SB2026040984 - Multiple vulnerabilities in ChurchCRM
Published: April 9, 2026 Updated: May 5, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 25 vulnerabilities.
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in an administrator's browser and hijack the administrator's session.
The vulnerability exists due to cross-site scripting in the property assignment and profile rendering functionality when storing and displaying user-controlled property values on a user's profile page. A remote user can assign a specially crafted property value to another user's record to execute arbitrary script in an administrator's browser and hijack the administrator's session.
User interaction is required because the administrator must view the affected profile page, and exploitation requires permissions to edit records and manage properties and classifications.
2) SQL injection (CVE-ID: CVE-2025-68400)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in ConfirmReportEmail.php when handling the familyId parameter in requests to the legacy /Reports/ConfirmReportEmail.php endpoint. A remote attacker can send a specially crafted request to execute arbitrary SQL commands.
The endpoint remains directly reachable by URL even though it was removed from the user interface.
3) SQL injection (CVE-ID: N/A)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in QueryView.php when processing the searchstring POST parameter in stored query templates. A remote attacker can send a specially crafted POST request to execute arbitrary SQL commands.
The issue is reachable through the reporting query menu, including the default Advanced Search stored query with QueryID 15.
4) Information disclosure (CVE-ID: CVE-2025-68110)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in StatementWrapper.php when handling database errors. A remote user can trigger an uncaught database exception to disclose sensitive information.
Exposed error messages may include the database host, IP address, username, and password.
5) SQL injection (CVE-ID: N/A)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to sql injection in the QueryView.php endpoint when handling the "searchstring" and "searchwhat" parameters in requests to /churchcrm/QueryView.php?QueryID=15. A remote user can send specially crafted parameter values to disclose sensitive information.
The vulnerable endpoint is accessible with low privileges.
6) SQL injection (CVE-ID: CVE-2025-66396)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in src/UserEditor.php when processing the keys of the type POST parameter array while saving user configuration settings. A remote privileged user can send a specially crafted POST request to execute arbitrary SQL commands.
The injected key is concatenated into SELECT and UPDATE queries, and the issue can be exploited through time-based blind SQL injection.
7) SQL injection (CVE-ID: CVE-2025-66395)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary SQL commands.
The vulnerability exists due to improper neutralization of special elements used in an SQL command in src/ListEvents.php when processing the WhichType POST parameter while filtering events by type. A remote user can send a specially crafted POST request to execute arbitrary SQL commands.
The WhichType parameter is processed without enforcing an integer type before being concatenated into multiple SQL queries, and time-based blind SQL injection is possible.
8) SQL injection (CVE-ID: CVE-2025-68111)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary SQL queries.
The vulnerability exists due to SQL injection in the eGive ReImport functionality in src/eGive.php when processing the MissingEgive_FamID_* POST parameter. A remote privileged user can send a specially crafted POST request to execute arbitrary SQL queries.
Exploitation requires the eGive import flow to reach the re-import form for missing eGive IDs.
9) SQL injection (CVE-ID: N/A)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary SQL queries.
The vulnerability exists due to SQL injection in src/EventEditor.php when handling the EID POST parameter during event editing. A remote privileged user can send a specially crafted POST request to execute arbitrary SQL queries.
Exploitation requires event management permissions associated with the isAddEvent capability.
10) SQL injection (CVE-ID: CVE-2025-68112)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in EditEventAttendees.php when handling a crafted EID parameter in POST requests. A remote user can send a specially crafted request to execute arbitrary SQL commands.
The issue affects the Event Attendee Editor functionality and does not require administrative privileges.
11) SQL injection (CVE-ID: CVE-2025-67877)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to SQL injection in /src/CartToFamily.php when handling the PersonAddress POST parameter in the Add to Family feature. A remote user can send a specially crafted POST request to disclose sensitive information.
Exploitation requires the Add Records permission.
12) Arbitrary file upload (CVE-ID: CVE-2025-68109)
CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear
The vulnerability allows a remote user to execute arbitrary code on the server.
The vulnerability exists due to unrestricted upload of file with dangerous type in the database restore functionality when uploading restore files. A remote privileged user can upload a web shell file and a crafted .htaccess file to execute arbitrary code on the server.
The uploaded web shell executes with the privileges of the web server user, and the impact extends beyond the application boundary.
13) Cross-site scripting (CVE-ID: CVE-2026-35575)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in an administrator's browser and steal the administrator's session cookies.
The vulnerability exists due to cross-site scripting in the admin panel group-creation feature when processing a crafted group name. A remote user can create a group with malicious JavaScript in its name to execute arbitrary JavaScript in an administrator's browser and steal the administrator's session cookies.
User interaction is required when an administrator views the page containing the crafted group name.
14) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-35572)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information and cause limited integrity and availability impacts.
The vulnerability exists due to server-side request forgery (SSRF) in DonationFundEditor.php when processing a crafted Referer header. A remote privileged user can send a specially crafted request with a full URL in the Referer header to disclose sensitive information and cause limited integrity and availability impacts.
The server issues an outbound HTTP or HTTPS request to the supplied host, and other endpoints may also be affected if they share the same middleware or logging path.
15) SQL injection (CVE-ID: CVE-2026-39343)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary SQL commands against the database.
The vulnerability exists due to improper neutralization of special elements used in an SQL command in EditEventTypes.php when handling the EN_tyid POST parameter. A remote privileged user can send a specially crafted POST parameter to execute arbitrary SQL commands against the database.
The vulnerable page is only accessible to administrators.
16) SQL injection (CVE-ID: CVE-2026-39341)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to manipulate the database and disclose sensitive information.
