
ChurchCRM — Vulnerabilities & Security Advisories (68)

Browse all 68 CVE security advisories affecting ChurchCRM. AI-powered Chinese analysis, POCs, and references for each vulnerability.

ChurchCRM is an open-source church management system designed to handle member data, donations, and group organization. Its extensive history of 68 recorded Common Vulnerabilities and Exposures highlights significant security deficiencies, primarily stemming from inadequate input validation and authentication controls. The most prevalent vulnerability classes include Remote Code Execution (RCE), Cross-Site Scripting (XSS), and SQL Injection, often exacerbated by improper access control mechanisms that allow privilege escalation. These flaws frequently enable unauthenticated attackers to execute arbitrary code or extract sensitive organizational data. While the platform serves a niche administrative function, its security posture has been critically compromised by repeated failures to patch known issues. The accumulation of these defects suggests systemic neglect in code review and dependency management, posing substantial risks to institutions relying on the software for confidential member information and financial records.

Top products by ChurchCRM: CRM (ChurchCRM)

Each row gives the CVE ID, title, affected product, CWE, CVSS score, severity and publication date. "(AI)" reproduces the AI tag shown beside that value on the original listing; "-" means no severity was given.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-40593 | ChurchCRM: Stored XSS in UserEditor.php via Login Name Field | CRM | CWE-79 | 4.8 | Medium | 2026-04-18 |
| CVE-2026-40581 | ChurchCRM: Cross-Site Request Forgery (CSRF) in SelectDelete.php Leading to Permanent Data Deletion | CRM | CWE-352 | 8.1 | High | 2026-04-17 |
| CVE-2026-40485 | ChurchCRM: Username Enumeration via Differential Response in Public Login API | CRM | CWE-307 | 5.3 | Medium | 2026-04-17 |
| CVE-2026-40484 | ChurchCRM: Authenticated Remote Code Execution via Unrestricted PHP File Write in Database Restore Function | CRM | CWE-269 | 9.1 | Critical | 2026-04-17 |
| CVE-2026-40483 | ChurchCRM: Stored XSS in PledgeEditor.php via Donation Comment Field | CRM | CWE-79 | 5.4 | Medium | 2026-04-17 |
| CVE-2026-40582 | ChurchCRM: Authentication Bypass in `/api/public/user/login` Allows Bypass of 2FA and Account Lockout | CRM | CWE-288 | 9.8 (AI) | Critical (AI) | 2026-04-17 |
| CVE-2026-40480 | ChurchCRM has Missing Object-Level Authorization / IDOR in `/api/person/{personId}` | CRM | CWE-639 | 6.5 (AI) | Medium (AI) | 2026-04-17 |
| CVE-2026-40482 | ChurchCRM has Authenticated SQL Injection in `/api/families/byCheckNumber/{scanString}` | CRM | CWE-89 | 8.8 (AI) | High (AI) | 2026-04-17 |
| CVE-2026-39940 | ChurchCRM has an Open Redirect via the 'linkBack' URL Parameter in DonatedItemEditor.php | CRM | CWE-601 | 5.4 | - | 2026-04-13 |
| CVE-2026-39941 | ChurchCRM has an XSS vulnerability | CRM | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-04-09 |
| CVE-2026-39337 | ChurchCRM Affected by Unauthenticated RCE in Install Wizard | CRM | CWE-94 | 10.0 | Critical | 2026-04-07 |
| CVE-2026-39319 | ChurchCRM has a Second Order SQLI via FundRaiserEditor.php | CRM | CWE-89 | 8.8 | High | 2026-04-07 |
| CVE-2026-39344 | Reflected XSS the login page through the 'username' parameter | CRM | CWE-80 | 6.1 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39343 | ChurchCRM has a SQL Injection in Event Type Editor (Admin) | CRM | CWE-89 | 7.2 | High | 2026-04-07 |
| CVE-2026-39342 | ChurchCRM has a SQL injection searchwhat parameter via QueryView.php | CRM | CWE-89 | 8.8 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-39341 | SQL injection in ChurchCRM.0 | CRM | CWE-89 | 8.1 | High | 2026-04-07 |
| CVE-2026-39340 | ChurchCRM has a SQL Injection in PropertyTypeEditor.php via Incorrect Sanitizer Substitution | CRM | CWE-89 | 8.1 | High | 2026-04-07 |
| CVE-2026-39339 | ChurchCRM has an API Authentication Bypass | CRM | CWE-284 | 9.1 | Critical | 2026-04-07 |
| CVE-2026-39338 | ChurchCRM has Blind XSS via Global Search – Administrative Cookie Session Exfiltration | CRM | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39336 | ChurchCRM has Stored XSS from unescaped config values in HTML attributes | CRM | CWE-79 | 6.1 | Medium | 2026-04-07 |
| CVE-2026-39334 | ChurchCRM has a Blind SQL injection in SettingsIndividual.php | CRM | CWE-89 | 8.8 | High | 2026-04-07 |
| CVE-2026-39333 | ChurchCRM has Reflected XSS in DateStart/DateEnd parameters in FindFundRaiser.php | CRM | CWE-79 | 8.7 | High | 2026-04-07 |
| CVE-2026-39332 | ChurchCRM has Reflected Cross-Site Scripting (XSS) in GeoPage.php | CRM | CWE-79 | 8.7 | High | 2026-04-07 |
| CVE-2026-39331 | ChurchCRM has an API Authorization Bypass Allows Authenticated User to Deactivate, Modify, and Spam Arbitrary Families | CRM | CWE-639 | 8.1 | High | 2026-04-07 |
| CVE-2026-39330 | ChurchCRM has a Blind SQL injection in PropertyAssign.php | CRM | CWE-89 | 8.8 | High | 2026-04-07 |
| CVE-2026-39329 | ChurchCRM has a Blind SQL injection in EventNames.php | CRM | CWE-89 | 8.8 | High | 2026-04-07 |
| CVE-2026-39328 | ChurchCRM has Stored XSS in Social Profile Fields | CRM | CWE-79 | 8.9 | High | 2026-04-07 |
| CVE-2026-39327 | ChurchCRM has a SQL injection in MemberRoleChange.php | CRM | CWE-89 | 8.8 | High | 2026-04-07 |
| CVE-2026-39326 | ChurchCRM has a Blind SQL injection in PropertyTypeEditor.php | CRM | CWE-89 | 8.8 | High | 2026-04-07 |
| CVE-2026-39325 | ChurchCRM has a Blind SQL injection in SettingsUser.php | CRM | CWE-89 | 7.2 | High | 2026-04-07 |

This page lists every published CVE security advisory associated with ChurchCRM. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.