2026-04-07
2026-04-07 19:16Z
CRIT

CVE-2025-71058 — Dual: DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses without validating

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-71058

Dual DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses without validating that the response originates from a legitimate configured upstream DNS server. The implementation matches responses primarily by TXID and inserts results into the cache, enabling a remote attacker to inject forged responses and poison the DNS cache, potentially redirecting victims to attacker-controlled destinations. CVSSv3.1 9.1 (CRITICAL)

CWE: CWE-94 · Vendor: Dual · Type: Vulnerability
CVSS v3.1: 9.1
Edit Score: 96
2026-04-07
2026-04-07 18:16Z
HIGH

CVE-2026-39344 — Churchcrm Churchcrm: Prior to 7.1.0, there is a Reflected Cross-Site Scripting (XSS) vulnerability on the login

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39344

ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting (XSS) vulnerability on the login page, which is caused by the lack of sanitization or encoding of the username parameter received from the URL. The username parameter value is directly displayed in the login page input element without filter, allowing attackers to insert malicious JavaScript scripts. If successful, script can be executed on the client side, potentia CVSSv3.1 8.1 (HIGH)

CWE: CWE-79, CWE-80 · Vendor: Churchcrm · Type: Vulnerability
CVSS v3.1: 8.1
Edit Score: 91
2026-04-07
2026-04-07 18:16Z
HIGH

CVE-2026-39342 — Churchcrm Churchcrm: Prior to 7.1.0, the searchwhat parameter via QueryView.php with the QueryID=15 is vulnerable to

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39342

ChurchCRM is an open-source church management system. Prior to 7.1.0, the searchwhat parameter via QueryView.php with the QueryID=15 is vulnerable to a SQL injection. The authenticated user requires access to Data/Reports > Query Menu and access to the "Advanced Search" query. This vulnerability is fixed in 7.1.0. CVSSv3.1 8.8 (HIGH)

CWE: CWE-89 · Vendor: Churchcrm · Type: Vulnerability
CVSS v3.1: 8.8
Edit Score: 94
2026-04-07
2026-04-07 18:16Z
HIGH

CVE-2026-39341 — ChurchCRM: Prior to 7.1.0, the application is vulnerable to time-based SQL injection due to an

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39341

ChurchCRM is an open-source church management system. Prior to 7.1.0, the application is vulnerable to time-based SQL injection due to improper input validation. Endpoint Reports/ConfirmReportEmail.php?familyId= is not correctly sanitising user input; specifically, the sanitised input is not used to create the SQL query. This vulnerability is fixed in 7.1.0. CVSSv3.1 8.1 (HIGH)

CWE: CWE-89 · Vendor: Churchcrm · Type: Vulnerability
CVSS v3.1: 8.1
Edit Score: 91
2026-04-07
2026-04-07 18:16Z
HIGH

CVE-2026-39340 — Churchcrm Churchcrm: Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39340

ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property type categories (People → Person Properties / Family Properties). The vulnerability was introduced when legacyFilterInput(), which both strips HTML and escapes SQL, was replaced with sanitizeText(), which strips HTML only. User-supplied values from the Name and Description fields ar CVSSv3.1 8.1 (HIGH)

CWE: CWE-89 · Vendor: Churchcrm · Type: Vulnerability
CVSS v3.1: 8.1
Edit Score: 91
2026-04-07
2026-04-07 18:16Z
CRIT

CVE-2026-39339 — Churchcrm Churchcrm: Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39339

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere in the request URL, leading to complete exposure of church member data and system information. This vulnerability is fixed in 7.1.0. CVSSv3.1 9.1 (CRITICAL)

CWE: CWE-284 · Vendor: Churchcrm · Type: Vulnerability
CVSS v3.1: 9.1
Edit Score: 96
2026-04-07
2026-04-07 18:16Z
CRIT

CVE-2026-39337 — Churchcrm Churchcrm: Prior to 7.1.0, a critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39337

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The "$dbPassword" variable is not sanitized. This vulnerability exists due to an incomplete fix for CVE-2025-62521. This vulnerability is fixed in 7.1.0. CVSSv3.1 10.0 (CRITICAL)

CWE: CWE-94 · Vendor: Churchcrm · Type: Vulnerability
CVSS v3.1: 10.0
Edit Score: 100
2026-04-07
2026-04-07 18:16Z
HIGH

CVE-2026-39334 — Churchcrm Churchcrm: Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsIndividual.php in

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39334

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsIndividual.php in ChurchCRM 7.0.5. Authenticated users without any specific privileges can inject arbitrary SQL statements through the type array parameter via the index and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0. CVSSv3.1 8.8 (HIGH)

CWE: CWE-89 · Vendor: Churchcrm · Type: Vulnerability
CVSS v3.1: 8.8
Edit Score: 94
2026-04-07
2026-04-07 18:16Z
HIGH

CVE-2026-39333 — Churchcrm Churchcrm: This constitutes a reflected XSS vulnerability.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39333

