16 matches found
CVE-2026-39941 ChurchCRM has an XSS vulnerability
ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vulnerability allows attacker-supplied input sent via the EName and EDesc parameters in EditEventAttendees.php to be rendered in a page without proper output encoding, enabling arbitrary JavaScript execution in victims...
CVE-2025-1133
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based blind SQL Injection vulnerability in the EditEventAttendees functionality. The EID parameter is directly concatenated into an SQL query without proper...
CVE-2025-68112 ChurchCRM has SQL injection in EditEventAttendees.php
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potentia...
EUVD-2025-4727
Malicious code in bioql PyPI...
EUVD-2025-4725
Malicious code in bioql PyPI...
EUVD-2025-4713
Malicious code in bioql PyPI...
ChurchCRM EditEventAttendees Feature Blind SQL Injection Vulnerability
ChurchCRM is an open source church management system. ChurchCRM suffers from a blind SQL injection vulnerability that stems from the EID parameter being directly concatenated into a SQL query without proper sanitization, which can be exploited by an attacker to execute arbitrary SQL queries using a...
CVE-2025-1132
A time-based blind SQL Injection vulnerability exists in the ChurchCRM 5.13.0 and prior EditEventAttendees.php within the EN_tyid parameter. The parameter is directly inserted into an SQL query without proper sanitization, allowing attackers to inject malicious SQL commands. Please note that the...
CVE-2025-1133
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based blind SQL Injection vulnerability in the EditEventAttendees functionality. The EID parameter is directly concatenated into an SQL query without proper...
CVE-2025-1133
CVE-2025-1133 affects ChurchCRM 5.13.0 and earlier. A boolean-based blind SQL injection in EditEventAttendees.php stems from the EID parameter being directly concatenated into SQL queries, enabling an attacker with Administrator privileges to manipulate queries and potentially exfiltrate, modify,...
CVE-2025-1133 SQL Injection in ChurchCRM EID Parameter via EditEventAttendees.php
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based blind SQL Injection vulnerability in the EditEventAttendees functionality. The EID parameter is directly concatenated into an SQL query without proper...
CVE-2025-1132 SQL Injection in ChurchCRM EN_tyid Parameter via EditEventAttendees.php
A time-based blind SQL Injection vulnerability exists in the ChurchCRM 5.13.0 and prior EditEventAttendees.php within the EN_tyid parameter. The parameter is directly inserted into an SQL query without proper sanitization, allowing attackers to inject malicious SQL commands. Please note that the...
CVE-2025-1132 SQL Injection in ChurchCRM EN_tyid Parameter via EditEventAttendees.php
A time-based blind SQL Injection vulnerability exists in the ChurchCRM 5.13.0 and prior EditEventAttendees.php within the EN_tyid parameter. The parameter is directly inserted into an SQL query without proper sanitization, allowing attackers to inject malicious SQL commands. Please note that the...
CVE-2025-1024
ChurchCRM 5.13.0 is affected by a Reflected Cross-Site Scripting (XSS) in EditEventAttendees.php (EID parameter) that requires administrative privileges. The vulnerability enables an attacker to execute arbitrary JavaScript in a victim's browser, potentially stealing session cookies, acting on be...
ChurchCRM security vulnerability
ChurchCRM is an open source CRM system built for churches by ChurchCRM Open Source. A security vulnerability exists in ChurchCRM 5.13.0 and earlier versions, which stems from the EID parameter being directly concatenated into a SQL query without proper sanitization, making it susceptible to SQL injection...
PT-2025-7485 · Churchcrm · Churchcrm
Name of the Vulnerable Software and Affected Versions: ChurchCRM version 5.13.0. Description: A vulnerability exists in ChurchCRM that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting (XSS) in the EditEventAttendees.php page. This requires...
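The entries above describe two defect classes in the same page: a request parameter concatenated into SQL text (the EID and EN_tyid blind SQL injection entries, CVE-2025-1133, CVE-2025-1132 and CVE-2025-68112) and a request parameter echoed into HTML without output encoding (the reflected XSS entries, CVE-2025-1024 and CVE-2026-39941). The following is an added illustration of each pattern beside its hardened form; it is not ChurchCRM's source code, and the table name, column names and function names are hypothetical. The SQL injection demo runs against an in-memory SQLite database with constructed rows; the SLEEP() remark in the comments refers to MySQL, which SQLite does not emulate.

```php
<?php
// Added illustrative sketch, not ChurchCRM code. Table/column/function names
// are hypothetical; the data is constructed for the demo.
declare(strict_types=1);

// --- 1. SQL injection via string concatenation (the EID / EN_tyid pattern) ---

// Vulnerable: the raw parameter becomes part of the SQL text. "1 AND 1=1"
// versus "1 AND 1=2" changes the result (boolean-based blind); on MySQL
// "1 AND SLEEP(5)" delays the response (time-based blind).
function loadEventVulnerable(PDO $db, string $eid): array
{
    $sql = 'SELECT event_id, event_title FROM events_event WHERE event_id = ' . $eid;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: enforce the expected type first, then bind the value so it is
// sent as data, never as SQL text.
function loadEventHardened(PDO $db, string $eid): array
{
    $id = filter_var($eid, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('EID must be an integer');
    }
    $stmt = $db->prepare('SELECT event_id, event_title FROM events_event WHERE event_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- 2. Reflected XSS via unencoded output (the EID / EName / EDesc pattern) ---

// Vulnerable: the parameter is written straight into the HTML body.
function renderTitleVulnerable(string $ename): string
{
    return '<h2>' . $ename . '</h2>';
}

// Hardened: encode for the HTML context at the point of output.
function renderTitleHardened(string $ename): string
{
    return '<h2>' . htmlspecialchars($ename, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h2>';
}

// --- Demo ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE events_event (event_id INTEGER PRIMARY KEY, event_title TEXT)');
$db->exec("INSERT INTO events_event VALUES (1, 'Sunday service'), (2, 'Choir practice')");

$probe = '1 OR 1=1';   // generic boolean probe: the true branch returns every row
echo 'vulnerable, rows returned: ', count(loadEventVulnerable($db, $probe)), PHP_EOL;

try {
    loadEventHardened($db, $probe);
} catch (InvalidArgumentException $e) {
    echo 'hardened: ', $e->getMessage(), PHP_EOL;   // rejected before any SQL is built
}
echo 'hardened, rows for EID=1: ', count(loadEventHardened($db, '1')), PHP_EOL;

$markup = '<script>alert(document.cookie)</script>';
echo renderTitleVulnerable($markup), PHP_EOL;   // script tag reaches the browser intact
echo renderTitleHardened($markup), PHP_EOL;     // &lt;script&gt;... is displayed as text
```

Two practical notes. The privilege requirement in several of the entries (an authenticated or Administrator account) lowers the attack surface but does not change the fix: a bound parameter is correct regardless of who submits the request, and the same applies to output encoding. Second, the hardened query keeps the integer check in addition to binding, so a non-numeric EID fails loudly at the application boundary rather than silently returning no rows.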