
CRM — Vulnerabilities & Security Advisories (78)

All 78 CVE vulnerabilities found in CRM, with AI-generated Chinese analysis, references, and POCs.

Vendor: oroinc

| CVE ID | Title | CWE | CVSS | Severity | Date |
|---|---|---|---|---|---|
| CVE-2026-40593 | ChurchCRM: Stored XSS in UserEditor.php via Login Name Field | CWE-79 | 4.8 | Medium | 2026-04-18 |
| CVE-2026-40581 | ChurchCRM: Cross-Site Request Forgery (CSRF) in SelectDelete.php Leading to Permanent Data Deletion | CWE-352 | 8.1 | High | 2026-04-17 |
| CVE-2026-40485 | ChurchCRM: Username Enumeration via Differential Response in Public Login API | CWE-307 | 5.3 | Medium | 2026-04-17 |
| CVE-2026-40484 | ChurchCRM: Authenticated Remote Code Execution via Unrestricted PHP File Write in Database Restore Function | CWE-269 | 9.1 | Critical | 2026-04-17 |
| CVE-2026-40483 | ChurchCRM: Stored XSS in PledgeEditor.php via Donation Comment Field | CWE-79 | 5.4 | Medium | 2026-04-17 |
| CVE-2026-40582 | ChurchCRM: Authentication Bypass in `/api/public/user/login` Allows Bypass of 2FA and Account Lockout | CWE-288 | 9.8 (AI) | Critical (AI) | 2026-04-17 |
| CVE-2026-40480 | ChurchCRM has Missing Object-Level Authorization / IDOR in `/api/person/{personId}` | CWE-639 | 6.5 (AI) | Medium (AI) | 2026-04-17 |
| CVE-2026-40482 | ChurchCRM has Authenticated SQL Injection in `/api/families/byCheckNumber/{scanString}` | CWE-89 | 8.8 (AI) | High (AI) | 2026-04-17 |
| CVE-2026-39940 | ChurchCRM has an Open Redirect via the 'linkBack' URL Parameter in DonatedItemEditor.php | CWE-601 | 5.4 | - | 2026-04-13 |
| CVE-2026-39941 | ChurchCRM has an XSS vulnerability | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-04-09 |
| CVE-2026-39337 | ChurchCRM Affected by Unauthenticated RCE in Install Wizard | CWE-94 | 10.0 | Critical | 2026-04-07 |
| CVE-2026-39319 | ChurchCRM has a Second Order SQLi via FundRaiserEditor.php | CWE-89 | 8.8 | High | 2026-04-07 |
| CVE-2026-39344 | Reflected XSS in the login page through the 'username' parameter | CWE-80 | 6.1 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39343 | ChurchCRM has a SQL Injection in Event Type Editor (Admin) | CWE-89 | 7.2 | High | 2026-04-07 |
| CVE-2026-39342 | ChurchCRM has a SQL injection in the searchwhat parameter via QueryView.php | CWE-89 | 8.8 (AI) | High (AI) | 2026-04-07 |
| CVE-2026-39341 | SQL injection in ChurchCRM.0 | CWE-89 | 8.1 | High | 2026-04-07 |
| CVE-2026-39340 | ChurchCRM has a SQL Injection in PropertyTypeEditor.php via Incorrect Sanitizer Substitution | CWE-89 | 8.1 | High | 2026-04-07 |
| CVE-2026-39339 | ChurchCRM has an API Authentication Bypass | CWE-284 | 9.1 | Critical | 2026-04-07 |
| CVE-2026-39338 | ChurchCRM has Blind XSS via Global Search – Administrative Cookie Session Exfiltration | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-39336 | ChurchCRM has Stored XSS from unescaped config values in HTML attributes | CWE-79 | 6.1 | Medium | 2026-04-07 |
| CVE-2026-39334 | ChurchCRM has a Blind SQL injection in SettingsIndividual.php | CWE-89 | 8.8 | High | 2026-04-07 |
| CVE-2026-39333 | ChurchCRM has Reflected XSS in DateStart/DateEnd parameters in FindFundRaiser.php | CWE-79 | 8.7 | High | 2026-04-07 |
| CVE-2026-39332 | ChurchCRM has Reflected Cross-Site Scripting (XSS) in GeoPage.php | CWE-79 | 8.7 | High | 2026-04-07 |
| CVE-2026-39331 | ChurchCRM has an API Authorization Bypass that Allows an Authenticated User to Deactivate, Modify, and Spam Arbitrary Families | CWE-639 | 8.1 | High | 2026-04-07 |
| CVE-2026-39330 | ChurchCRM has a Blind SQL injection in PropertyAssign.php | CWE-89 | 8.8 | High | 2026-04-07 |
| CVE-2026-39329 | ChurchCRM has a Blind SQL injection in EventNames.php | CWE-89 | 8.8 | High | 2026-04-07 |
| CVE-2026-39328 | ChurchCRM has Stored XSS in Social Profile Fields | CWE-79 | 8.9 | High | 2026-04-07 |
| CVE-2026-39327 | ChurchCRM has a SQL injection in MemberRoleChange.php | CWE-89 | 8.8 | High | 2026-04-07 |
| CVE-2026-39326 | ChurchCRM has a Blind SQL injection in PropertyTypeEditor.php | CWE-89 | 8.8 | High | 2026-04-07 |
| CVE-2026-39325 | ChurchCRM has a Blind SQL injection in SettingsUser.php | CWE-89 | 7.2 | High | 2026-04-07 |

Entries marked (AI) carry the site's AI badge on their CVSS score and severity rating; unmarked scores appear without that badge on the source page.

All 78 known CVE vulnerabilities affecting CRM with full Chinese analysis, references, and POCs where available.