
CRM — Vulnerabilities & Security Advisories (82)

All 82 CVE vulnerabilities found in CRM, with AI-generated Chinese analysis, references, and POCs.

This page aggregates known vulnerabilities in the CRM product category, organised by Common Weakness Enumeration (CWE) class and the Common Vulnerabilities and Exposures (CVE) entries assigned to them. It covers records from 2018 through the current year and includes injection flaws, broken access control, cross-site scripting, and authentication failures. Use it to track a vendor's advisories for recent patches and security updates, to read technical descriptions and impact scenarios for a weakness class, and to review a product's vulnerability history when assessing its long-term security posture and remediation trends. The data is meant to help security professionals, developers, and IT administrators identify risks specific to CRM deployments, judge the severity of disclosed issues, and prioritise mitigation from verified sources, supporting decisions on upgrades, configuration hardening, and third-party risk management without speculative or unverified claims.

Vendor: oroinc

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-44548 | ChurchCRM: CSRF via legacy GET-delete pages (FundRaiserDelete.php, PropertyTypeDelete.php, NoteDelete.php) | CWE-352 | 8.1 | High | 2026-05-12 |
| CVE-2026-44547 | ChurchCRM: Incomplete fix for CVE-2026-40582: public API login still bypasses 2FA and account lockout in ChurchCRM 7.2.2 | CWE-287 | 9.6 | Critical | 2026-05-12 |
| CVE-2026-42288 | ChurchCRM: Incomplete fix for CVE-2026-39337: Unauthenticated RCE in Setup Wizard via unsanitized DB_PASSWORD | CWE-94 | 10.0 | Critical | 2026-05-12 |
| CVE-2026-42289 | ChurchCRM: Cross-Site Request Forgery (CSRF) Leading to Admin Privilege Escalation | CWE-269 | 8.8 | High | 2026-05-12 |
| CVE-2026-40593 | ChurchCRM: Stored XSS in UserEditor.php via Login Name Field | CWE-79 | 4.8 | Medium | 2026-04-18 |
| CVE-2026-40581 | ChurchCRM: Cross-Site Request Forgery (CSRF) in SelectDelete.php Leading to Permanent Data Deletion | CWE-352 | 8.1 | High | 2026-04-17 |
| CVE-2026-40485 | ChurchCRM: Username Enumeration via Differential Response in Public Login API | CWE-307 | 5.3 | Medium | 2026-04-17 |
| CVE-2026-40484 | ChurchCRM: Authenticated Remote Code Execution via Unrestricted PHP File Write in Database Restore Function | CWE-269 | 9.1 | Critical | 2026-04-17 |
| CVE-2026-40483 | ChurchCRM: Stored XSS in PledgeEditor.php via Donation Comment Field | CWE-79 | 5.4 | Medium | 2026-04-17 |
| CVE-2026-40582 | ChurchCRM: Authentication Bypass in `/api/public/user/login` Allows Bypass of 2FA and Account Lockout | CWE-288 | 9.8 (AI) | Critical (AI) | 2026-04-17 |
| CVE-2026-40480 | ChurchCRM has Missing Object-Level Authorization / IDOR in `/api/person/{personId}` | CWE-639 | 6.5 (AI) | Medium (AI) | 2026-04-17 |
| CVE-2026-40482 | ChurchCRM has Authenticated SQL Injection in `/api/families/byCheckNumber/{scanString}` | CWE-89 | 8.8 (AI) | High (AI) | 2026-04-17 |
| CVE-2026-39940 | ChurchCRM has an Open Redirect via the 'linkBack' URL Parameter in DonatedItemEditor.php | CWE-601 | 5.4 | - | 2026-04-13 |
| CVE-2026-39941 | ChurchCRM has an XSS vulnerability | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-04-09 |
| CVE-2026-39337 | ChurchCRM Affected by Unauthenticated RCE in Install Wizard | CWE-94 | 10.0 | Critical | 2026-04-07 |
| CVE-2026-39319 | ChurchCRM has a Second-Order SQLi via FundRaiserEditor.php | CWE-89 | 8.8 | High | 2026-04-07 |
| CVE-2026-39344 | ChurchCRM has Reflected XSS in the login page through the 'username' parameter | CWE-80 | 6.1 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39343 | ChurchCRM has a SQL Injection in Event Type Editor (Admin) | CWE-89 | 7.2 | High | 2026-04-07 |
| CVE-2026-39342 | ChurchCRM has a SQL Injection via the searchwhat parameter in QueryView.php | CWE-89 | 8.8 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-39341 | SQL injection in ChurchCRM.0 | CWE-89 | 8.1 | High | 2026-04-07 |
| CVE-2026-39340 | ChurchCRM has a SQL Injection in PropertyTypeEditor.php via Incorrect Sanitizer Substitution | CWE-89 | 8.1 | High | 2026-04-07 |
| CVE-2026-39339 | ChurchCRM has an API Authentication Bypass | CWE-284 | 9.1 | Critical | 2026-04-07 |
| CVE-2026-39338 | ChurchCRM has Blind XSS via Global Search – Administrative Cookie Session Exfiltration | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39336 | ChurchCRM has Stored XSS from unescaped config values in HTML attributes | CWE-79 | 6.1 | Medium | 2026-04-07 |
| CVE-2026-39334 | ChurchCRM has a Blind SQL Injection in SettingsIndividual.php | CWE-89 | 8.8 | High | 2026-04-07 |
| CVE-2026-39333 | ChurchCRM has Reflected XSS in DateStart/DateEnd parameters in FindFundRaiser.php | CWE-79 | 8.7 | High | 2026-04-07 |
| CVE-2026-39332 | ChurchCRM has Reflected Cross-Site Scripting (XSS) in GeoPage.php | CWE-79 | 8.7 | High | 2026-04-07 |
| CVE-2026-39331 | ChurchCRM has an API Authorization Bypass Allowing an Authenticated User to Deactivate, Modify, and Spam Arbitrary Families | CWE-639 | 8.1 | High | 2026-04-07 |
| CVE-2026-39330 | ChurchCRM has a Blind SQL Injection in PropertyAssign.php | CWE-89 | 8.8 | High | 2026-04-07 |
| CVE-2026-39329 | ChurchCRM has a Blind SQL Injection in EventNames.php | CWE-89 | 8.8 | High | 2026-04-07 |

CVSS and severity values marked (AI) carry the source listing's "AI" flag; confirm them against the vendor advisory or NVD record before using them to prioritise. The listing above shows 30 of the 82 entries the page counts.
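Two of the Critical entries above (CVE-2026-39337 and its incomplete fix CVE-2026-42288) are classed CWE-94, code injection, reached through an unsanitized DB_PASSWORD in the setup wizard. The following is an added illustration of that weakness class in general, written for this page; it is not ChurchCRM's code and does not describe its installer. The file layout, function names, and the assumption that an installer writes the submitted password into a generated PHP config file are all constructed for the example.

```php
<?php
// Added example (not ChurchCRM code): CWE-94 via a generated PHP config file.
// Assumed scenario: a setup wizard takes a DB password from a form and writes
// it into config.php as a PHP constant, which is then include()d on every request.

// Vulnerable: the submitted value is interpolated straight into PHP source.
// A value that closes the quoted string (e.g. x'); <code> // ) turns the rest
// of the line into code that runs whenever the config file is loaded.
function writeConfigVulnerable(string $path, string $dbPassword): void
{
    $php = "<?php\n"
         . "define('DB_PASSWORD', '" . $dbPassword . "');\n";
    file_put_contents($path, $php);
}

// Hardened: var_export() emits a correctly quoted and escaped PHP string
// literal, so the value is always data, never code. The writer also refuses
// to run once a config exists, which closes the "re-run the wizard" path that
// makes this class of bug reachable without authentication.
function writeConfigSafe(string $path, string $dbPassword): void
{
    if (file_exists($path)) {
        throw new RuntimeException('Setup already completed; refusing to overwrite config.');
    }
    $php = "<?php\n"
         . "define('DB_PASSWORD', " . var_export($dbPassword, true) . ");\n";
    // Write to a temp file with restrictive permissions, then rename atomically.
    $tmp = $path . '.tmp';
    file_put_contents($tmp, $php, LOCK_EX);
    chmod($tmp, 0600);
    rename($tmp, $path);
}

// Demonstration with a constructed payload against temp files only.
$payload = "x'); echo 'INJECTED'; //";
$dir = sys_get_temp_dir();
@unlink("$dir/vuln_config.php");
@unlink("$dir/safe_config.php");

writeConfigVulnerable("$dir/vuln_config.php", $payload);
echo file_get_contents("$dir/vuln_config.php");
// define('DB_PASSWORD', 'x'); echo 'INJECTED'; //');   <- two statements; the echo runs on include

writeConfigSafe("$dir/safe_config.php", $payload);
echo file_get_contents("$dir/safe_config.php");
// define('DB_PASSWORD', 'x\'); echo \'INJECTED\'; //');  <- one string literal; nothing executes
```

The check to carry over to a real installer audit: grep the setup code for any string building that lands in a `.php`, `.ini`, or `.env` file and ask whether the value passes through a literal-producing encoder (`var_export`, `json_encode`, or an equivalent) and whether the wizard can be reached after installation has completed. The "incomplete fix" entry in the table is a reminder that patching the encoder without also gating re-entry to the wizard leaves part of the problem in place.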
