Lucene search
K

18 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:12 p.m.9 views

CVE-2026-39337

ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server...

10CVSS6.4AI score0.00715EPSS
Exploits0References1
NVD
NVD
added 2026/05/12 11:16 p.m.39 views

CVE-2026-42288

ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DBPASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2...

10CVSS0.00576EPSS
Exploits0References1
CVE
CVE
added 2026/05/12 10:25 p.m.38 views

CVE-2026-42288

ChurchCRM prior to version 7.1.0 is affected by a pre-auth RCE in the setup wizard due to unsanitized DB_PASSWORD handling, enabling unauthenticated PHP code injection during initial install. The issue stems from an incomplete fix for a previous CVE and is fixed in 7.1.0. Impact is described as f...

10CVSS6.4AI score0.00576EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/12 10:25 p.m.69 views

CVE-2026-42288 ChurchCRM: Incomplete fix for CVE-2026-39337: Unauthenticated RCE in Setup Wizard via unsanitized DB_PASSWORD

ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DBPASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2...

10CVSS0.00576EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/12 10:25 p.m.8 views

CVE-2026-42288

ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DBPASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2...

10CVSS6.4AI score0.00715EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/05/12 10:25 p.m.10 views

EUVD-2026-29876

ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DBPASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2...

10CVSS6.4AI score0.00715EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.21 views

PT-2026-40458

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.3.2 Description A pre-authentication remote code execution issue exists in the setup wizard. The flaw allows for remote code execution via the unsanitized DB PASSWORD variable. Recommendations Update to version...

10CVSS6.4AI score0.00576EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/04/07 6:8 p.m.3 views

CVE-2026-39337 ChurchCRM Affected by Unauthenticated RCE in Install Wizard

ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server...

10CVSS6.6AI score0.00715EPSS
Exploits0References1
CVE
CVE
added 2026/04/07 6:8 p.m.20 views

CVE-2026-39337

ChurchCRM CVE-2026-39337 describes a pre-authentication remote code execution in the setup wizard (before/around initial installation) that allows unauthenticated code injection due to unsanitized $dbPassword. This is a remediation of an incomplete fix for CVE-2025-62521 and is fixed in version 7...

10CVSS6.6AI score0.00715EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/04/07 6:8 p.m.19 views

CVE-2026-39337 ChurchCRM Affected by Unauthenticated RCE in Install Wizard

ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server...

10CVSS0.00715EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/07 12:0 a.m.10 views

PT-2026-30960

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description ChurchCRM, an open-source church management system, has a critical pre-authentication remote code execution issue in its setup wizard. Unauthenticated attackers can inject arbitrary PHP code during...

10CVSS6.6AI score0.00715EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/04/06 12:0 a.m.14 views

PT-2026-30676

Name of the Vulnerable Software and Affected Versions Aperi'Solve versions prior to 3.2.1 Description Aperi'Solve, an open-source steganalysis web platform, is susceptible to an unauthenticated remote code execution RCE vulnerability. When uploading a JPEG file, a user-provided password is direct...

9.8CVSS6.5AI score0.00775EPSS
Exploits1References12
RedhatCVE
RedhatCVE
added 2025/05/23 1:5 a.m.13 views

CVE-2022-28810

Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with...

7.1CVSS7.5AI score0.70501EPSS
Exploits4References1
RedhatCVE
RedhatCVE
added 2025/05/22 8:7 p.m.8 views

CVE-2021-37861

Mattermost 6.0.2 and earlier fails to sufficiently sanitize user's password in audit logs when user creation fails...

7.5CVSS7AI score0.00879EPSS
Exploits0References1
CNNVD
CNNVD
added 2025/05/14 12:0 a.m.8 views

oa_system 跨站脚本漏洞

oasystem is a hailey individual developer's application for the day-to-day operation and management of organizations, used by employees and managers. A security vulnerability exists in oasystem versions prior to v2025.01.01, which stems from improperly cleaned input of the parameter password in t...

6.1CVSS6.1AI score0.00228EPSS
Exploits1References3
OSV
OSV
added 2023/12/29 9:15 p.m.6 views

CVE-2023-50035

PHPGurukul Small CRM 3.0 is vulnerable to SQL Injection on the Users login panel because of "password" parameter is directly used in the SQL query without any sanitization and the SQL Injection payload being executed...

9.8CVSS5.9AI score0.00629EPSS
Exploits1References1
Tenable Nessus
Tenable Nessus
added 2023/03/13 12:0 a.m.72 views

ManageEngine ADSelfService Plus < build 6122 Command Injection

According to its self-reported version, the ManageEngine ADSelfService Plus application running on the remote host is prior to build 6122. It is, therefore, affected by a command injection vulnerability which allows a remote authenticated administrator to execute arbitrary operating OS commands a...

7.1CVSS8AI score0.70501EPSS
Exploits4References2
ATTACKERKB
ATTACKERKB
added 2022/04/18 12:0 a.m.46 views

CVE-2022-28810

Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with...

7.1CVSS3.7AI score0.70501EPSS
In wildExploits4References6
Rows per page
Query Builder