churchcrm

Top products

The 15 most recently published vulnerabilities affecting churchcrm.

• CVE-2026-44548ChurchCRM: CSRF via legacy GET-delete pages (FundRaiserDelete.php, PropertyTypeDelete.php, NoteDelete.php)8.1May 12, 2026
• CVE-2026-44547ChurchCRM: Incomplete fix for CVE-2026-40582: public API login still bypasses 2FA and account lockout in ChurchCRM 7.2.29.6May 12, 2026
• CVE-2026-42288ChurchCRM: Incomplete fix for CVE-2026-39337: Unauthenticated RCE in Setup Wizard via unsanitized DB_PASSWORD10.0May 12, 2026
• CVE-2026-42289ChurchCRM: Cross-Site Request Forgery (CSRF) Leading to Admin Privilege Escalation8.8May 12, 2026
• CVE-2026-40593ChurchCRM: Stored XSS in UserEditor.php via Login Name Field4.8Apr 18, 2026
• CVE-2026-40581ChurchCRM: Cross-Site Request Forgery (CSRF) in SelectDelete.php Leading to Permanent Data Deletion8.1Apr 17, 2026
• CVE-2026-40485ChurchCRM: Username Enumeration via Differential Response in Public Login API5.3Apr 17, 2026
• CVE-2026-40484ChurchCRM: Authenticated Remote Code Execution via Unrestricted PHP File Write in Database Restore Function9.1Apr 17, 2026
• CVE-2026-40483ChurchCRM: Stored XSS in PledgeEditor.php via Donation Comment Field5.4Apr 17, 2026
• CVE-2026-39941ChurchCRM has an XSS vulnerability6.1Apr 9, 2026
• CVE-2026-39337ChurchCRM Affected by Unauthenticated RCE in Install Wizard10.0Apr 7, 2026
• CVE-2026-39319ChurchCRM has a Second Order SQLI via FundRaiserEditor.php8.8Apr 7, 2026
• CVE-2026-39344Reflected XSS the login page through the 'username' parameter8.1Apr 7, 2026
• CVE-2026-39343ChurchCRM has a SQL Injection in Event Type Editor (Admin)7.2Apr 7, 2026
• CVE-2026-39342ChurchCRM has a SQL injection searchwhat parameter via QueryView.php8.8Apr 7, 2026