CVE-2026-58410 ChurchCRM: Improper object-level authorization allows low-privileged users to read and modify other families’ records
ChurchCRM is an open-source church management system. Prior to version 7.4.0, there was an authorization flaw in the family-scoped endpoints which allowed low-privileged users to read and modify other families’ records. An authenticated non-admin user with EditSelf access can supply another...