9.4

CVSS4.0

CVE-2026-39342 - ChurchCRM has a SQL injection searchwhat parameter via QueryView.php

ChurchCRM is an open-source church management system. Prior to 7.1.0, the searchwhat parameter via QueryView.php with the QueryID=15 is vulnerable to a SQL injection. The authenticated user requires access to Data/Reports > Query Menu and access to the "Advanced Search" query. This vulnerability is…

📅 Published: April 7, 2026, 6:02 p.m. 🔄 Last Modified: April 9, 2026, 4:02 p.m.

8.1

CVSS3.1

CVE-2026-39341 - SQL injection in ChurchCRM.0

ChurchCRM is an open-source church management system. Prior to 7.1.0, the application is vulnerable to time-based SQL injection due to an improper input validation. Endpoint Reports/ConfirmReportEmail.php?familyId= is not correctly sanitising user input, specifically, the sanitised input is not use…

📅 Published: April 7, 2026, 6:01 p.m. 🔄 Last Modified: April 9, 2026, 3:35 p.m.

8.1

CVSS3.1

CVE-2026-39340 - ChurchCRM has a SQL Injection in PropertyTypeEditor.php via Incorrect Sanitizer Substitution

ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property type categories (People → Person Properties / Family Properties). The vulnerability was introduced whe…

📅 Published: April 7, 2026, 6 p.m. 🔄 Last Modified: April 9, 2026, 6:43 p.m.

9.1

CVSS3.1

CVE-2026-39339 - ChurchCRM has an API Authentication Bypass

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywher…

📅 Published: April 7, 2026, 5:58 p.m. 🔄 Last Modified: April 8, 2026, 7:46 p.m.

8.6

CVSS4.0

CVE-2026-39338 - ChurchCRM has Blind XSS via Global Search – Administrative Cookie Session Exfiltration

ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM dashboard. The application fails to sanitize or encode user-supplied input prior to rendering it within the browser's D…

📅 Published: April 7, 2026, 5:57 p.m. 🔄 Last Modified: April 9, 2026, 3:53 p.m.

6.1

CVSS3.1

CVE-2026-39336 - ChurchCRM has Stored XSS from unescaped config values in HTML attributes

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered into address fields, and external self-registration form defaults. This is primarily an admin-to-admin…

📅 Published: April 7, 2026, 5:40 p.m. 🔄 Last Modified: April 8, 2026, 7:47 p.m.

8.8

CVSS3.1

CVE-2026-39334 - ChurchCRM has a Blind SQL injection in SettingsIndividual.php

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsIndividual.php in ChurchCRM 7.0.5. Authenticated users without any specific privileges can inject arbitrary SQL statements through the type array parameter via the…

📅 Published: April 7, 2026, 5:38 p.m. 🔄 Last Modified: April 8, 2026, 7:47 p.m.

8.7

CVSS3.1

CVE-2026-39333 - ChurchCRM has Reflected XSS in DateStart/DateEnd parameters in FindFundRaiser.php

ChurchCRM is an open-source church management system. Prior to 7.1.0, the FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd) into HTML input field attributes without proper output encoding for the HTML attribute context. An authenticated attacker can craft a malicious U…

📅 Published: April 7, 2026, 5:38 p.m. 🔄 Last Modified: April 8, 2026, 7:47 p.m.

8.7

CVSS3.1

CVE-2026-39332 - ChurchCRM has Reflected Cross-Site Scripting (XSS) in GeoPage.php

ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocu…

📅 Published: April 7, 2026, 5:37 p.m. 🔄 Last Modified: April 8, 2026, 7:47 p.m.

8.1

CVSS3.1

CVE-2026-39331 - ChurchCRM has an API Authorization Bypass Allows Authenticated User to Deactivate, Modify, and Spam…

ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply changing the {familyId} parameter in requests, regardless of whether they possess the required EditRecords privilege. /family/{…

📅 Published: April 7, 2026, 5:36 p.m. 🔄 Last Modified: April 8, 2026, 7:47 p.m.