Churchcrm

Churchcrm

115 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
8.8

CVE-2026-39327

  • EPSS 0.03%
  • Veröffentlicht 07.04.2026 17:31:37
  • Zuletzt bearbeitet 10.04.2026 20:56:43

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /MemberRoleChange.php in ChurchCRM 7.0.5. Authenticated users with the role Manage Groups & Roles (ManageGroups) can inject...

8.8

CVE-2026-39326

  • EPSS 0.03%
  • Veröffentlicht 07.04.2026 17:30:57
  • Zuletzt bearbeitet 10.04.2026 20:58:33

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role isMenuOptionsEnabled can inject arbitrary SQL state...

7.2

CVE-2026-39325

  • EPSS 0.03%
  • Veröffentlicht 07.04.2026 17:29:19
  • Zuletzt bearbeitet 10.04.2026 20:57:09

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsUser.php in ChurchCRM 7.0.5. Authenticated administrative users can inject arbitrary SQL statements through the ty...

8.8

CVE-2026-39318

Exploit
  • EPSS 0.03%
  • Veröffentlicht 07.04.2026 17:27:51
  • Zuletzt bearbeitet 15.04.2026 20:20:24

ChurchCRM is an open-source church management system. Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints `/GroupPropsFormRowOps.php`, `/PersonCustomFieldsRowOps.php`, and `/FamilyCustomFieldsRowOps.php`. A user has to be aut...

6.1

CVE-2026-39335

Exploit
  • EPSS 0.03%
  • Veröffentlicht 07.04.2026 17:23:08
  • Zuletzt bearbeitet 09.04.2026 18:46:14

ChurchCRM is an open-source church management system. Prior to 7.1.1, there is Stored XSS in group remove control and family editor state/country. This is primarily an admin-to-admin stored XSS path when writable entity fields are abused. This vulner...

8.7

CVE-2026-35576

  • EPSS 0.03%
  • Veröffentlicht 07.04.2026 17:11:24
  • Zuletzt bearbeitet 09.04.2026 18:46:54

ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the Person Property Management subsystem. This issue persists in versions patched for CVE-2023-38766 an...

8

CVE-2026-35575

  • EPSS 0.04%
  • Veröffentlicht 07.04.2026 17:08:43
  • Zuletzt bearbeitet 09.04.2026 18:47:25

ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel’s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript t...

6

CVE-2026-35572

Exploit
  • EPSS 0.03%
  • Veröffentlicht 07.04.2026 17:07:57
  • Zuletzt bearbeitet 10.04.2026 20:58:52

ChurchCRM is an open-source church management system. Prior to 6.5.3, it is possible to trigger server-side HTTP/HTTPS requests to arbitrary hosts (SSRF) by supplying a crafted URL in the Referer request header. The server subsequently makes an outbo...

9.1

CVE-2026-35573

Exploit
  • EPSS 0.26%
  • Veröffentlicht 07.04.2026 17:06:07
  • Zuletzt bearbeitet 10.04.2026 20:59:20

ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows authenticated administrators to upload arbitrary files and achieve remote code execution by overwr...

8.7

CVE-2026-35574

Exploit
  • EPSS 0.03%
  • Veröffentlicht 07.04.2026 17:04:21
  • Zuletzt bearbeitet 16.04.2026 17:49:56

ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM's Note Editor allows authenticated users with note-adding permissions to execute arbitrary JavaScript code in the con...