
ChurchCRM — Vulnerabilities & Security Advisories (72)

Browse all 72 CVE security advisories affecting ChurchCRM. AI-powered Chinese analysis, POCs, and references for each vulnerability.

ChurchCRM is an open-source church management system designed to handle member data, donations, and group organization. Its extensive history of 68 recorded Common Vulnerabilities and Exposures highlights significant security deficiencies, primarily stemming from inadequate input validation and authentication controls. The most prevalent vulnerability classes include Remote Code Execution (RCE), Cross-Site Scripting (XSS), and SQL Injection, often exacerbated by improper access control mechanisms that allow privilege escalation. These flaws frequently enable unauthenticated attackers to execute arbitrary code or extract sensitive organizational data. While the platform serves a niche administrative function, its security posture has been critically compromised by repeated failures to patch known issues. The accumulation of these defects suggests systemic neglect in code review and dependency management, posing substantial risks to institutions relying on the software for confidential member information and financial records.

Top products by ChurchCRM: CRM ChurchCRM
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-62521 | ChurchCRM has unauthenticated RCE in its Install Wizard | CRM | CWE-94 | 10.0 | Critical | 2025-12-17 |
| CVE-2025-67751 | ChurchCRM has SQL Injection in Event Editor via `EN_tyid` Parameter caused by an Incomplete Fix | CRM | CWE-89 | 7.2 | High | 2025-12-16 |
| CVE-2025-67874 | ChurchCRM has plaintext password return in response | CRM | CWE-204 | 8.1 (AI) | High (AI) | 2025-12-16 |
| CVE-2025-66313 | ChurchCRM vulnerable to a time-based blind SQL injection via the 1FieldSec parameter | CRM | CWE-89 | 7.7 (AI) | High (AI) | 2025-12-01 |
| CVE-2025-1135 | SQL Injection in ChurchCRM CurrentFundraiser Parameter via BatchWinnerEntry.php | ChurchCRM | CWE-89 | 7.2 | - | 2025-02-19 |
| CVE-2025-1134 | SQL Injection in ChurchCRM CurrentFundraiser Parameter via DonatedItemEditor.php | ChurchCRM | CWE-89 | 7.2 | - | 2025-02-19 |
| CVE-2025-1133 | SQL Injection in ChurchCRM EID Parameter via EditEventAttendees.php | ChurchCRM | CWE-89 | 7.2 | - | 2025-02-19 |
| CVE-2025-1132 | SQL Injection in ChurchCRM EN_tyid Parameter via EditEventAttendees.php | ChurchCRM | CWE-89 | 5.9 | - | 2025-02-19 |
| CVE-2025-1024 | Session Hijacking via Reflected Cross-Site Scripting (XSS) in ChurchCRM EditEventAttendees.php EID Parameter | ChurchCRM | CWE-287 | 4.8 | - | 2025-02-19 |
| CVE-2025-1023 | SQL Injection in ChurchCRM newCountName Parameter via EditEventTypes.php | ChurchCRM | CWE-89 | 7.5 | - | 2025-02-18 |
| CVE-2025-0981 | Session Hijacking via Stored Cross-Site Scripting (XSS) in ChurchCRM GroupEditor.php Description Field | ChurchCRM | CWE-287 | 4.8 | - | 2025-02-18 |
| CVE-2024-39304 | ChurchCRM SQL Injection Vulnerability | CRM | CWE-89 | 8.8 | High | 2024-07-26 |

Values marked (AI) carry the page's "AI" flag on the score and severity; "-" means no severity rating is given.

This page lists every published CVE security advisory associated with ChurchCRM. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.