ChurchCRM (churchcrm/crm) vulnerabilities
64 known vulnerabilities affecting churchcrm/crm.

Total CVEs: 64
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 6 | HIGH 38 | MEDIUM 20
Vulnerabilities
Page 3 of 4
CVE-2026-44548 | P3 | HIGH | CVSS 8.1 | CWE-352 | fixed in 7.3.2 | 2026-05-12
ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php causes a logged-in ChurchCRM user with the relevant role to silently delete records, including cascaded property and record-to-property assignments
Source: NVD
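The pattern in CVE-2026-44548 is a delete page that acts on a bare GET, so a link or navigation from any site the victim visits is enough. The following is an added example in Python, not ChurchCRM's PHP code, showing the two controls that close it: refuse GET for state changes and require a per-session CSRF token on POST, with the browser's Fetch Metadata headers (Sec-Fetch-Site) as an early reject. The handler name, the FundRaiserID parameter and the in-memory table are assumptions made for the example.

```python
"""Guarding a delete endpoint against cross-site GET navigation.

Added example, not ChurchCRM code. Models a *Delete.php-style handler and the
checks that stop a cross-site navigation (or any GET) from deleting a record.
"""
import hmac
import secrets


class Request:
    """Minimal stand-in for a framework request object (constructed for this example)."""

    def __init__(self, method, headers=None, params=None, session=None):
        self.method = method.upper()
        # header names are case-insensitive; normalise once
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}
        self.params = params or {}
        self.session = session if session is not None else {}


def issue_csrf_token(session):
    """Create a random per-session token; the form template embeds it as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def authorize_state_change(req):
    """Return (allowed, reason). Only non-cross-site POSTs carrying a valid token pass."""
    # A navigation from an attacker-controlled page arrives with
    # Sec-Fetch-Site: cross-site (and Sec-Fetch-Mode: navigate). Reject it first.
    # Absence of the header (older clients) is tolerated only because the token
    # check below still has to pass.
    if req.headers.get("sec-fetch-site") == "cross-site":
        return False, "cross-site request refused (Sec-Fetch-Site)"
    # Deletions are state changes; a link or <img src> must never be enough.
    if req.method != "POST":
        return False, "state change via %s refused; POST required" % req.method
    expected = req.session.get("csrf_token")
    supplied = req.params.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def fund_raiser_delete(req, fund_raisers):
    """Hypothetical delete handler (named after FundRaiserDelete.php; not its code).

    fund_raisers is a dict standing in for the table. The record is removed only
    when authorize_state_change() accepts the request. Returns (status, message).
    FundRaiserID is an assumed parameter name.
    """
    allowed, reason = authorize_state_change(req)
    if not allowed:
        return 403, reason
    record_id = req.params.get("FundRaiserID")
    if record_id not in fund_raisers:
        return 404, "no such fund raiser"
    del fund_raisers[record_id]
    return 200, "deleted"


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    table = {"7": "Bake sale"}
    # The CVE's scenario: the victim's browser is navigated to the delete URL from
    # an attacker page; the browser attaches the session cookie and these headers.
    attack = Request("GET", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate",
                             "Sec-Fetch-Dest": "document"}, {"FundRaiserID": "7"}, session)
    print(fund_raiser_delete(attack, table))   # 403, record survives
    legit = Request("POST", {"Sec-Fetch-Site": "same-origin"},
                    {"FundRaiserID": "7", "csrf_token": token}, session)
    print(fund_raiser_delete(legit, table))    # 200, record deleted
```

A same-origin GET is still refused: the method check is what makes the delete unreachable from a link, and the token check is what protects clients that do not send Fetch Metadata. When retrofitting this onto existing pages, the Cancel/Delete links in templates have to become forms that POST the token, or the fix breaks legitimate use.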
CVE-2026-35575 | P3 | HIGH | CVSS 8.0 | CWE-79 | fixed in 6.5.3 | 2026-04-07
ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel’s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically when an administrator views the page. This enables attackers to steal the admi
Source: NVD
CVE-2026-35572 | P3 | MEDIUM | CVSS 6.0 | CWE-918 | fixed in 6.5.3 | 2026-04-07
ChurchCRM is an open-source church management system. Prior to 6.5.3, it is possible to trigger server-side HTTP/HTTPS requests to arbitrary hosts (SSRF) by supplying a crafted URL in the Referer request header. The server subsequently makes an outbound request to the attacker-controlled domain, confirmed via OAST. This vulnerability is fixed in 6.5
Source: NVD
CVE-2026-39344 | P3 | HIGH | CVSS 8.1 | CWE-79 | fixed in 7.1.0 | 2026-04-07
ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting (XSS) vulnerability on the login page, which is caused by the lack of sanitization or encoding of the username parameter received from the URL. The username parameter value is directly displayed in the login page input element without filter,
Source: NVD
CVE-2026-40485 | P3 | MEDIUM | CVSS 5.3 | CWE-204 | fixed in 7.2.0 | 2026-04-18
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with incorrect passwords. An unauthenticated attacker can exploit this difference t
Source: NVD
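The 404-versus-401 split in CVE-2026-40485 is a response oracle: an unauthenticated client learns which usernames exist without ever guessing a password. The added example below, in Python and not ChurchCRM code, models the described behaviour beside a uniform handler that returns the same status and body, and does the same amount of password-hashing work, whether or not the account exists, plus a small probe that reports which response fields still differ. The user table, the hashing parameters and the probe usernames are constructed for the example.

```python
"""Username-enumeration oracle at a login endpoint, and the uniform fix (added example)."""
import hashlib
import hmac
import os


def hash_password(password, salt=None, iterations=100_000):
    """PBKDF2-HMAC-SHA256; returns (salt, digest). Parameters chosen for the example."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


# Constructed user table: username -> (salt, digest)
USERS = {"admin": hash_password("correct horse battery staple")}

# Verified when the username is unknown so that path costs the same as a real check.
_DUMMY = hash_password("dummy-password-never-accepted")


def login_leaky(username, password, users=USERS):
    """Behaviour the CVE describes: 404 for an unknown user, 401 for a wrong password."""
    if username not in users:
        return 404, {"error": "user not found"}
    salt, digest = users[username]
    if hmac.compare_digest(hash_password(password, salt)[1], digest):
        return 200, {"ok": True}
    return 401, {"error": "invalid password"}


def login_uniform(username, password, users=USERS):
    """Same status, same body and same work whether or not the username exists."""
    salt, digest = users.get(username, _DUMMY)
    ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
    # The second condition keeps the dummy hash from ever authenticating anyone.
    if ok and username in users:
        return 200, {"ok": True}
    return 401, {"error": "invalid username or password"}


def enumeration_oracle(login_fn, known_user="admin",
                       unknown_user="zz-no-such-user-8813", probe_password="definitely-wrong"):
    """Probe a login function with a known account and an unknown one, both with a
    wrong password. Returns the set of response fields that differ; an empty set
    means status and body give no oracle (timing is checked separately in practice)."""
    known = login_fn(known_user, probe_password)
    unknown = login_fn(unknown_user, probe_password)
    diffs = set()
    if known[0] != unknown[0]:
        diffs.add("status")
    if known[1] != unknown[1]:
        diffs.add("body")
    return diffs


if __name__ == "__main__":
    print("leaky:  ", enumeration_oracle(login_leaky))     # {'status', 'body'}
    print("uniform:", enumeration_oracle(login_uniform))   # set()
```

Against a live target the same probe is two requests per candidate pair; compare status, body length and response time, since an endpoint that short-circuits the hash check for unknown users leaks through timing even when the status codes match.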
CVE-2026-35534 | P3 | HIGH | CVSS 7.6 | CWE-79 | fixed in 7.1.0 | 2026-04-07
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText() as an output sanitizer for HTML attribute context. The function only strips HTML tags, it does not escape quote characters allowing an attacker to break out of the href attribut
Source: NVD
CVE-2025-67874 | P3 | MEDIUM | CVSS 6.5 | CWE-204 | fixed in 6.5.0 | 2025-12-16
ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify the impact of other vulnerabilities (e.g., XSS, IDOR, session fixation), e
Source: NVD
CVE-2026-39940 | P4 | MEDIUM | CVSS 5.3 | CWE-601 | fixed in 7.0.0 | 2026-04-13
ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked the 'Cancel' button on the page. For this write-up, DonatedItemEditor.php will be used
Source: NVD
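The open redirect in CVE-2026-39940 is the generic case of a page taking its Cancel destination from a request parameter and handing it to a Location header unchecked. The added example below, in Python and not ChurchCRM code, is the validator a practitioner would put in front of that redirect: accept only a relative path on the same origin, otherwise fall back to a fixed page. The fallback "/", the optional allowlist of page paths and the query parameter used in the demo are assumptions.

```python
"""Validating a Cancel / return-to target before redirecting (added example, not ChurchCRM code)."""
from urllib.parse import urlsplit


def safe_return_url(candidate, default="/", allowed_paths=None):
    """Return candidate if it is a same-origin relative path, else default.

    Rejects absolute URLs, scheme-relative "//host", backslash variants that
    browsers normalise to "//", scheme-only targets such as "javascript:", and
    anything carrying control characters (CRLF would split the response header).
    If allowed_paths is given, the path must additionally be one of them.
    """
    if not candidate:
        return default
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return default
    if "\\" in candidate:                      # "/\evil.example" is treated as "//evil.example"
        return default
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:           # belt and braces after the prefix checks
        return default
    if allowed_paths is not None and parts.path not in allowed_paths:
        return default
    return candidate


def cancel_redirect(return_to_param, allowed_paths=None):
    """What a Cancel handler would emit: (status, headers) with a validated Location."""
    return 302, {"Location": safe_return_url(return_to_param, "/", allowed_paths)}


if __name__ == "__main__":
    for target in ("/DonatedItemEditor.php?id=3", "//evil.example/", "https://evil.example/",
                   "/\\evil.example", "javascript:alert(1)", "/a\r\nSet-Cookie: x=1"):
        print(repr(target), "->", cancel_redirect(target)[1]["Location"])
```

An allowlist of the handful of pages a Cancel button can legitimately return to is stricter than the structural checks and is the better choice when the set of callers is known, which for an editor page it usually is.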
CVE-2026-32880 | P4 | MEDIUM | CVSS 6.4 | CWE-79 | fixed in 7.0.2 | 2026-03-20
ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in SystemSettings.php, leading to XSS. This issue has been fixed in version 7.0.2.
Source: NVD
CVE-2026-39941 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 7.1.0 | 2026-04-09
ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vulnerability allows attacker-supplied input sent via the EName and EDesc parameters in EditEventAttendees.php to be rendered in a page without proper output encoding, enabling arbitrary JavaScript execution in victims' browsers. This vulnerability is fixed in 7.1.0.
Source: NVD
CVE-2026-39335 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 7.1.1 | 2026-04-07
ChurchCRM is an open-source church management system. Prior to 7.1.1, there is Stored XSS in group remove control and family editor state/country. This is primarily an admin-to-admin stored XSS path when writable entity fields are abused. This vulnerability is fixed in 7.1.1.
Source: NVD
CVE-2026-39336 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 7.1.0 | 2026-04-07
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered into address fields, and external self-registration form defaults. This is primarily an admin-to-admin stored XSS path where writable configuration fields a
Source: NVD
CVE-2026-24855 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 6.7.2 | 2026-01-30
ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerability that occurs in Create Events in the Church Calendar. Users with low privileges can create XSS payloads in the Description field. This payload is stored in the database, and when other users view that event (including the admin),
Source: NVD
CVE-2026-26059 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 6.8.1 | 2026-02-19
ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would execute when the group was viewed in the Group View. Version 6.8.2 fixes this issue.
Source: NVD
CVE-2025-67876 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affects ≤ 6.4.0 | 2025-12-17
ChurchCRM is an open-source church management system. A stored cross-site scripting (XSS) vulnerability exists in ChurchCRM versions 6.4.0 and prior that allows a low-privilege user with the “Manage Groups” permission to inject persistent JavaScript into group role names. The payload is saved in the database and executed whenever any user (including
Source: NVD
CVE-2025-67875 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 6.5.3 | 2025-12-17
ChurchCRM is an open-source church management system. A privilege escalation vulnerability exists in ChurchCRM prior to version 6.5.3. An authenticated user with specific mid-level permissions ("Edit Records" and "Manage Properties and Classifications") can inject a persistent Cross-Site Scripting (XSS) payload into an administrator's profile. The pa
Source: NVD
CVE-2026-39338 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 7.1.0 | 2026-04-07
ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM dashboard. The application fails to sanitize or encode user-supplied input prior to rendering it within the browser's DOM. Although the application ultimately returns an HT
Source: NVD
CVE-2026-40483 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 7.2.0 | 2026-04-18
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes without escaping via htmlspecialchars(). An authenticated user with Finance permissions can inject HTML attribute-breaking characters and event handlers into the comment field, wh
Source: NVD
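CVE-2026-35534 (sanitizeText() used as an attribute encoder in PersonView.php) and CVE-2026-40483 (comment values placed in an input value attribute without htmlspecialchars()) are the same mistake in two places: tag stripping is not attribute encoding, because a double quote ends the attribute without any angle bracket. The added example below, in Python rather than the project's PHP and not ChurchCRM code, models a strip-tags cleaner beside proper attribute escaping, renders both into href and value attributes, and parses the result to show which one leaves an event handler behind. The payloads and the link/input markup are constructed for the example.

```python
"""Why a tag stripper is not an attribute encoder (added example, not ChurchCRM code)."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TAG_RE = re.compile(r"<[^>]*>")


def sanitize_text(value):
    """Strip-tags style cleaner, modelling what the page says sanitizeText() does:
    removes <...> sequences but leaves quotes alone, so it is not safe in an attribute."""
    return TAG_RE.sub("", value)


def escape_attr(value):
    """Attribute-context encoding: &, <, >, " and ' all become entities
    (the equivalent of PHP's htmlspecialchars($v, ENT_QUOTES))."""
    return html.escape(value, quote=True)


def safe_href(url):
    """Encoding stops attribute breakout; it does not make javascript: safe.
    Browsers drop tab/CR/LF from URLs, so remove them before looking at the scheme."""
    cleaned = re.sub(r"[\t\r\n]", "", url).strip()
    return urlsplit(cleaned).scheme.lower() in ("", "http", "https")


# Vulnerable-pattern renderers (the 'before'), and their escaped counterparts.
def render_href_stripped(url):
    return '<a href="%s">link</a>' % sanitize_text(url)


def render_href_escaped(url):
    return '<a href="%s">link</a>' % escape_attr(url)


def render_value_raw(comment):
    return '<input name="comment" value="%s">' % comment


def render_value_escaped(comment):
    return '<input name="comment" value="%s">' % escape_attr(comment)


class _AttrCollector(HTMLParser):
    """Collects (tag, {attr: value}) for each start tag, as a browser would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_attrs(markup):
    """Parse rendered markup and return [(tag, {attr: value}), ...]."""
    p = _AttrCollector()
    p.feed(markup)
    p.close()
    return p.tags


if __name__ == "__main__":
    href_payload = '" onmouseover="alert(1)'              # constructed payload
    print(parsed_attrs(render_href_stripped(href_payload)))  # onmouseover survives
    print(parsed_attrs(render_href_escaped(href_payload)))   # single href attribute
    value_payload = 'x" autofocus onfocus=alert(1) y="'    # constructed payload
    print(parsed_attrs(render_value_raw(value_payload)))     # onfocus survives
    print(parsed_attrs(render_value_escaped(value_payload))) # name and value only
```

The same encoder is right for the EName/EDesc, event description and group-name cases above as long as the value lands in an attribute or text node; a value that goes into a URL, a JavaScript string or a CSS property needs that context's encoder instead, and href additionally needs the scheme check.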
CVE-2025-68399 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 6.5.4 | 2025-12-17
ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting (XSS) vulnerability within the GroupEditor.php page of the application. When a user attempts to create a group role, they can execute malicious JavaScript. However, for this to work, the user must have permission to view and modify
Source: NVD
CVE-2023-38766 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 7.0.0 | 2023-08-08
Cross Site Scripting (XSS) vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to execute arbitrary code via a crafted payload to the PersonView.php component.
Source: NVD