threatengine.sh
Product: churchcrm
110 known vulnerabilities across versions
Vulnerabilities are listed by affected version, with the CVSS score and severity of each.
CVE | Affected versions | CVSS | Summary

CVE-2026-39941 | < 7.1.0 | 6.1 MEDIUM | ChurchCRM is an open-source church management system. Prior to 7.1.0, an XSS vulnerability allows attacker-supplied input sent via
CVE-2026-39344 | < 7.1.0 | 8.1 HIGH | ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting (XSS) vulnerabilit
CVE-2026-39343 | < 7.1.0 | 7.2 HIGH | ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in the EditEventTypes.p
CVE-2026-39342 | < 7.1.0 | 8.8 HIGH | ChurchCRM is an open-source church management system. Prior to 7.1.0, the searchwhat parameter via QueryView.php with the QueryID=
CVE-2026-39341 | < 7.1.0 | 8.1 HIGH | ChurchCRM is an open-source church management system. Prior to 7.1.0, the application is vulnerable to time-based SQL injection du
CVE-2026-39340 | < 7.1.0 | 8.1 HIGH | ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.p
CVE-2026-39339 | < 7.1.0 | 9.1 CRITICAL | ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM
CVE-2026-39338 | <= 7.0.5 | 6.1 MEDIUM | ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists
CVE-2026-39337 | < 7.1.0 | 10.0 CRITICAL | ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerabil
CVE-2026-39336 | < 7.1.0 | 6.1 MEDIUM | ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Re
CVE-2026-39335 | <= 7.1.1 | 6.1 MEDIUM | ChurchCRM is an open-source church management system. Prior to 7.1.1, there is Stored XSS in group remove control and family edito
CVE-2026-39334 | < 7.1.0 | 8.8 HIGH | ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /Se
CVE-2026-39333 | < 7.1.0 | 8.7 HIGH | ChurchCRM is an open-source church management system. Prior to 7.1.0, the FindFundRaiser.php endpoint reflects user-supplied input
CVE-2026-39332 | < 7.1.0 | 8.7 HIGH | ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoP
CVE-2026-39331 | < 7.1.0 | 8.1 HIGH | ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's sta
CVE-2026-39330 | < 7.1.0 | 8.8 HIGH | ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /Pr
CVE-2026-39329 | < 7.1.0 | 8.8 HIGH | ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames
CVE-2026-39328 | < 7.1.0 | 8.9 HIGH | ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in Church
CVE-2026-39327 | < 7.1.0 | 8.8 HIGH | ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /Me
CVE-2026-39326 | < 7.1.0 | 8.8 HIGH | ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /Pr
CVE-2026-39325 | < 7.1.0 | 7.2 HIGH | ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /Se
CVE-2026-39319 | < 7.1.0 | 8.8 HIGH | ChurchCRM is an open-source church management system. Prior to 7.1.0, a second order SQL injection vulnerability was found in the
CVE-2026-39318 | <= 7.0.5 | 8.8 HIGH | ChurchCRM is an open-source church management system. Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints
CVE-2026-35576 | < 7.0.0 | 8.7 HIGH | ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in
CVE-2026-35575 | < 6.5.3 | 8.0 HIGH | ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in
CVE-2026-35573 | < 6.5.3 | 9.1 CRITICAL | ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore
CVE-2026-35572 | < 6.5.3 | 6.0 MEDIUM | ChurchCRM is an open-source church management system. Prior to 6.5.3, it is possible to trigger server-side HTTP/HTTPS requests to
CVE-2026-35574 | < 6.5.3 | 7.3 HIGH | ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored Cross-Site Scripting (XSS) vulnerability in ChurchC
CVE-2026-35534 | < 7.1.0 | 7.6 HIGH | ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in Person
CVE-2026-32880 | < 7.0.2 | 6.4 MEDIUM | ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system setting
CVE-2026-26059 | < 6.8.2 | 5.4 MEDIUM | ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with p
CVE-2026-24855 | < 6.7.2 | 5.4 MEDIUM | ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerabili
CVE-2026-24854 | < 6.7.2 | 8.8 HIGH | ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint /PaddleNumEditor.php in C
CVE-2025-68401 | < 6.0.0 | 4.8 MEDIUM | ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without
CVE-2025-68400 | < 6.5.3 | 8.8 HIGH | ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint `/Reports/Confir
CVE-2025-68399 | < 6.5.4 | 5.4 MEDIUM | ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting (XSS) vul
CVE-2025-68275 | < 6.5.3 | 4.8 MEDIUM | ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a stored cross-site scripting vulnerability on
CVE-2025-68112 | < 6.5.3 | 9.6 CRITICAL | ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Eve
CVE-2025-68111 | < 6.5.3 | 7.2 HIGH | ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability exists in the `eGi
CVE-2025-68110 | < 6.5.3 | 9.9 CRITICAL | ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error messag
CVE-2025-68109 | < 6.5.3 | 9.1 CRITICAL | ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not vali
CVE-2025-67877 | < 6.5.3 | 8.8 HIGH | ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the `src/CartT
CVE-2025-67876 | <= 6.4.0 | 5.4 MEDIUM | ChurchCRM is an open-source church management system. A stored cross-site scripting (XSS) vulnerability exists in ChurchCRM versio
CVE-2025-67875 | < 6.5.3 | 5.4 MEDIUM | ChurchCRM is an open-source church management system. A privilege escalation vulnerability exists in ChurchCRM prior to version 6.
