6.1

CVSS3.1

CVE-2026-39336 - ChurchCRM has Stored XSS from unescaped config values in HTML attributes

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered into address fields, and external self-registration form defaults. This is primarily an admin-to-admin…

📅 Published: April 7, 2026, 5:40 p.m. 🔄 Last Modified: April 10, 2026, 8:57 p.m.

8.8

CVSS3.1

CVE-2026-39334 - ChurchCRM has a Blind SQL injection in SettingsIndividual.php

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsIndividual.php in ChurchCRM 7.0.5. Authenticated users without any specific privileges can inject arbitrary SQL statements through the type array parameter via the…

📅 Published: April 7, 2026, 5:38 p.m. 🔄 Last Modified: April 10, 2026, 8:57 p.m.

8.7

CVSS3.1

CVE-2026-39333 - ChurchCRM has Reflected XSS in DateStart/DateEnd parameters in FindFundRaiser.php

ChurchCRM is an open-source church management system. Prior to 7.1.0, the FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd) into HTML input field attributes without proper output encoding for the HTML attribute context. An authenticated attacker can craft a malicious U…

📅 Published: April 7, 2026, 5:38 p.m. 🔄 Last Modified: April 10, 2026, 8:57 p.m.

8.7

CVSS3.1

CVE-2026-39332 - ChurchCRM has Reflected Cross-Site Scripting (XSS) in GeoPage.php

ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocu…

📅 Published: April 7, 2026, 5:37 p.m. 🔄 Last Modified: April 10, 2026, 8:58 p.m.

8.1

CVSS3.1

CVE-2026-39331 - ChurchCRM has an API Authorization Bypass Allows Authenticated User to Deactivate, Modify, and Spam…

ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply changing the {familyId} parameter in requests, regardless of whether they possess the required EditRecords privilege. /family/{…

📅 Published: April 7, 2026, 5:36 p.m. 🔄 Last Modified: April 10, 2026, 8:58 p.m.

8.8

CVSS3.1

CVE-2026-39330 - ChurchCRM has a Blind SQL injection in PropertyAssign.php

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles (ManageGroups) and Edit Records (isEditRecordsEnabled) can inject arbitrary SQL st…

📅 Published: April 7, 2026, 5:34 p.m. 🔄 Last Modified: April 10, 2026, 8:55 p.m.

8.8

CVSS3.1

CVE-2026-39329 - ChurchCRM has a Blind SQL injection in EventNames.php

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames.php in ChurchCRM. Authenticated users with AddEvent privileges can inject SQL via the newEvtTypeCntLst parameter during event type creation. The vulnerable flow reaches…

📅 Published: April 7, 2026, 5:33 p.m. 🔄 Last Modified: April 10, 2026, 8:58 p.m.

8.9

CVSS3.1

CVE-2026-39328 - ChurchCRM has Stored XSS in Social Profile Fields

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, and …

📅 Published: April 7, 2026, 5:32 p.m. 🔄 Last Modified: April 10, 2026, 8:56 p.m.

8.8

CVSS3.1

CVE-2026-39327 - ChurchCRM has a SQL injection in MemberRoleChange.php

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /MemberRoleChange.php in ChurchCRM 7.0.5. Authenticated users with the role Manage Groups & Roles (ManageGroups) can inject arbitrary SQL statements through the NewRole par…

📅 Published: April 7, 2026, 5:31 p.m. 🔄 Last Modified: April 10, 2026, 8:56 p.m.

8.8

CVSS3.1

CVE-2026-39326 - ChurchCRM has a Blind SQL injection in PropertyTypeEditor.php

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role isMenuOptionsEnabled can inject arbitrary SQL statements through the Name and Description parameters…

📅 Published: April 7, 2026, 5:30 p.m. 🔄 Last Modified: April 10, 2026, 8:58 p.m.
Total results: 344974