| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-39339 | ChurchCRM has an API Authentication Bypass | ChurchCRM | CRM | Critical | 9.1 | 2026-04-07 17:58:50 | Deep Dive |
| CVE-2026-39338 | ChurchCRM has Blind XSS via Global Search – Administrative Cookie Session Exfiltration | ChurchCRM | CRM | - | - | 2026-04-07 17:57:30 | Deep Dive |
| CVE-2026-39336 | ChurchCRM has Stored XSS from unescaped config values in HTML attributes | ChurchCRM | CRM | Medium | 6.1 | 2026-04-07 17:40:55 | Deep Dive |
| CVE-2026-39334 | ChurchCRM has a Blind SQL injection in SettingsIndividual.php | ChurchCRM | CRM | High | 8.8 | 2026-04-07 17:38:45 | Deep Dive |
| CVE-2026-39333 | ChurchCRM has Reflected XSS in DateStart/DateEnd parameters in FindFundRaiser.php | ChurchCRM | CRM | High | 8.7 | 2026-04-07 17:38:03 | Deep Dive |
| CVE-2026-39332 | ChurchCRM has Reflected Cross-Site Scripting (XSS) in GeoPage.php | ChurchCRM | CRM | High | 8.7 | 2026-04-07 17:37:24 | Deep Dive |
| CVE-2026-39331 | ChurchCRM has an API Authorization Bypass Allows Authenticated User to Deactivate, Modify, and Spam Arbitrary Families | ChurchCRM | CRM | High | 8.1 | 2026-04-07 17:36:42 | Deep Dive |
| CVE-2026-39330 | ChurchCRM has a Blind SQL injection in PropertyAssign.php | ChurchCRM | CRM | High | 8.8 | 2026-04-07 17:34:30 | Deep Dive |
| CVE-2026-39329 | ChurchCRM has a Blind SQL injection in EventNames.php | ChurchCRM | CRM | High | 8.8 | 2026-04-07 17:33:30 | Deep Dive |
| CVE-2026-39328 | ChurchCRM has Stored XSS in Social Profile Fields | ChurchCRM | CRM | High | 8.9 | 2026-04-07 17:32:41 | Deep Dive |
| CVE-2026-39327 | ChurchCRM has a SQL injection in MemberRoleChange.php | ChurchCRM | CRM | High | 8.8 | 2026-04-07 17:31:37 | Deep Dive |
| CVE-2026-39326 | ChurchCRM has a Blind SQL injection in PropertyTypeEditor.php | ChurchCRM | CRM | High | 8.8 | 2026-04-07 17:30:58 | Deep Dive |
| CVE-2026-39325 | ChurchCRM has a Blind SQL injection in SettingsUser.php | ChurchCRM | CRM | High | 7.2 | 2026-04-07 17:29:20 | Deep Dive |
| CVE-2026-39318 | ChurchCRM has a DDL SQL Injection in GroupPropsFormRowOps.php | ChurchCRM | CRM | High | 8.8 | 2026-04-07 17:27:51 | Deep Dive |
| CVE-2026-39335 | ChurchCRM has Stored XSS via Unescaped data-* Attributes in Group/Family Controls | ChurchCRM | CRM | Medium | 6.1 | 2026-04-07 17:23:09 | Deep Dive |
| CVE-2026-35576 | ChurchCRM has Stored Cross-Site Scripting (XSS) in Person Properties via PrintView.php | ChurchCRM | CRM | High | 8.7 | 2026-04-07 17:11:25 | Deep Dive |
| CVE-2026-35575 | ChurchCRM has Stored XSS in Group Name | ChurchCRM | CRM | High | 8.0 | 2026-04-07 17:08:43 | Deep Dive |
| CVE-2026-35572 | SSRF via Referer header in ChurchCRM allows server-side HTTP/HTTPS requests to arbitrary hosts | ChurchCRM | CRM | - | - | 2026-04-07 17:07:58 | Deep Dive |
| CVE-2026-35573 | ChurchCRM has a Path traversal leads to RCE | ChurchCRM | CRM | Critical | 9.1 | 2026-04-07 17:06:07 | Deep Dive |
| CVE-2026-35574 | ChurchCRM has a Stored XSS in Person Profile - Add a Note | ChurchCRM | CRM | High | 7.3 | 2026-04-07 17:04:21 | Deep Dive |