CVE-2025-66397 | < 6.5.3 | 8.3 HIGH | ChurchCRM is an open-source church management system. Prior to version 6.5.3, the allowRegistration, acceptKiosk, reloadKiosk, and
CVE-2025-66396 | < 6.5.3 | 7.2 HIGH | ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/Use
CVE-2025-66395 | < 6.5.3 | 8.8 HIGH | ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/Lis
CVE-2025-62521 | < 5.21.0 | 10.0 CRITICAL | ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerab
CVE-2025-67874 | < 6.5.0 | 6.5 MEDIUM | ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords subm
CVE-2025-67751 | < 6.5.0 | 7.2 HIGH | ChurchCRM is an open-source church management system. Prior to version 6.5.0, a SQL injection vulnerability exists in the `EventEd
CVE-2025-66313 | <= 6.2.0 | 7.2 HIGH | ChurchCRM is an open-source church management system. In ChurchCRM 6.2.0 and earlier, there is a time-based blind SQL injection in
CVE-2025-11939 | <= 5.18.0 | 4.7 MEDIUM | A vulnerability was determined in ChurchCRM up to 5.18.0. This issue affects some unknown processing of the file src/ChurchCRM/Bac
CVE-2025-11938 | <= 5.18.0 | 5.6 MEDIUM | A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. P
CVE-2025-11529 | < 5.19.0 | 7.3 HIGH | A security flaw has been discovered in ChurchCRM up to 5.18.0. This impacts the function AuthMiddleware of the file src/ChurchCRM/
CVE-2025-3954 | all versions | 3.7 LOW | A vulnerability, which was classified as problematic, has been found in ChurchCRM 5.16.0. Affected by this issue is some unknown f
CVE-2025-1135 | <= 5.13.0 | 7.2 HIGH | A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a bo
CVE-2025-1134 | <= 5.13.0 | 7.2 HIGH | A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boo
CVE-2025-1133 | <= 5.13.0 | 7.2 HIGH | A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boo
CVE-2025-1132 | <= 5.13.0 | 8.8 HIGH | A time-based blind SQL Injection vulnerability exists in the ChurchCRM 5.13.0 and prior EditEventAttendees.php within the EN_ty
CVE-2025-1024 | <= 5.13.0 | 4.8 MEDIUM | A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript in a victim's browser via Refl
CVE-2025-1023 | <= 5.13.0 | 9.8 CRITICAL | A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a ti
CVE-2025-0981 | <= 5.13.0 | 6.1 MEDIUM | A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cr
CVE-2024-53438 | all versions | 9.8 CRITICAL | EventAttendance.php in ChurchCRM 5.7.0 is vulnerable to SQL injection. An attacker can exploit this vulnerability by manipulating
CVE-2024-39304 | < 5.9.2 | 8.8 HIGH | ChurchCRM is an open-source church management system. Versions of the application prior to 5.9.2 are vulnerable to an authenticate
CVE-2024-36647 | all versions | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in Church CRM v5.8.0 allows attackers to execute arbitrary web scripts or HTML v
CVE-2024-25898 | all versions | 6.1 MEDIUM | An XSS vulnerability was found in the ChurchCRM v.5.5.0 functionality, edit your event, where malicious JS or HTML code can be inse
CVE-2024-25897 | all versions | 9.8 CRITICAL | ChurchCRM 5.5.0 FRCatalog.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter.
CVE-2024-25896 | all versions | 5.3 MEDIUM | ChurchCRM 5.5.0 EventEditor.php is vulnerable to Blind SQL Injection (Time-based) via the EID POST parameter.
CVE-2024-25895 | all versions | 6.1 MEDIUM | A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 5.5.0 allows remote attackers to inject arbitrary web script or
CVE-2024-25894 | all versions | 9.8 CRITICAL | ChurchCRM 5.5.0 /EventEditor.php is vulnerable to Blind SQL Injection (Time-based) via the EventCount POST parameter.
CVE-2024-25893 | all versions | 9.1 CRITICAL | ChurchCRM 5.5.0 FRCertificates.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter.
CVE-2024-25892 | all versions | 8.1 HIGH | ChurchCRM 5.5.0 ConfirmReport.php is vulnerable to Blind SQL Injection (Time-based) via the familyId GET parameter.
CVE-2024-25891 | all versions | 7.5 HIGH | ChurchCRM 5.5.0 FRBidSheets.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter.