ChurchCRM is an open-source church management system. Prior to 7.1.0, the FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd) into HTML input field attributes without proper output encoding for the HTML attribute context. An authenticated attacker can craft a malicious URL that executes arbitrary JavaScript when visited by another authenticated user. This constitutes a reflected XSS vulnerability. This vulnerability is fixed in 7.1.0. CVSSv3.1 8.7 (HIGH)

CWE: CWE-79 · Vendor: Churchcrm · Type: Vulnerability
CVSS v3.1: 8.7
Edit Score: 94
2026-04-07
2026-04-07 18:16Z
HIGH

CVE-2026-39332 — Churchcrm Churchcrm: Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39332

ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocus with no user interaction required, an attacker can steal session cookies and fully take over any victim account, including administrator accounts, by tricking them into submitting CVSSv3.1 8.7 (HIGH)

CWE: CWE-79 · Vendor: Churchcrm · Type: Vulnerability
CVSS v3.1: 8.7
Edit Score: 94
2026-04-07
2026-04-07 18:16Z
HIGH

CVE-2026-39331 — Churchcrm Churchcrm: Prior to 7.1.0, an authenticated API user can modify any family record's state without

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39331

ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply changing the {familyId} parameter in requests, regardless of whether they possess the required EditRecords privilege. /family/{familyId}/verify, /family/{familyId}/verify/url, /family/{familyId}/verify/now, /family/{familyId}/activate/{status}, and /family/{familyId}/geocode lack role-based access control, CVSSv3.1 8.1 (HIGH)

CWE: CWE-639, CWE-863 · Vendor: Churchcrm · Type: Vulnerability
CVSS v3.1: 8.1
Edit Score: 91
2026-04-07
2026-04-07 18:16Z
HIGH

CVE-2026-39330 — Churchcrm Churchcrm: Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39330

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles (ManageGroups) and Edit Records (isEditRecordsEnabled) can inject arbitrary SQL statements through the Value parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0. CVSSv3.1 8.8 (HIGH)

CWE: CWE-89 · Vendor: Churchcrm · Type: Vulnerability
CVSS v3.1: 8.8
Edit Score: 94
2026-04-07
2026-04-07 18:16Z
HIGH

CVE-2026-39329 — Churchcrm Churchcrm: Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames.php in ChurchCRM.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39329

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames.php in ChurchCRM. Authenticated users with AddEvent privileges can inject SQL via the newEvtTypeCntLst parameter during event type creation. The vulnerable flow reaches an ON DUPLICATE KEY UPDATE clause where unescaped user input is interpolated directly. This vulnerability is fixed in 7.1.0. CVSSv3.1 8.8 (HIGH)

CWE: CWE-89 · Vendor: Churchcrm · Type: Vulnerability
CVSS v3.1: 8.8
Edit Score: 94
2026-04-07
2026-04-07 18:16Z
HIGH

CVE-2026-39328 — Churchcrm Churchcrm: Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39328

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, and X profile fields. Due to a 50-character field limit, the payload is distributed across all three fields and chains their onfocus event handlers to execute in sequence. When any user CVSSv3.1 8.9 (HIGH)

CWE: CWE-79 · Vendor: Churchcrm · Type: Vulnerability
CVSS v3.1: 8.9
Edit Score: 95
2026-04-07
2026-04-07 18:16Z
HIGH

CVE-2026-39327 — Churchcrm Churchcrm: Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /MemberRoleChange.php in

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39327

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /MemberRoleChange.php in ChurchCRM 7.0.5. Authenticated users with the role Manage Groups & Roles (ManageGroups) can inject arbitrary SQL statements through the NewRole parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0. CVSSv3.1 8.8 (HIGH)

CWE: CWE-89 · Vendor: Churchcrm · Type: Vulnerability
CVSS v3.1: 8.8
Edit Score: 94
2026-04-07
2026-04-07 18:16Z
HIGH

CVE-2026-39326 — Churchcrm Churchcrm: Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39326

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role isMenuOptionsEnabled can inject arbitrary SQL statements through the Name and Description parameters and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0. CVSSv3.1 8.8 (HIGH)

CWE: CWE-89 · Vendor: Churchcrm · Type: Vulnerability
CVSS v3.1: 8.8
Edit Score: 94
2026-04-07
2026-04-07 18:16Z
HIGH

CVE-2026-39319 — Churchcrm Churchcrm: Prior to 7.1.0, a second order SQL injection vulnerability was found in the endpoint

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39319

ChurchCRM is an open-source church management system. Prior to 7.1.0, a second order SQL injection vulnerability was found in the endpoint /FundRaiserEditor.php in ChurchCRM. A user has to be authenticated but doesn't need any privileges. These users can inject arbitrary SQL statements through the iCurrentFundraiser PHP session parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0. CVSSv3.1 8.8 (HIGH)

CWE: CWE-89 · Vendor: Churchcrm · Type: Vulnerability
CVSS v3.1: 8.8
Edit Score: 94
2026-04-07
2026-04-07 18:16Z
HIGH