The vulnerability exists due to SQL injection in the Reports/ConfirmReportEmail.php endpoint when handling the familyId parameter in requests. A remote user can send a specially crafted request to manipulate the database and disclose sensitive information.
Exploitation requires access to the vulnerable endpoint.
17) Improper access control (CVE-ID: CVE-2026-39339)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass authentication and access protected API endpoints.
The vulnerability exists due to improper access control in src/ChurchCRM/Slim/Middleware/AuthMiddleware.php when handling request URIs containing "api/public". A remote attacker can send a specially crafted request with "api/public" in the URL to bypass authentication and access protected API endpoints.
This can expose church member data and system information, and some endpoints may also permit actions such as triggering background jobs or manipulating calendar resources.
18) Path traversal (CVE-ID: CVE-2026-35573)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to path traversal in src/ChurchCRM/Backup/RestoreJob.php backup restore functionality when handling uploaded backup files. A remote privileged user can upload a crafted .htaccess file and then upload a php webshell to execute arbitrary code.
Exploitation overwrites Apache .htaccess configuration files to bypass PHP execution restrictions.
19) Cross-site scripting (CVE-ID: CVE-2026-35574)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript code in other users' browsers.
The vulnerability exists due to cross-site scripting in NoteEditor.php when processing note content. A remote user can submit a specially crafted note to execute arbitrary JavaScript code in other users' browsers.
User interaction is required when another user views the malicious note, including on a person's profile page.
20) Cross-site scripting (CVE-ID: CVE-2025-68275)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to cross-site scripting in the group name field when rendering person listing pages. A remote privileged user can create a group with a specially crafted name to execute arbitrary script in a victim's browser.
User interaction is required to view the affected people listing pages.
21) Server-Side Request Forgery (SSRF) (CVE-ID: N/A)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to server-side request forgery in the referrer handling logic when processing a GET request to the Dashboard with an external referrer. A remote user can supply a crafted referrer value to cause a denial of service.
Exploitation requires the attacker to be logged in.
22) SQL injection (CVE-ID: CVE-2026-39342)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to SQL injection in the QueryView.php searchwhat parameter when handling requests to QueryView.php with QueryID=15. A remote user can send a specially crafted request to disclose sensitive information.
Exploitation requires access to Data/Reports > Query Menu and the Advanced Search query.
23) Improper access control (CVE-ID: CVE-2025-66397)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to perform unauthorized kiosk management actions.
The vulnerability exists due to improper access control in the Kiosk Manager API endpoints when handling authenticated requests to kiosk management functions. A remote user can send crafted requests to perform unauthorized kiosk management actions.
The issue affects the allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk functions that are intended for administrator use.
CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.
The vulnerability exists due to improper neutralization of script-related HTML tags in the login page username parameter handling in begin-session.php when rendering the login page with a user-supplied username query parameter. A remote attacker can send a specially crafted link to execute arbitrary script in the victim's browser.
User interaction is required to open a crafted login page URL.
25) Missing Critical Step in Authentication (CVE-ID: CVE-2026-44547)
CWE-ID: CWE-304 - Missing Critical Step in Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to bypass two-factor authentication and account lockout to obtain an API key and access protected API routes.
The vulnerability exists due to missing critical steps in authentication in the public API login handler in src/api/routes/public/public-user.php when processing password-only login requests to /api/public/user/login. A remote user can send valid credentials to obtain an API key and access protected API routes.
The browser login path enforces two-factor authentication and lockout checks, but the API token authentication path does not re-check those controls, and demonstrated access included finance data.
Remediation
Install update from vendor's website.
References
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-fcw7-mmfh-7vjm
- https://github.com/advisories/GHSA-fcw7-mmfh-7vjm
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v54g-2pvg-gvp2
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-qc2c-qmw4-52fp
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-82mq-xc2j-3qv2
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-68mc-6p92-gfq6
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-whpp-wx64-4qp9
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-c9xf-f3gr-xfwv
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-c4vm-87vf-hmx9
- https://github.com/advisories/GHSA-c4vm-87vf-hmx9
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-w6vg-8qhh-37jm
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hxf4-3vhp-wqcq
- https://github.com/advisories/GHSA-hxf4-3vhp-wqcq
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-h3vq-9gr6-h9r4
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-pqm7-g8px-9r77
- https://github.com/advisories/GHSA-pqm7-g8px-9r77
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-gc8q-2gw7-qj7w
- https://github.com/advisories/GHSA-gc8q-2gw7-qj7w
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-44x3-28jv-mrwq
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-h2hx-p9gp-q7gr
- https://github.com/advisories/GHSA-h2hx-p9gp-q7gr
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-3h69-vjff-jj5c
- https://github.com/advisories/GHSA-3h69-vjff-jj5c
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v3p2-mx78-pxhc
- https://github.com/advisories/GHSA-v3p2-mx78-pxhc
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-r6cr-mvr9-f6wx
- https://github.com/advisories/GHSA-r6cr-mvr9-f6wx
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-cx82-8xrh-7f5c
- https://github.com/advisories/GHSA-cx82-8xrh-7f5c
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-3q97-q4hv-gxwr
- https://github.com/advisories/GHSA-3q97-q4hv-gxwr
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-m5hc-fc5q-m98g
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-7fr4-mvfm-cxfx
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-32vr-ch3p-wmr5
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-rx8c-j7x8-w3hj
- https://github.com/ChurchCRM/CRM/commit/91cfa8eb00aef724705f5e038c236c146c6cf3a6
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-cwp8-rm8g-q5c9
- https://github.com/ChurchCRM/CRM/commit/214694eb83778e1f5e52b3dfa2a99d0e965c1850