Latest intel: live feed
CVE-2025-71058 — Dual: DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses without validating
Dual DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses without validating that the response originates from a legitimate configured upstream DNS server. The implementation matches responses primarily by TXID and inserts results into the cache, enabling a remote attacker to inject forged responses and poison the DNS cache, potentially redirecting victims to attacker-controlled destinations. CVSSv3.1 9.1 (CRITICAL)
CVE-2026-39344 — Churchcrm Churchcrm: Prior to 7.1.0, there is a Reflected Cross-Site Scripting (XSS) vulnerability on the login
ChurchCRM is an open-source church management system. Prior to 7.1.0, there is a Reflected Cross-Site Scripting (XSS) vulnerability on the login page, which is caused by the lack of sanitization or encoding of the username parameter received from the URL. The username parameter value is directly displayed in the login page input element without filter, allowing attackers to insert malicious JavaScript scripts. If successful, script can be executed on the client side, potentia CVSSv3.1 8.1 (HIGH)
CVE-2026-39342 — Churchcrm Churchcrm: Prior to 7.1.0, the searchwhat parameter via QueryView.php with the QueryID=15 is vulnerable to
ChurchCRM is an open-source church management system. Prior to 7.1.0, the searchwhat parameter via QueryView.php with the QueryID=15 is vulnerable to a SQL injection. The authenticated user requires access to Data/Reports > Query Menu and access to the "Advanced Search" query. This vulnerability is fixed in 7.1.0. CVSSv3.1 8.8 (HIGH)
CVE-2026-39341 — ChurchCRM: Prior to 7.1.0, the application is vulnerable to time-based SQL injection due to an
ChurchCRM is an open-source church management system. Prior to 7.1.0, the application is vulnerable to time-based SQL injection due to an improper input validation. Endpoint Reports/ConfirmReportEmail.php?familyId= is not correctly sanitising user input, specifically, the sanitised input is not used to create the SQL query. This vulnerability is fixed in 7.1.0. CVSSv3.1 8.1 (HIGH)
CVE-2026-39340 — Churchcrm Churchcrm: Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration
ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property type categories (People → Person Properties / Family Properties). The vulnerability was introduced when legacyFilterInput(), which both strips HTML and escapes SQL, was replaced with sanitizeText(), which strips HTML only. User-supplied values from the Name and Description fields ar CVSSv3.1 8.1 (HIGH)
CVE-2026-39339 — Churchcrm Churchcrm: Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows
ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware (ChurchCRM/Slim/Middleware/AuthMiddleware.php) allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere in the request URL, leading to complete exposure of church member data and system information. This vulnerability is fixed in 7.1.0. CVSSv3.1 9.1 (CRITICAL)
CVE-2026-39337 — Churchcrm Churchcrm: Prior to 7.1.0, a critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows
ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The "$dbPassword" variable is not sanitized. This vulnerability exists due to an incomplete fix for CVE-2025-62521. This vulnerability is fixed in 7.1.0. CVSSv3.1 10.0 (CRITICAL)
CVE-2026-39334 — Churchcrm Churchcrm: Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsIndividual.php in
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsIndividual.php in ChurchCRM 7.0.5. Authenticated users without any specific privileges can inject arbitrary SQL statements through the type array parameter via the index and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0. CVSSv3.1 8.8 (HIGH)
CVE-2026-39333 — Churchcrm Churchcrm: This constitutes a reflected XSS vulnerability.
ChurchCRM is an open-source church management system. Prior to 7.1.0, the FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd) into HTML input field attributes without proper output encoding for the HTML attribute context. An authenticated attacker can craft a malicious URL that executes arbitrary JavaScript when visited by another authenticated user. This constitutes a reflected XSS vulnerability. This vulnerability is fixed in 7.1.0. CVSSv3.1 8.7 (HIGH)
CVE-2026-39332 — Churchcrm Churchcrm: Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated
ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocus with no user interaction required, an attacker can steal session cookies and fully take over any victim account, including administrator accounts, by tricking them into submitting CVSSv3.1 8.7 (HIGH)
CVE-2026-39331 — Churchcrm Churchcrm: Prior to 7.1.0, an authenticated API user can modify any family record's state without
ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply changing the {familyId} parameter in requests, regardless of whether they possess the required EditRecords privilege. /family/{familyId}/verify, /family/{familyId}/verify/url, /family/{familyId}/verify/now, /family/{familyId}/activate/{status}, and /family/{familyId}/geocode lack role-based access control, CVSSv3.1 8.1 (HIGH)
CVE-2026-39330 — Churchcrm Churchcrm: Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles (ManageGroups) and Edit Records (isEditRecordsEnabled) can inject arbitrary SQL statements through the Value parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0. CVSSv3.1 8.8 (HIGH)
CVE-2026-39329 — Churchcrm Churchcrm: Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames.php in ChurchCRM.
