ID:12588 - Exploit for Improper Authentication in ChurchCRM
Published: April 13, 2026
Vulnerability identifier: #VU125849
Vulnerability risk: High
CVE-ID: N/A
CWE-ID: CWE-287
Exploitation vector: Remote access
Vulnerable software:
ChurchCRM
ChurchCRM
Link to public exploit:
Vulnerability description
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error when processing authentication requests in the /api/public/user/login endpoint. A remote attacker can bypass the 2FA and account lockout checks.
Remediation
Install updates from vendor's website.