Crm

This hub aggregates every CVE we track for Crm, a product in the enterprise software space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Crm.

• CVE-2026-11456Chanjet CRM HTTP GET Request jxf_dump_systable.php sql injection7.3Jun 7, 2026
• CVE-2026-44548ChurchCRM: CSRF via legacy GET-delete pages (FundRaiserDelete.php, PropertyTypeDelete.php, NoteDelete.php)8.1May 12, 2026
• CVE-2026-44547ChurchCRM: Incomplete fix for CVE-2026-40582: public API login still bypasses 2FA and account lockout in ChurchCRM 7.2.29.6May 12, 2026
• CVE-2026-42288ChurchCRM: Incomplete fix for CVE-2026-39337: Unauthenticated RCE in Setup Wizard via unsanitized DB_PASSWORD10.0May 12, 2026
• CVE-2026-42289ChurchCRM: Cross-Site Request Forgery (CSRF) Leading to Admin Privilege Escalation8.8May 12, 2026
• CVE-2026-40593ChurchCRM: Stored XSS in UserEditor.php via Login Name Field4.8Apr 18, 2026
• CVE-2026-40581ChurchCRM: Cross-Site Request Forgery (CSRF) in SelectDelete.php Leading to Permanent Data Deletion8.1Apr 17, 2026
• CVE-2026-40485ChurchCRM: Username Enumeration via Differential Response in Public Login API5.3Apr 17, 2026
• CVE-2026-40484ChurchCRM: Authenticated Remote Code Execution via Unrestricted PHP File Write in Database Restore Function9.1Apr 17, 2026
• CVE-2026-40483ChurchCRM: Stored XSS in PledgeEditor.php via Donation Comment Field5.4Apr 17, 2026
• CVE-2026-39941ChurchCRM has an XSS vulnerability6.1Apr 9, 2026
• CVE-2026-39337ChurchCRM Affected by Unauthenticated RCE in Install Wizard10.0Apr 7, 2026
• CVE-2026-39319ChurchCRM has a Second Order SQLI via FundRaiserEditor.php8.8Apr 7, 2026
• CVE-2026-39344Reflected XSS the login page through the 'username' parameter8.1Apr 7, 2026
• CVE-2026-39343ChurchCRM has a SQL Injection in Event Type Editor (Admin)7.2Apr 7, 2026