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames.php in ChurchCRM. Authenticated users with AddEvent privileges can inject SQL via the newEvtTypeCntLst parameter during event type creation. The vulnerable flow reaches an ON DUPLICATE KEY UPDATE clause where unescaped user input is interpolated directly. This vulnerability is fixed in 7.1.0. CVSSv3.1 8.8 (HIGH)
CVE-2026-39328 — Churchcrm Churchcrm: Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, and X profile fields. Due to a 50-character field limit, the payload is distributed across all three fields and chains their onfocus event handlers to execute in sequence. When any user CVSSv3.1 8.9 (HIGH)
CVE-2026-39327 — Churchcrm Churchcrm: Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /MemberRoleChange.php in
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /MemberRoleChange.php in ChurchCRM 7.0.5. Authenticated users with the role Manage Groups & Roles (ManageGroups) can inject arbitrary SQL statements through the NewRole parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0. CVSSv3.1 8.8 (HIGH)
CVE-2026-39326 — Churchcrm Churchcrm: Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role isMenuOptionsEnabled can inject arbitrary SQL statements through the Name and Description parameters and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0. CVSSv3.1 8.8 (HIGH)
CVE-2026-39319 — Churchcrm Churchcrm: Prior to 7.1.0, a second order SQL injection vulnerability was found in the endpoint
ChurchCRM is an open-source church management system. Prior to 7.1.0, a second order SQL injection vulnerability was found in the endpoint /FundRaiserEditor.php in ChurchCRM. A user has to be authenticated but doesn't need any privileges. These users can inject arbitrary SQL statements through the iCurrentFundraiser PHP session parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0. CVSSv3.1 8.8 (HIGH)
CVE-2026-39318 — ChurchCRM: Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints `/GroupPropsFormRowOps.php`, `/PersonCustomFieldsRowOps.php`
ChurchCRM is an open-source church management system. Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints `/GroupPropsFormRowOps.php`, `/PersonCustomFieldsRowOps.php`, and `/FamilyCustomFieldsRowOps.php`. A user has to be authenticated. For `ManageGroups` privileges have to be enabled and for the other two endpoints the attack has to be executed by an administrative user. These users can inject arbitrary SQL statements through the `Field` parameter an CVSSv3.1 8.8 (HIGH)
CVE-2026-35576 — Churchcrm Churchcrm: Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the
ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the Person Property Management subsystem. This issue persists in versions patched for CVE-2023-38766 and allows an authenticated user to inject arbitrary JavaScript code via dynamically assigned person properties. The malicious payload is persistently stored and executed when other users view the affected person profile or access t CVSSv3.1 8.7 (HIGH)
CVE-2026-35575 — Churchcrm Churchcrm: Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel’s
ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel’s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically when an administrator views the page. This enables attackers to steal the administrator’s session cookies, potentially leading to full administrative account takeover. This vulnerability is fixed in 6.5. CVSSv3.1 8.0 (HIGH)
CVE-2026-35573 — Churchcrm Churchcrm: Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows authenticated
ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows authenticated administrators to upload arbitrary files and achieve remote code execution by overwriting Apache .htaccess configuration files. The vulnerability exists in src/ChurchCRM/Backup/RestoreJob.php. The $rawUploadedFile['name'] parameter is user-controlled and allows uploading files with arbitrary names to /var/www/htm CVSSv3.1 9.1 (CRITICAL)
CVE-2026-31272 — Mrcms Mrcms: 3.1.2 contains an access control vulnerability.
MRCMS 3.1.2 contains an access control vulnerability. The save() method in src/main/java/org/marker/mushroom/controller/UserController.java lacks proper authorization validation, enabling direct addition of super administrator accounts without authentication. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-31271 — megagao production_ssm v1.0 contains an authorization bypass vulnerability in the user addition functionality.
megagao production_ssm v1.0 contains an authorization bypass vulnerability in the user addition functionality. The insert() method in UserController.java lacks authentication checks, allowing unauthenticated attackers to create super administrator accounts by directly accessing the /user/insert endpoint. This leads to complete system compromise. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-4631 — The injection occurs during the authentication flow before any credential verification takes place, meaning
Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification t CVSSv3.1 9.8 (CRITICAL)
CVE-2026-39307 — PraisonAI: Prior to 1.5.113, the PraisonAI templates installation feature is vulnerable to a "Zip Slip"
PraisonAI is a multi-agent teams system. Prior to 1.5.113, the PraisonAI templates installation feature is vulnerable to a "Zip Slip" arbitrary file write attack. When downloading and extracting template archives from external sources (e.g., GitHub), the application uses Python's zipfile.extractall() without verifying whether the files within the archive resolve outside of the intended extraction directory. This vulnerability is fixed in 1.5.113. CVSSv3.1 8.1 (HIGH)