churchcrm/crm vulnerabilities
64 known vulnerabilities affecting churchcrm/crm.
Total CVEs: 64
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 38, MEDIUM 20
Vulnerabilities
Page 2 of 4
CVE-2025-68110 | P3 | HIGH | CVSS 8.8 | fixed in 6.5.3 | 2025-12-17 | CWE-200 | source: NVD
ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, IP, username, and password. Version 6.5.3 fixes the issue.
CVE-2025-66397 | P3 | HIGH | CVSS 8.3 | fixed in 6.5.3 | 2025-12-17 | CWE-284 | source: NVD
ChurchCRM is an open-source church management system. Prior to version 6.5.3, the allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk functions in the Kiosk Manager feature suffer from broken access control, allowing any authenticated user to allow and accept kiosk registrations, and perform other Kiosk Manager actions such as reload and i
CVE-2026-39331 | P3 | HIGH | CVSS 8.1 | fixed in 7.1.0 | 2026-04-07 | CWE-639 | source: NVD
ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply changing the {familyId} parameter in requests, regardless of whether they possess the required EditRecords privilege. /family/{familyId}/verify, /family/{familyId}/verify/url, /famil
CVE-2026-39329 | P3 | HIGH | CVSS 8.8 | fixed in 7.1.0 | 2026-04-07 | CWE-89 | source: NVD
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames.php in ChurchCRM. Authenticated users with AddEvent privileges can inject SQL via the newEvtTypeCntLst parameter during event type creation. The vulnerable flow reaches an ON DUPLICATE KEY UPDATE clause where unescaped user
CVE-2026-42289 | P3 | HIGH | CVSS 8.8 | fixed in 7.3.2 | 2026-05-12 | CWE-269 | source: NVD
ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when visited by an authenticated administrator, silently elevates any low-privileg
CVE-2026-39340 | P3 | HIGH | CVSS 8.1 | fixed in 7.1.0 | 2026-04-07 | CWE-89 | source: NVD
ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property type categories (People → Person Properties / Family Properties). The vulnerability was introduced when legacyFilterInput() which both strips HTML and escapes
CVE-2026-39341 | P3 | HIGH | CVSS 8.1 | fixed in 7.1.0 | 2026-04-07 | CWE-89 | source: NVD
ChurchCRM is an open-source church management system. Prior to 7.1.0, the application is vulnerable to time-based SQL injection due to improper input validation. The endpoint Reports/ConfirmReportEmail.php?familyId= is not correctly sanitising user input; specifically, the sanitised input is not used to create the SQL query. This vulnerability is fixed i
CVE-2025-66396 | P3 | HIGH | CVSS 7.2 | fixed in 6.5.3 | 2025-12-17 | CWE-89 | source: NVD
ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/UserEditor.php` file. When an administrator saves a user's configuration settings, the keys of the `type` POST parameter array are not properly sanitized or type-casted before being used in multiple SQL queries. This allows a m
CVE-2025-68111 | P3 | HIGH | CVSS 7.2 | fixed in 6.5.3 | 2025-12-17 | CWE-89 | source: NVD
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability exists in the `eGive.php` file within the "ReImport" functionality. An authenticated user with finance privileges can execute arbitrary SQL queries by manipulating the `MissingEgive_FamID_...` POST parameter. This can lead to unauthorized dat
CVE-2026-40482 | P3 | HIGH | CVSS 7.1 | fixed in 7.2.0 | 2026-04-18 | CWE-89 | source: NVD
ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw SQL. This issue has been fixed in version 7.2.0.
CVE-2025-67751 | P3 | HIGH | CVSS 7.2 | fixed in 6.5.0 | 2025-12-16 | CWE-89 | source: NVD
ChurchCRM is an open-source church management system. Prior to version 6.5.0, a SQL injection vulnerability exists in the `EventEditor.php` file. When creating a new event and selecting an event type, the `EN_tyid` POST parameter is not sanitized. This allows an authenticated user with event management permissions (`isAddEvent`) to execute arbitrary SQ
CVE-2026-39343 | P3 | HIGH | CVSS 7.2 | fixed in 7.1.0 | 2026-04-07 | CWE-89 | source: NVD
ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in the EditEventTypes.php file, which is only accessible to administrators. The EN_tyid POST parameter is not sanitized before being used in a SQL query, allowing an administrator to execute arbitrary SQL commands directly against the database. Thi
CVE-2025-66313 | P3 | HIGH | CVSS 7.2 | affects ≤ 6.2.0 | 2025-12-01 | CWE-89 | source: NVD
ChurchCRM is an open-source church management system. In ChurchCRM 6.2.0 and earlier, there is a time-based blind SQL injection in the handling of the 1FieldSec parameter. Injecting SLEEP() causes deterministic server-side delays, proving the value is incorporated into a SQL query without proper parameterization. The issue allows data exfiltration and
CVE-2026-39325 | P3 | HIGH | CVSS 7.2 | fixed in 7.1.0 | 2026-04-07 | CWE-89 | source: NVD
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsUser.php in ChurchCRM 7.0.5. Authenticated administrative users can inject arbitrary SQL statements through the type array parameter via the index and thus extract and modify information from the database. This vulnera
CVE-2026-35574 | P3 | HIGH | CVSS 8.7 | fixed in 6.5.3 | 2026-04-07 | CWE-79 | source: NVD
ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM's Note Editor allows authenticated users with note-adding permissions to execute arbitrary JavaScript code in the context of other users' browsers, including administrators. This can lead to session hijacking, privilege es
CVE-2026-39328 | P3 | HIGH | CVSS 8.9 | fixed in 7.1.0 | 2026-04-07 | CWE-79 | source: NVD
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, and X profile fields. Due to a 50-character field limit, the
CVE-2026-40480 | P3 | HIGH | CVSS 7.1 | fixed in 7.2.0 | 2026-04-18 | CWE-639 | source: NVD
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson() restrictions, the API layer omits this check. Any authenticated user with only
CVE-2026-39333 | P3 | HIGH | CVSS 8.7 | fixed in 7.1.0 | 2026-04-07 | CWE-79 | source: NVD
ChurchCRM is an open-source church management system. Prior to 7.1.0, the FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd) into HTML input field attributes without proper output encoding for the HTML attribute context. An authenticated attacker can craft a malicious URL that executes arbitrary JavaScript when visited by a
CVE-2026-40581 | P3 | HIGH | CVSS 8.1 | fixed in 7.2.0 | 2026-04-18 | CWE-352 | source: NVD
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An attacker can craft a malicious page that, when visited by an authenticated
CVE-2026-39332 | P3 | HIGH | CVSS 8.7 | fixed in 7.1.0 | 2026-04-07 | CWE-79 | source: NVD
ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocus with no user interaction required, an attacker can st