ChurchCRM versions prior to 7.2.0 have multiple security vulnerabilities that could allow unauthorized access and data exposure.

🚨 EUVD-2026-23593 📊 Score: 7.1/10 (CVSS v3.1) 📦 Product: crm 🏢 Vendor: ChurchCRM 📅 Updated: 2026-04-17 📝 ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw SQL. This issue has been fixed in version 7.2.0. 🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-23593 #cybersecurity #infosec #euvd #cve #vulnerability

🚨 EUVD-2026-23589 📊 Score: 7.1/10 (CVSS v3.1) 📦 Product: crm 🏢 Vendor: ChurchCRM 📅 Updated: 2026-04-17 📝 ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces ca... 🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-23589 #cybersecurity #infosec #euvd #cve #vulnerability

🚨 EUVD-2026-23601 📊 Score: 9.1/10 (CVSS v3.1) 📦 Product: crm 🏢 Vendor: ChurchCRM 📅 Updated: 2026-04-17 📝 ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account l... 🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-23601 #cybersecurity #infosec #euvd #cve #vulnerability

🚨 EUVD-2026-23595 📊 Score: 5.4/10 (CVSS v3.1) 📦 Product: crm 🏢 Vendor: ChurchCRM 📅 Updated: 2026-04-17 📝 ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes without escaping via htmlspecialchars(). An authenticated user with Finance permission... 🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-23595 #cybersecurity #infosec #euvd #cve #vulnerability

🚨 EUVD-2026-23597 📊 Score: 9.1/10 (CVSS v3.1) 📦 Product: crm 🏢 Vendor: ChurchCRM 📅 Updated: 2026-04-17 📝 ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopy... 🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-23597 #cybersecurity #infosec #euvd #cve #vulnerability

🚨 EUVD-2026-23599 📊 Score: 5.3/10 (CVSS v3.1) 📦 Product: crm 🏢 Vendor: ChurchCRM 📅 Updated: 2026-04-17 📝 ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for vali... 🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-23599 #cybersecurity #infosec #euvd #cve #vulnerability

🚨 EUVD-2026-23621 📊 Score: 4.8/10 (CVSS v3.1) 📦 Product: crm 🏢 Vendor: ChurchCRM 📅 Updated: 2026-04-18 📝 ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the User Editor (UserEditor.php) renders stored usernames directly into an HTML input value attribute without applying htmlspecialchars(). An administrator can save a username co... 🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-23621 #cybersecurity #infosec #euvd #cve #vulnerability