CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Totals: 11702 total, 781 critical, 3315 high, 3732 medium.
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-39344 | HIGH | 8.1 | ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting (XSS) vulnerability on the login page, which is caused … | Apr 07, 2026 |
| CVE-2026-39343 | HIGH | 7.2 | ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in the EditEventTypes.php file, which is only accessible to administrators. … | Apr 07, 2026 |
| CVE-2026-39342 | UNKNOWN | — | ChurchCRM is an open-source church management system. Prior to 7.1.0, the searchwhat parameter via QueryView.php with the QueryID=15 is vulnerable to a SQL injection. The … | Apr 07, 2026 |
| CVE-2026-39341 | HIGH | 8.1 | ChurchCRM is an open-source church management system. Prior to 7.1.0, the application is vulnerable to time-based SQL injection due to improper input validation. Endpoint … | Apr 07, 2026 |
| CVE-2026-39340 | HIGH | 8.1 | ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property … | Apr 07, 2026 |
| CVE-2026-39339 | CRITICAL | 9.1 | ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access … | Apr 07, 2026 |
| CVE-2026-39338 | UNKNOWN | — | ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM … | Apr 07, 2026 |
| CVE-2026-39337 | CRITICAL | 10.0 | ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject … | Apr 07, 2026 |
| CVE-2026-39336 | MEDIUM | 6.1 | ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person … | Apr 07, 2026 |
| CVE-2026-39335 | MEDIUM | 6.1 | ChurchCRM is an open-source church management system. Prior to 7.1.1, there is Stored XSS in group remove control and family editor state/country. This is primarily … | Apr 07, 2026 |
| CVE-2026-39334 | HIGH | 8.8 | ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsIndividual.php in ChurchCRM 7.0.5. Authenticated users … | Apr 07, 2026 |
| CVE-2026-39333 | HIGH | 8.7 | ChurchCRM is an open-source church management system. Prior to 7.1.0, the FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd) into HTML input field attributes without … | Apr 07, 2026 |
| CVE-2026-39332 | HIGH | 8.7 | ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary … | Apr 07, 2026 |
| CVE-2026-39331 | HIGH | 8.1 | ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply … | Apr 07, 2026 |
| CVE-2026-39330 | HIGH | 8.8 | ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with … | Apr 07, 2026 |
| CVE-2026-39329 | HIGH | 8.8 | ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames.php in ChurchCRM. Authenticated users with AddEvent privileges … | Apr 07, 2026 |
| CVE-2026-39328 | HIGH | 8.9 | ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who … | Apr 07, 2026 |
| CVE-2026-39327 | HIGH | 8.8 | ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /MemberRoleChange.php in ChurchCRM 7.0.5. Authenticated users … | Apr 07, 2026 |
| CVE-2026-39326 | HIGH | 8.8 | ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with … | Apr 07, 2026 |
| CVE-2026-39325 | HIGH | 7.2 | ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsUser.php in ChurchCRM 7.0.5. Authenticated administrative … | Apr 07, 2026 |
| CVE-2026-39324 | UNKNOWN | — | Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption … | Apr 07, 2026 |
| CVE-2026-39323 | HIGH | 8.8 | ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical SQL injection vulnerability exists in ChurchCRM's PropertyTypeEditor.php where the Name and Description POST … | Apr 07, 2026 |
| CVE-2026-39321 | UNKNOWN | — | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, the login … | Apr 07, 2026 |
| CVE-2026-39319 | HIGH | 8.8 | ChurchCRM is an open-source church management system. Prior to 7.1.0, a second order SQL injection vulnerability was found in the endpoint /FundRaiserEditor.php in ChurchCRM. A … | Apr 07, 2026 |
| CVE-2026-39318 | HIGH | 8.8 | ChurchCRM is an open-source church management system. Prior to 7.1.0, the GroupPropsFormRowOps.php file contains a SQL injection vulnerability. User input in the Field parameter is … | Apr 07, 2026 |