CVE-2020-28849 | <= 4.2.1 | 5.4 MEDIUM | Cross Site Scripting (XSS) vulnerability in ChurchCRM version 4.2.1, allows remote attackers to execute arbitrary code and gain sen
CVE-2020-28848 | all versions | 8.8 HIGH | CSV Injection vulnerability in ChurchCRM version 4.2.0, allows remote attackers to execute arbitrary code via crafted CSV file.
CVE-2023-38773 | all versions | 7.5 HIGH | SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the volopp1 and volo
CVE-2023-38771 | all versions | 7.5 HIGH | SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the volopp parameter
CVE-2023-38770 | all versions | 7.5 HIGH | SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the group parameter
CVE-2023-38769 | all versions | 7.5 HIGH | SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the searchstring and
CVE-2023-38768 | all versions | 7.5 HIGH | SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the PropertyID param
CVE-2023-38767 | all versions | 7.5 HIGH | SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the 'value' and 'cus
CVE-2023-38766 | all versions | 5.4 MEDIUM | Cross Site Scripting (XSS) vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to execute arbitrary code via a crafted pay
CVE-2023-38765 | all versions | 7.5 HIGH | SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the membermonth para
CVE-2023-38764 | all versions | 7.5 HIGH | SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the birthmonth and p
CVE-2023-38763 | all versions | 6.5 MEDIUM | SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the FundRaiserID par
CVE-2023-38762 | all versions | 7.5 HIGH | SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the friendmonths par
CVE-2023-38761 | all versions | 6.1 MEDIUM | Cross Site Scripting (XSS) vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to execute arbitrary code via a crafted pay
CVE-2023-38760 | all versions | 7.5 HIGH | SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the role and gender
CVE-2023-33661 | all versions | 6.1 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities were discovered in Church CRM v4.5.3 in GroupReports.php via GroupRole, Report
CVE-2023-31548 | all versions | 5.4 MEDIUM | A stored Cross-site scripting (XSS) vulnerability in the FundRaiserEditor.php component of ChurchCRM v4.5.3 allows attackers to ex
CVE-2023-26842 | all versions | 5.4 MEDIUM | A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTM
CVE-2023-31699 | all versions | 4.8 MEDIUM | ChurchCRM v4.5.4 is vulnerable to Reflected Cross-Site Scripting (XSS) via image file.
CVE-2023-29842 | all versions | 8.8 HIGH | ChurchCRM 4.5.4 endpoint /EditEventTypes.php is vulnerable to Blind SQL Injection (Time-based) via the EN_tyid POST parameter.
CVE-2023-26843 | all versions | 5.4 MEDIUM | A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTM
CVE-2023-26841 | all versions | 6.5 MEDIUM | A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to change any user's password except for th
CVE-2023-26840 | all versions | 5.3 MEDIUM | A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to set a person to a user and set that user
CVE-2023-26839 | all versions | 4.3 MEDIUM | A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to edit information for existing people on
CVE-2023-25348 | all versions | 7.8 HIGH | ChurchCRM 4.5.3 was discovered to contain a CSV injection vulnerability via the Last Name and First Name input fields when creatin
CVE-2023-25347 | all versions | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3, allows remote attackers to inject arbitrary web script or HT
CVE-2023-25346 | all versions | 6.1 MEDIUM | A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or
CVE-2023-26855 | all versions | 7.5 HIGH | The hashing algorithm of ChurchCRM v4.5.3 utilizes a non-random salt value which allows attackers to use precomputed hash tables o
CVE-2023-27059 | all versions | 5.4 MEDIUM | A cross-site scripting (XSS) vulnerability in the Edit Group function of ChurchCRM v4.5.3 allows attackers to execute arbitrary we
CVE-2023-24690 | <= 4.5.3 | 5.4 MEDIUM | ChurchCRM 4.5.3 and below was discovered to contain a stored cross-site scripting (XSS) vulnerability at /api/public/register/fami
CVE-2023-24686 | <= 4.5.3 | 4.8 MEDIUM | An issue in the CSV Import function of ChurchCRM v4.5.3 and below allows attackers to execute arbitrary code via importing a craft
CVE-2023-24685 | <= 4.5.3 | 7.2 HIGH | ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the Event parameter under the Event Attenda
CVE-2023-24684 | <= 4.5.3 | 7.2 HIGH | ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the EID parameter at GetText.php.
CVE-2022-36137 | all versions | 4.8 MEDIUM | ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input sHeader.
CVE-2022-36136 | all versions | 4.8 MEDIUM | ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input Deposit Comment.
CVE-2022-31325 | all versions | 7.2 HIGH | There is a SQL Injection vulnerability in ChurchCRM 4.4.5 via the 'PersonID' field in /churchcrm/WhyCameEditor.php.
CVE-2021-41965 | >= 2.0.0 and <= 4.4.5 | 8.8 HIGH | A SQL injection vulnerability exists in ChurchCRM version 2.0.0 to 4.4.5 that allows an authenticated attacker to issue an arbitra
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin