ChurchCRM (churchcrm/crm) vulnerabilities
64 known vulnerabilities affecting churchcrm/crm.
Total CVEs: 64
CISA KEV: 0
Public exploits: 4
Exploited in the wild: 0
Severity breakdown: CRITICAL 6, HIGH 38, MEDIUM 20

Vulnerabilities (page 1 of 4)

Each entry below is listed as: CVE ID | priority rating | severity | CVSS score | PoC (shown when a public exploit exists) | fix status | date, followed by the CWE and the advisory text as recorded in the source.
CVE-2025-62521 | P2 | CRITICAL | CVSS 9.8 | PoC | fixed in 7.1.0 | 2025-12-17
CWE-94. ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The vulnerability exists in `setup/routes/set
Source: nvd
CVE-2026-39339 | P2 | CRITICAL | CVSS 9.1 | PoC | fixed in 7.1.0 | 2026-04-07
CWE-284. ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere in the request URL, leading to complete exposure o
Source: nvd
CVE-2024-39304 | P2 | HIGH | CVSS 8.8 | PoC | fixed in 5.9.2 | 2024-07-26
CWE-89. ChurchCRM is an open-source church management system. Versions of the application prior to 5.9.2 are vulnerable to an authenticated SQL injection due to improper sanitization of user input. Authentication is required, but no elevated privileges are necessary. This allows attackers to inject SQL statements directly into the database query due to inad
Source: nvd
CVE-2025-68109 | P3 | HIGH | CVSS 7.2 | PoC | fixed in 6.5.3 | 2025-12-17
CWE-78. ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows
Source: nvd
CVE-2026-39337 | P2 | CRITICAL | CVSS 10.0 | fixed in 7.3.2 | 2026-04-07
CWE-94. ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The "$dbPassword" variable is not sanitized. T
Source: nvd
CVE-2026-40582 | P2 | CRITICAL | CVSS 9.1 | v>= 7.2.0, < 7.3.1 | 2026-04-18
CWE-288. ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication checks. An attacker with knowledge of a user's passw
Source: nvd
CVE-2025-68112 | P3 | HIGH | CVSS 8.8 | fixed in 6.5.3 | 2025-12-17
CWE-89. ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potential system takeover. The vulnerability enables attackers to
Source: nvd
CVE-2025-67877 | P3 | HIGH | CVSS 8.8 | fixed in 6.5.3 | 2025-12-17
CWE-89. ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the `src/CartToFamily.php` file, specifically in how the `PersonAddress` POST parameter is handled. Unlike other parameters in the same file, which are correctly cast to integers using the `InputUtils` class, the `PersonAddress` parameter
Source: nvd
CVE-2026-40484 | P3 | CRITICAL | CVSS 9.1 | fixed in 7.2.0 | 2026-04-18
CWE-269. ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory(), which performs no file extension filtering. An authenticated administrator c
Source: nvd
CVE-2026-35573 | P3 | CRITICAL | CVSS 9.1 | fixed in 6.5.3 | 2026-04-07
CWE-22. ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows authenticated administrators to upload arbitrary files and achieve remote code execution by overwriting Apache .htaccess configuration files. The vulnerability exists in src/ChurchCRM/Backup/Restore
Source: nvd
CVE-2026-39318 | P3 | HIGH | CVSS 8.8 | fixed in 7.1.0 | 2026-04-07
CWE-89. ChurchCRM is an open-source church management system. Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints `/GroupPropsFormRowOps.php`, `/PersonCustomFieldsRowOps.php`, and `/FamilyCustomFieldsRowOps.php`. A user has to be authenticated. For `ManageGroups` privileges have to be enabled and for the other two endpoints the attack h
Source: nvd
CVE-2025-66395 | P3 | HIGH | CVSS 8.8 | fixed in 6.5.3 | 2025-12-17
CWE-89. ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/ListEvents.php` file. When filtering events by type, the `WhichType` POST parameter is not properly sanitized or type-cast before being used in multiple SQL queries. This allows any authenticated user to execute arbitrary SQL
Source: nvd
CVE-2026-39334 | P3 | HIGH | CVSS 8.8 | fixed in 7.1.0 | 2026-04-07
CWE-89. ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsIndividual.php in ChurchCRM 7.0.5. Authenticated users without any specific privileges can inject arbitrary SQL statements through the type array parameter via the index and thus extract and modify information from the
Source: nvd
CVE-2025-68400 | P3 | HIGH | CVSS 8.8 | fixed in 6.5.3 | 2025-12-17
CWE-89. ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint `/Reports/ConfirmReportEmail.php` in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and reachable directly via URL. This is a classic case of *dead but reachable code*. Any authenti
Source: nvd
CVE-2026-39327 | P3 | HIGH | CVSS 8.8 | fixed in 7.1.0 | 2026-04-07
CWE-89. ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /MemberRoleChange.php in ChurchCRM 7.0.5. Authenticated users with the role Manage Groups & Roles (ManageGroups) can inject arbitrary SQL statements through the NewRole parameter and thus extract and modify information from the
Source: nvd
CVE-2026-39330 | P3 | HIGH | CVSS 8.8 | fixed in 7.1.0 | 2026-04-07
CWE-89. ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles (ManageGroups) and Edit Records (isEditRecordsEnabled) can inject arbitrary SQL statements through the Value parameter and thus extract a
Source: nvd
CVE-2026-39319 | P3 | HIGH | CVSS 8.8 | fixed in 7.1.0 | 2026-04-07
CWE-89. ChurchCRM is an open-source church management system. Prior to 7.1.0, a second-order SQL injection vulnerability was found in the endpoint /FundRaiserEditor.php in ChurchCRM. A user has to be authenticated but doesn't need any privileges. These users can inject arbitrary SQL statements through the iCurrentFundraiser PHP session parameter and thus extra
Source: nvd
CVE-2026-39326 | P3 | HIGH | CVSS 8.8 | fixed in 7.1.0 | 2026-04-07
CWE-89. ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role isMenuOptionsEnabled can inject arbitrary SQL statements through the Name and Description parameters and thus extract and modify information from the datab
Source: nvd
CVE-2026-24854 | P3 | HIGH | CVSS 8.8 | fixed in 6.7.2 | 2026-01-30
CWE-89. ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2 contains a patch for the issue.
Source: nvd
CVE-2026-39342 | P3 | HIGH | CVSS 8.8 | fixed in 7.1.0 | 2026-04-07
CWE-89. ChurchCRM is an open-source church management system. Prior to 7.1.0, the searchwhat parameter via QueryView.php with QueryID=15 is vulnerable to a SQL injection. The authenticated user requires access to Data/Reports > Query Menu and access to the "Advanced Search" query. This vulnerability is fixed in 7.1.0.
Source: nvd