
CRM — Vulnerabilities & Security Advisories 82

All 82 CVE vulnerabilities found in CRM, with AI-generated Chinese analysis, references, and POCs.

Vendor: oroinc

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-44548 | ChurchCRM: CSRF via legacy GET-delete pages (FundRaiserDelete.php, PropertyTypeDelete.php, NoteDelete.php) | CWE-352 | 8.1 | High | 2026-05-12 |
| CVE-2026-44547 | ChurchCRM: Incomplete fix for CVE-2026-40582: public API login still bypasses 2FA and account lockout in ChurchCRM 7.2.2 | CWE-287 | 9.6 | Critical | 2026-05-12 |
| CVE-2026-42288 | ChurchCRM: Incomplete fix for CVE-2026-39337: Unauthenticated RCE in Setup Wizard via unsanitized DB_PASSWORD | CWE-94 | 10.0 | Critical | 2026-05-12 |
| CVE-2026-42289 | ChurchCRM: Cross-Site Request Forgery (CSRF) Leading to Admin Privilege Escalation | CWE-269 | 8.8 | High | 2026-05-12 |
| CVE-2026-40593 | ChurchCRM: Stored XSS in UserEditor.php via Login Name Field | CWE-79 | 4.8 | Medium | 2026-04-18 |
| CVE-2026-40581 | ChurchCRM: Cross-Site Request Forgery (CSRF) in SelectDelete.php Leading to Permanent Data Deletion | CWE-352 | 8.1 | High | 2026-04-17 |
| CVE-2026-40485 | ChurchCRM: Username Enumeration via Differential Response in Public Login API | CWE-307 | 5.3 | Medium | 2026-04-17 |
| CVE-2026-40484 | ChurchCRM: Authenticated Remote Code Execution via Unrestricted PHP File Write in Database Restore Function | CWE-269 | 9.1 | Critical | 2026-04-17 |
| CVE-2026-40483 | ChurchCRM: Stored XSS in PledgeEditor.php via Donation Comment Field | CWE-79 | 5.4 | Medium | 2026-04-17 |
| CVE-2026-40582 | ChurchCRM: Authentication Bypass in `/api/public/user/login` Allows Bypass of 2FA and Account Lockout | CWE-288 | 9.8 (AI) | Critical (AI) | 2026-04-17 |
| CVE-2026-40480 | ChurchCRM has Missing Object-Level Authorization / IDOR in `/api/person/{personId}` | CWE-639 | 6.5 (AI) | Medium (AI) | 2026-04-17 |
| CVE-2026-40482 | ChurchCRM has Authenticated SQL Injection in `/api/families/byCheckNumber/{scanString}` | CWE-89 | 8.8 (AI) | High (AI) | 2026-04-17 |
| CVE-2026-39940 | ChurchCRM has an Open Redirect via the 'linkBack' URL Parameter in DonatedItemEditor.php | CWE-601 | 5.4 | - | 2026-04-13 |
| CVE-2026-39941 | ChurchCRM has an XSS vulnerability | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-04-09 |
| CVE-2026-39337 | ChurchCRM Affected by Unauthenticated RCE in Install Wizard | CWE-94 | 10.0 | Critical | 2026-04-07 |
| CVE-2026-39319 | ChurchCRM has a Second Order SQLI via FundRaiserEditor.php | CWE-89 | 8.8 | High | 2026-04-07 |
| CVE-2026-39344 | Reflected XSS the login page through the 'username' parameter | CWE-80 | 6.1 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39343 | ChurchCRM has a SQL Injection in Event Type Editor (Admin) | CWE-89 | 7.2 | High | 2026-04-07 |
| CVE-2026-39342 | ChurchCRM has a SQL injection searchwhat parameter via QueryView.php | CWE-89 | 8.8 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-39341 | SQL injection in ChurchCRM.0 | CWE-89 | 8.1 | High | 2026-04-07 |
| CVE-2026-39340 | ChurchCRM has a SQL Injection in PropertyTypeEditor.php via Incorrect Sanitizer Substitution | CWE-89 | 8.1 | High | 2026-04-07 |
| CVE-2026-39339 | ChurchCRM has an API Authentication Bypass | CWE-284 | 9.1 | Critical | 2026-04-07 |
| CVE-2026-39338 | ChurchCRM has Blind XSS via Global Search – Administrative Cookie Session Exfiltration | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39336 | ChurchCRM has Stored XSS from unescaped config values in HTML attributes | CWE-79 | 6.1 | Medium | 2026-04-07 |
| CVE-2026-39334 | ChurchCRM has a Blind SQL injection in SettingsIndividual.php | CWE-89 | 8.8 | High | 2026-04-07 |
| CVE-2026-39333 | ChurchCRM has Reflected XSS in DateStart/DateEnd parameters in FindFundRaiser.php | CWE-79 | 8.7 | High | 2026-04-07 |
| CVE-2026-39332 | ChurchCRM has Reflected Cross-Site Scripting (XSS) in GeoPage.php | CWE-79 | 8.7 | High | 2026-04-07 |
| CVE-2026-39331 | ChurchCRM has an API Authorization Bypass Allows Authenticated User to Deactivate, Modify, and Spam Arbitrary Families | CWE-639 | 8.1 | High | 2026-04-07 |
| CVE-2026-39330 | ChurchCRM has a Blind SQL injection in PropertyAssign.php | CWE-89 | 8.8 | High | 2026-04-07 |
| CVE-2026-39329 | ChurchCRM has a Blind SQL injection in EventNames.php | CWE-89 | 8.8 | High | 2026-04-07 |

(AI): the CVSS score and severity for this entry carry the page's "AI" marker rather than being shown as plain values.