CVE-2026-40480
ChurchCRM suffers a Missing Object-Level Authorization (IDOR) in GET /api/person/{personId} prior to version 7.2.0, where the API path omits canEditPerson checks and enables any authenticated user with EditSelf privileges to enumerate and read other members’ records containing PII (names, address...