
Churchcrm Crm vulnerabilities

64 known vulnerabilities affecting churchcrm/crm.

Total CVEs: 64
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 38, MEDIUM 20

Vulnerabilities

Page 4 of 4
CVE-2026-40593 | P4 | MEDIUM | CVSS 4.8 | fixed in 7.2.0 | 2026-04-18
CVE-2026-40593 [MEDIUM] CWE-79: ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the User Editor (UserEditor.php) renders stored usernames directly into an HTML input value attribute without applying htmlspecialchars(). An administrator can save a username containing HTML attribute-breaking characters and event handlers, which execute in the browser
Source: nvd
CVE-2025-68401 | P4 | MEDIUM | CVSS 4.8 | fixed in 6.0.0 | 2025-12-17
CVE-2025-68401 [MEDIUM] CWE-79: ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this content, attacker-controlled JavaScript executes in their browser (stored XSS). In affected contexts the script can access web origin data and perform pri
Source: nvd
CVE-2025-68275 | P4 | MEDIUM | CVSS 4.8 | fixed in 6.5.3 | 2025-12-17
CVE-2025-68275 [MEDIUM] CWE-79: ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a stored cross-site scripting vulnerability on the pages `View Active People`, `View Inactive people`, and `View All People`. Version 6.5.3 fixes the issue.
Source: nvd
CVE-2026-35578 | MEDIUM | CVSS 5.3 | fixed in 7.0.0 | 2026-04-07
CVE-2026-35578 [MEDIUM] CWE-601: ChurchCRM has an Open Redirect via the 'linkBack' URL Parameter in DonatedItemEditor.php. ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked the 'Cancel' button on the p
Source: cvelistv5