18 matches found
CVE-2026-39337
ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server...
CVE-2026-42288
ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DBPASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2...
CVE-2026-42288
ChurchCRM prior to version 7.1.0 is affected by a pre-auth RCE in the setup wizard due to unsanitized DB_PASSWORD handling, enabling unauthenticated PHP code injection during initial install. The issue stems from an incomplete fix for a previous CVE and is fixed in 7.1.0. Impact is described as f...
CVE-2026-42288 ChurchCRM: Incomplete fix for CVE-2026-39337: Unauthenticated RCE in Setup Wizard via unsanitized DB_PASSWORD
ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DBPASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2...
CVE-2026-42288
ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DBPASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2...
EUVD-2026-29876
ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DBPASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2...
PT-2026-40458
Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.3.2 Description A pre-authentication remote code execution issue exists in the setup wizard. The flaw allows for remote code execution via the unsanitized DB PASSWORD variable. Recommendations Update to version...
CVE-2026-39337 ChurchCRM Affected by Unauthenticated RCE in Install Wizard
ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server...
CVE-2026-39337
ChurchCRM CVE-2026-39337 describes a pre-authentication remote code execution in the setup wizard (before/around initial installation) that allows unauthenticated code injection due to unsanitized $dbPassword. This is a remediation of an incomplete fix for CVE-2025-62521 and is fixed in version 7...
CVE-2026-39337 ChurchCRM Affected by Unauthenticated RCE in Install Wizard
ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server...
PT-2026-30960
Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description ChurchCRM, an open-source church management system, has a critical pre-authentication remote code execution issue in its setup wizard. Unauthenticated attackers can inject arbitrary PHP code during...
PT-2026-30676
Name of the Vulnerable Software and Affected Versions Aperi'Solve versions prior to 3.2.1 Description Aperi'Solve, an open-source steganalysis web platform, is susceptible to an unauthenticated remote code execution RCE vulnerability. When uploading a JPEG file, a user-provided password is direct...
CVE-2022-28810
Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with...
CVE-2021-37861
Mattermost 6.0.2 and earlier fails to sufficiently sanitize user's password in audit logs when user creation fails...
oa_system 跨站脚本漏洞
oasystem is a hailey individual developer's application for the day-to-day operation and management of organizations, used by employees and managers. A security vulnerability exists in oasystem versions prior to v2025.01.01, which stems from improperly cleaned input of the parameter password in t...
CVE-2023-50035
PHPGurukul Small CRM 3.0 is vulnerable to SQL Injection on the Users login panel because of "password" parameter is directly used in the SQL query without any sanitization and the SQL Injection payload being executed...
ManageEngine ADSelfService Plus < build 6122 Command Injection
According to its self-reported version, the ManageEngine ADSelfService Plus application running on the remote host is prior to build 6122. It is, therefore, affected by a command injection vulnerability which allows a remote authenticated administrator to execute arbitrary operating OS commands a...
CVE-2022-28810
Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with...