
ChurchCRM — Vulnerabilities & Security Advisories (68)

Browse all 68 CVE security advisories affecting ChurchCRM. AI-powered Chinese analysis, POCs, and references for each vulnerability.

ChurchCRM is an open-source church management system designed to handle member data, donations, and group organization. Its extensive history of 68 recorded Common Vulnerabilities and Exposures highlights significant security deficiencies, primarily stemming from inadequate input validation and authentication controls. The most prevalent vulnerability classes include Remote Code Execution (RCE), Cross-Site Scripting (XSS), and SQL Injection, often exacerbated by improper access control mechanisms that allow privilege escalation. These flaws frequently enable unauthenticated attackers to execute arbitrary code or extract sensitive organizational data. While the platform serves a niche administrative function, its security posture has been critically compromised by repeated failures to patch known issues. The accumulation of these defects suggests systemic neglect in code review and dependency management, posing substantial risks to institutions relying on the software for confidential member information and financial records.

Severity | Identifier | Published | Reference
High | GHSA-8613 | 2026-04-18 | security: migrate family delete to API endpoints (#8613) · ChurchCRM/CRM@3936162 · GitHub
High | - | 2026-04-18 | security: block no-permission users + fix IDOR on person API (#8616) · ChurchCRM/CRM@28ea7a2 · GitHub
High | - | 2026-04-18 | security: fix SQLi in FinancialService + harden API login (#8607) · ChurchCRM/CRM@214694e · GitHub
High | - | 2026-04-18 | security: fix SQLi in FinancialService + harden API login by DawoudIO · Pull Request #8607 · ChurchCRM/CRM · GitHub
High | - | 2026-04-18 | security: block no-permission users + fix IDOR on person API by DawoudIO · Pull Request #8616 · ChurchCRM/CRM · GitHub
Critical | - | 2026-04-18 | security: validate extracted images in backup restore (#8610) · ChurchCRM/CRM@68be1d1 · GitHub
High | - | 2026-04-18 | security: validate extracted images in backup restore by DawoudIO · Pull Request #8610 · ChurchCRM/CRM · GitHub
Medium | CVE-2025-40483 | 2026-04-18 | Stored XSS in PledgeEditor.php via Donation Comment Field · Advisory · ChurchCRM/CRM · GitHub
Medium | - | 2026-04-18 | Stored XSS in UserEditor.php via Login Name Field · Advisory · ChurchCRM/CRM · GitHub
High | - | 2026-04-18 | security: fix SQL injection in PledgeEditor queries (#8609) · ChurchCRM/CRM@b3da72a · GitHub
Critical | CVE-2025-40582 | 2026-04-18 | Authentication Bypass in `/api/public/user/login` Allows Bypass of 2FA and Account Lockout · Advisory · ChurchCRM/CRM ·
Critical | CVE-2026-40484 | 2026-04-18 | Authenticated Remote Code Execution via Unrestricted PHP File Write in Database Restore Function · Advisory · ChurchCRM/
High | - | 2026-04-18 | Missing Object-Level Authorization / IDOR in `/api/person/{personId}` · Advisory · ChurchCRM/CRM · GitHub
High | - | 2026-04-18 | Redesign EditSelf permission: proper self-service portal · Issue #8617 · ChurchCRM/CRM
Medium | CVE-2024-40485 | 2026-04-18 | Username Enumeration via Differential Response in Public Login API · Advisory · ChurchCRM/CRM · GitHub
High | - | 2026-04-18 | Cross-Site Request Forgery (CSRF) in SelectDelete.php Leading to Permanent Data Deletion · Advisory · ChurchCRM/CRM · Gi
High | - | 2026-04-10 | Multiple XSS · Advisory · ChurchCRM/CRM · GitHub
Critical | - | 2026-04-10 | SQL injection in GroupPropsFormRowOps.php & PersonCustomFieldsRowOps.php & FamilyCustomFieldsRowOps.php · Advisory · Chu
High | - | 2026-04-08 | SQL Injection in MemberRoleChange.php · Advisory · ChurchCRM/CRM · GitHub
High | - | 2026-04-08 | Stored XSS in PersonView.php via Facebook Field Attribute Injection · Advisory · ChurchCRM/CRM · GitHub

Showing up to 20 recent security advisories.

This page lists every published CVE security advisory associated with ChurchCRM. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.