|
1
|
- |
|
-
|
-
|
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorizatio…
|
CWE-639
CWE-862
Authorization Bypass Through User-Controlled Key
Missing Authorization
|
CVE-2026-40480
|
2026-04-21 03:59 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2
|
- |
|
-
|
-
|
ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw SQ…
|
CWE-89
SQL Injection
|
CVE-2026-40482
|
2026-04-21 03:59 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3
|
5.4 |
MEDIUM
Network
|
-
|
-
|
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes without escaping via html…
|
CWE-79
CWE-116
Cross-site Scripting
Improper Encoding or Escaping of Output
|
CVE-2026-40483
|
2026-04-21 03:59 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4
|
5.3 |
MEDIUM
Network
|
-
|
-
|
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint (/api/public/user/login) returns distinguishable HTTP response codes based on whether a…
|
CWE-204
CWE-307
Response Discrepancy Information Exposure
mproper Restriction of Excessive Authentication Attempts
|
CVE-2026-40485
|
2026-04-21 03:59 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5
|
9.1 |
CRITICAL
Network
|
-
|
-
|
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ direct…
|
CWE-269
CWE-434
CWE-552
Improper Privilege Management
Unrestricted Upload of File with Dangerous Type
Files or Directories Accessible to External Parties
|
CVE-2026-40484
|
2026-04-21 03:59 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
6
|
8.1 |
HIGH
Network
|
-
|
-
|
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records an…
|
CWE-352
CWE-862
Origin Validation Error
Missing Authorization
|
CVE-2026-40581
|
2026-04-21 03:59 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
7
|
- |
|
-
|
-
|
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, byp…
|
CWE-288
CWE-305
Authentication Bypass Using an Alternate Path or Channel
Authentication Bypass by Primary Weakness
|
CVE-2026-40582
|
2026-04-21 03:59 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
8
|
4.8 |
MEDIUM
Network
|
-
|
-
|
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the User Editor (UserEditor.php) renders stored usernames directly into an HTML input value attribute without applyin…
|
CWE-79
CWE-116
Cross-site Scripting
Improper Encoding or Escaping of Output
|
CVE-2026-40593
|
2026-04-21 03:59 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
9
|
- |
|
-
|
-
|
editorconfig-core-c is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in ec_glob() that allo…
|
CWE-121
CWE-787
Stack-based Buffer Overflow
Out-of-bounds Write
|
CVE-2026-40489
|
2026-04-21 03:59 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
10
|
6.8 |
MEDIUM
Network
|
-
|
-
|
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (followRedirect(true)), versio…
|
CWE-200
Information Exposure
|
CVE-2026-40490
|
2026-04-21 03:59 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
