2 matches found
CVE-2026-40480
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/personId endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson restrictions, the API layer...
Auto-merging Person Records Compromised
Impact New user registrations are able to access anyone's account by only knowing their basic profile information name, birthday, gender, etc. This includes all app functionality within the app, as well as any authenticated links to Rock-based webpages such as giving and events. Patches We have...