6.3
CVE-2026-39321 - Parse Server has a login timing side-channel reveals user existence
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, he login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the seβ¦
10
CVE-2026-39337 - ChurchCRM Affected by Unauthenticated RCE in Install Wizard
ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromβ¦
8.8
CVE-2026-39319 - ChurchCRM has a Second Order SQLI via FundRaiserEditor.php
ChurchCRM is an open-source church management system. Prior to 7.1.0, a second order SQL injection vulnerability was found in the endpoint /FundRaiserEditor.php in ChurchCRM. A user has to be authenticated but doesn't need any privileges. These users can inject arbitrary SQL statements through the β¦
8.1
CVE-2026-39344 - Reflected XSS the login page through the 'username' parameter
ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting (XSS) vulnerability on the login page, which is caused by the lack of sanitization or encoding of the username parameter received from the URL. The username parameter value is directly diβ¦
7.2
CVE-2026-39343 - ChurchCRM has a SQL Injection in Event Type Editor (Admin)
ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in the EditEventTypes.php file, which is only accessible to administrators. The EN_tyid POST parameter is not sanitized before being used in a SQL query, allowing an administrator to execute aβ¦
9.4
CVE-2026-39342 - ChurchCRM has a SQL injection searchwhat parameter via QueryView.php
ChurchCRM is an open-source church management system. Prior to 7.1.0, the searchwhat parameter via QueryView.php with the QueryID=15 is vulnerable to a SQL injection. The authenticated user requires access to Data/Reports > Query Menu and access to the "Advanced Search" query. This vulnerability isβ¦
8.1
CVE-2026-39341 - SQL injection in ChurchCRM.0
ChurchCRM is an open-source church management system. Prior to 7.1.0, the application is vulnerable to time-based SQL injection due to an improper input validation. Endpoint Reports/ConfirmReportEmail.php?familyId= is not correctly sanitising user input, specifically, the sanitised input is not useβ¦
8.1
CVE-2026-39340 - ChurchCRM has a SQL Injection in PropertyTypeEditor.php via Incorrect Sanitizer Substitution
ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property type categories (People β Person Properties / Family Properties). The vulnerability was introduced wheβ¦
9.1
CVE-2026-39339 - ChurchCRM has an API Authentication Bypass
ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywherβ¦
8.6
CVE-2026-39338 - ChurchCRM has Blind XSS via Global Search β Administrative Cookie Session Exfiltration
ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM dashboard. The application fails to sanitize or encode user-supplied input prior to rendering it within the browser's Dβ¦