score 7.8 | EPSS 0.00045
Exploits: 1 | References: 1 | Affected software: 1
Positive Technologies, added 2025/12/17 12:00 a.m.

PT-2025-51926

Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 6.5.3
Description: ChurchCRM, an open-source church management system, contains a SQL injection issue. The vulnerability resides in the src/CartToFamily.php file, specifically in the handling of the PersonAddress POS...

CVSS 8.8 | AI score 7.7 | EPSS 0.00045
Exploits: 1 | References: 5
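The three SQL injection entries above share one root cause: a POST parameter (or, in the UserEditor.php case, the keys of a POST array) reaches a SQL string without being type-cast or bound. The following is an added illustration written for this page, not ChurchCRM's code or its fix; the table names events_event and user_settings, the column names, and the function names are hypothetical, and the demo runs against an in-memory SQLite database with constructed sample rows. It shows the scalar-parameter shape (WhichType) and the array-key shape (type[...]) side by side with hardened versions that both validate the input's type and bind it.

```php
<?php
// Added example for this page, not ChurchCRM code. Schema and names are assumed.

// (1) Scalar POST parameter interpolated into SQL.
//     With WhichType = "1 OR 1=1" the WHERE clause matches every row;
//     a UNION payload would read other tables the same way.
function listEventsVulnerable(PDO $pdo, array $post): array {
    $type = $post['WhichType'];                       // untrusted, never validated
    $sql  = "SELECT event_id, event_title FROM events_event WHERE event_type = $type";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: reject anything that is not a non-negative integer, cast to the
// type the schema expects, and bind the value so it never enters the SQL text.
function listEventsSafe(PDO $pdo, array $post): array {
    if (!isset($post['WhichType']) || !ctype_digit((string) $post['WhichType'])) {
        throw new InvalidArgumentException('WhichType must be a non-negative integer');
    }
    $stmt = $pdo->prepare('SELECT event_id, event_title FROM events_event WHERE event_type = :type');
    $stmt->bindValue(':type', (int) $post['WhichType'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// (2) Array KEYS used in SQL. Quoting the values does nothing for the keys,
//     which the client controls just as fully: type[3]=on vs type[3 OR 1=1]=on.
function saveUserSettingsVulnerable(PDO $pdo, int $userId, array $post): void {
    foreach ($post['type'] ?? [] as $settingId => $value) {
        $pdo->exec('UPDATE user_settings SET value = ' . $pdo->quote((string) $value)
                 . " WHERE user_id = $userId AND setting_id = $settingId");   // key is raw
    }
}

// Hardened: validate and cast the key before it is used, bind everything.
// PHP turns purely numeric string keys into ints, so cast back to string
// before ctype_digit() to get one check for both forms.
function saveUserSettingsSafe(PDO $pdo, int $userId, array $post): int {
    $stmt = $pdo->prepare(
        'UPDATE user_settings SET value = :value WHERE user_id = :uid AND setting_id = :sid'
    );
    $updated = 0;
    foreach ($post['type'] ?? [] as $settingId => $value) {
        if (!ctype_digit((string) $settingId)) {
            continue;   // drop the entry; a stricter policy rejects the whole request
        }
        $stmt->execute([':value' => (string) $value, ':uid' => $userId, ':sid' => (int) $settingId]);
        $updated += $stmt->rowCount();
    }
    return $updated;
}

// Stand-alone demo on constructed data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE events_event (event_id INTEGER, event_title TEXT, event_type INTEGER)');
$pdo->exec("INSERT INTO events_event VALUES (1,'Service',1),(2,'Meeting',2),(3,'Picnic',3)");
$pdo->exec('CREATE TABLE user_settings (user_id INTEGER, setting_id INTEGER, value TEXT)');
$pdo->exec("INSERT INTO user_settings VALUES (7,1,'off'),(7,2,'off'),(8,1,'off')");

$hostile = ['WhichType' => '1 OR 1=1'];
echo 'vulnerable filter returned ', count(listEventsVulnerable($pdo, $hostile)),
     " rows (every row: the OR clause swallowed the filter)\n";
try {
    listEventsSafe($pdo, $hostile);
} catch (InvalidArgumentException $e) {
    echo 'hardened filter rejected it: ', $e->getMessage(), "\n";
}
echo 'hardened filter with WhichType=2 returned ',
     count(listEventsSafe($pdo, ['WhichType' => '2'])), " row\n";

// Hostile key: the vulnerable version rewrites rows for every user,
// the hardened version skips the key and touches only user 7's setting 1.
$hostileKeys = ['type' => ['1 OR 1=1' => 'on']];
saveUserSettingsVulnerable($pdo, 7, $hostileKeys);
echo 'rows set to "on" by the vulnerable writer: ',
     $pdo->query("SELECT COUNT(*) FROM user_settings WHERE value='on'")->fetchColumn(), "\n";
$pdo->exec("UPDATE user_settings SET value='off'");
echo 'rows touched by the hardened writer with the same input: ',
     saveUserSettingsSafe($pdo, 7, $hostileKeys), "\n";
echo 'rows touched by the hardened writer with type[1]=on: ',
     saveUserSettingsSafe($pdo, 7, ['type' => ['1' => 'on']]), "\n";
```

The point of pairing the cast with a bound parameter is that each covers the other's gap: the cast enforces the type the schema expects (and fails loudly on junk), while binding guarantees that even a value which passed validation can never be reinterpreted as SQL. For array keys there is no binding step that helps; the key has to be validated before it is used anywhere in a query.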