CVE-2026-39318 — ChurchCRM: Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints `/GroupPropsFormRowOps.php`, `/PersonCustomFieldsRowOps.php`

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39318

ChurchCRM is an open-source church management system. Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints `/GroupPropsFormRowOps.php`, `/PersonCustomFieldsRowOps.php`, and `/FamilyCustomFieldsRowOps.php`. A user has to be authenticated. For `ManageGroups` privileges have to be enabled and for the other two endpoints the attack has to be executed by an administrative user. These users can inject arbitrary SQL statements through the `Field` parameter an CVSSv3.1 8.8 (HIGH)

CWE: CWE-89 · Vendor: Churchcrm · Type: Vulnerability
CVSS v3.1: 8.8
Edit Score: 94
2026-04-07
2026-04-07 18:16Z
HIGH

CVE-2026-35576 — Churchcrm Churchcrm: Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35576

ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the Person Property Management subsystem. This issue persists in versions patched for CVE-2023-38766 and allows an authenticated user to inject arbitrary JavaScript code via dynamically assigned person properties. The malicious payload is persistently stored and executed when other users view the affected person profile or access t CVSSv3.1 8.7 (HIGH)

CWE: CWE-79 · Vendor: Churchcrm · Type: Vulnerability
CVSS v3.1: 8.7
Edit Score: 94
2026-04-07
2026-04-07 18:16Z
HIGH

CVE-2026-35575 — Churchcrm Churchcrm: Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel’s

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35575

ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel’s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically when an administrator views the page. This enables attackers to steal the administrator’s session cookies, potentially leading to full administrative account takeover. This vulnerability is fixed in 6.5. CVSSv3.1 8.0 (HIGH)

CWE: CWE-79, CWE-1004 · Vendor: Churchcrm · Type: Vulnerability
CVSS v3.1: 8.0
Edit Score: 90
2026-04-07
2026-04-07 18:16Z
CRIT

CVE-2026-35573 — Churchcrm Churchcrm: Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows authenticated

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35573

ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows authenticated administrators to upload arbitrary files and achieve remote code execution by overwriting Apache .htaccess configuration files. The vulnerability exists in src/ChurchCRM/Backup/RestoreJob.php. The $rawUploadedFile['name'] parameter is user-controlled and allows uploading files with arbitrary names to /var/www/htm CVSSv3.1 9.1 (CRITICAL)

CWE: CWE-434, CWE-22 · Vendor: Churchcrm · Type: Vulnerability
CVSS v3.1: 9.1
Edit Score: 96
2026-04-07
2026-04-07 18:16Z
CRIT

CVE-2026-31272 — Mrcms Mrcms: 3.1.2 contains an access control vulnerability.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-31272

MRCMS 3.1.2 contains an access control vulnerability. The save() method in src/main/java/org/marker/mushroom/controller/UserController.java lacks proper authorization validation, enabling direct addition of super administrator accounts without authentication. CVSSv3.1 9.8 (CRITICAL)

CWE: CWE-284 · Vendor: Mrcms · Type: Vulnerability
CVSS v3.1: 9.8
Edit Score: 99
2026-04-07
2026-04-07 18:16Z
CRIT

CVE-2026-31271 — megagao production_ssm v1.0 contains an authorization bypass vulnerability in the user addition functionality.

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-31271

megagao production_ssm v1.0 contains an authorization bypass vulnerability in the user addition functionality. The insert() method in UserController.java lacks authentication checks, allowing unauthenticated attackers to create super administrator accounts by directly accessing the /user/insert endpoint. This leads to complete system compromise. CVSSv3.1 9.8 (CRITICAL)

CWE: CWE-288 · Type: Vulnerability
CVSS v3.1: 9.8
Edit Score: 99
2026-04-07
2026-04-07 17:16Z
CRIT

CVE-2026-4631 — The injection occurs during the authentication flow before any credential verification takes place, meaning

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-4631

Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification t CVSSv3.1 9.8 (CRITICAL)

CWE: CWE-78 · Type: Vulnerability
CVSS v3.1: 9.8
Edit Score: 99
2026-04-07
2026-04-07 17:16Z
HIGH

CVE-2026-39307 — PraisonAI: Prior to 1.5.113, the PraisonAI templates installation feature is vulnerable to a "Zip Slip"

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39307

PraisonAI is a multi-agent teams system. Prior to 1.5.113, the PraisonAI templates installation feature is vulnerable to a "Zip Slip" Arbitrary File Write attack. When downloading and extracting template archives from external sources (e.g., GitHub), the application uses Python's zipfile.extractall() without verifying whether the files within the archive resolve outside of the intended extraction directory. This vulnerability is fixed in 1.5.113. CVSSv3.1 8.1 (HIGH)

CWE: CWE-22 · Vendor: Praisonai · Type: Vulnerability
CVSS v3.1: 8.1
Edit Score: 91