
ChurchCRM — Vulnerabilities & Security Advisories (68)

Browse all 68 CVE security advisories affecting ChurchCRM. AI-powered Chinese analysis, POCs, and references for each vulnerability.

ChurchCRM is an open-source church management system designed to handle member data, donations, and group organization. Its history of 68 recorded Common Vulnerabilities and Exposures (CVEs) points to significant security deficiencies, primarily stemming from inadequate input validation and authentication controls. The most prevalent vulnerability classes are Remote Code Execution (RCE), Cross-Site Scripting (XSS), and SQL Injection, often compounded by improper access control that allows privilege escalation. These flaws frequently enable unauthenticated attackers to execute arbitrary code or extract sensitive organizational data. While the platform serves a niche administrative function, its security posture has been critically compromised by repeated failures to patch known issues. The accumulation of these defects suggests systemic neglect in code review and dependency management, posing substantial risk to institutions that rely on the software for confidential member information and financial records.

Top products by ChurchCRM: CRM, ChurchCRM
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-39318 | ChurchCRM has a DDL SQL Injection in GroupPropsFormRowOps.php | CRM | CWE-89 | 8.8 | High | 2026-04-07 |
| CVE-2026-39335 | ChurchCRM has Stored XSS via Unescaped data-* Attributes in Group/Family Controls | CRM | CWE-79 | 6.1 | Medium | 2026-04-07 |
| CVE-2026-35576 | ChurchCRM has Stored Cross-Site Scripting (XSS) in Person Properties via PrintView.php | CRM | CWE-79 | 8.7 | High | 2026-04-07 |
| CVE-2026-35575 | ChurchCRM has Stored XSS in Group Name | CRM | CWE-79 | 8.0 | High | 2026-04-07 |
| CVE-2026-35572 | SSRF via Referer header in ChurchCRM allows server-side HTTP/HTTPS requests to arbitrary hosts | CRM | CWE-918 | 7.1 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-35573 | ChurchCRM has a Path traversal leads to RCE | CRM | CWE-22 | 9.1 | Critical | 2026-04-07 |
| CVE-2026-35574 | ChurchCRM has a Stored XSS in Person Profile - Add a Note | CRM | CWE-79 | 7.3 | High | 2026-04-07 |
| CVE-2026-35534 | ChurchCRM has Stored XSS in PersonView.php via Facebook Field Attribute Injection | CRM | CWE-79 | 7.6 | High | 2026-04-07 |
| CVE-2026-32880 | ChurchCRM is vulnerable to Stored XSS through JSON handling in SystemSettings.php | CRM | CWE-79 | 6.4 | Medium | 2026-03-20 |
| CVE-2026-26059 | ChurchCRM has Stored Cross-Site Scripting (XSS) in GroupEditor.php | CRM | CWE-79 | 5.4 | - | 2026-02-19 |
| CVE-2026-24855 | ChurchCRM has Stored Cross-Site Scripting (XSS) in Create Events in Church Calendar, Leading to Account Takeover | CRM | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-01-30 |
| CVE-2026-24854 | Church CRM has SQL injection in PaddleNumEditor.php | CRM | CWE-89 | 8.8 | High | 2026-01-30 |
| CVE-2025-68275 | ChurchCRM vulnerable to Stored XSS - Group name > Person Listing | CRM | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-12-17 |
| CVE-2025-68401 | ChurchCRM has Stored Cross-Site Scripting (XSS) vulnerability that leads to session theft and account takeover | CRM | CWE-79 | 7.6 (AI) | High (AI) | 2025-12-17 |
| CVE-2025-68400 | ChurchCRM vulnerable to time-based blind SQL Injection in ConfirmReportEmail.php | CRM | CWE-89 | 8.8 (AI) | High (AI) | 2025-12-17 |
| CVE-2025-68399 | ChurchCRM has Stored Cross-Site Scripting (XSS) In GroupEditor.php | CRM | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-12-17 |
| CVE-2025-68112 | ChurchCRM has SQL injection in EditEventAttendees.php | CRM | CWE-89 | 9.6 | Critical | 2025-12-17 |
| CVE-2025-68111 | ChurchCRM has SQL Injection in eGive Import Feature | CRM | CWE-89 | 7.2 | High | 2025-12-17 |
| CVE-2025-68110 | ChurchCRM discloses database information on error message | CRM | CWE-200 | 10.0 | Critical | 2025-12-17 |
| CVE-2025-68109 | ChurchCRM vulnerable to RCE with database restore functionality | CRM | CWE-78 | 9.1 | Critical | 2025-12-17 |
| CVE-2025-67877 | ChurchCRM SQL Injection Vulnerability | CRM | CWE-89 | 8.8 (AI) | High (AI) | 2025-12-17 |
| CVE-2025-67876 | ChurchCRM has Stored XSS in Group Role Name Leading to Admin Session Hijacking | CRM | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-12-17 |
| CVE-2025-67875 | ChurchCRM has stored XSS via Person Property Assignment Leading to Admin Session Hijacking | CRM | CWE-79 | 7.6 (AI) | High (AI) | 2025-12-17 |
| CVE-2025-66397 | ChurchCRM's Kiosk Manager Functions are vulnerable to Broken Access Control | CRM | CWE-284 | 8.3 | High | 2025-12-17 |
| CVE-2025-66396 | ChurchCRM has SQL Injection in User Editor via `type` Parameter Key | CRM | CWE-89 | 7.2 | High | 2025-12-17 |
| CVE-2025-66395 | SQL Injection in Event List via `WhichType` Parameter | CRM | CWE-89 | 8.8 | High | 2025-12-17 |
| CVE-2025-62521 | ChurchCRM has unauthenticated RCE in its Install Wizard | CRM | CWE-94 | 10.0 | Critical | 2025-12-17 |
| CVE-2025-67751 | ChurchCRM has SQL Injection in Event Editor via `EN_tyid` Parameter caused by an Incomplete Fix | CRM | CWE-89 | 7.2 | High | 2025-12-16 |
| CVE-2025-67874 | ChurchCRM has plaintext password return in response | CRM | CWE-204 | 8.1 (AI) | High (AI) | 2025-12-16 |
| CVE-2025-66313 | ChurchCRM vulnerable to a time-based blind SQL injection via the 1FieldSec parameter | CRM | CWE-89 | 7.7 (AI) | High (AI) | 2025-12-01 |

(AI) marks a CVSS score or severity rating that the page flags as AI-generated; "-" means no severity rating is given.

This page lists every published CVE security advisory associated with ChurchCRM. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.