Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-44547

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-12 May, 2026 | 22:30
Updated At-13 May, 2026 | 15:36
Rejected At-
Credits

ChurchCRM: Incomplete fix for CVE-2026-40582: public API login still bypasses 2FA and account lockout in ChurchCRM 7.2.2

ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release therefore remains exploitable by the PoC published with the original advisory. This vulnerability is fixed in 7.3.1.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:12 May, 2026 | 22:30
Updated At:13 May, 2026 | 15:36
Rejected At:
▼CVE Numbering Authority (CNA)
ChurchCRM: Incomplete fix for CVE-2026-40582: public API login still bypasses 2FA and account lockout in ChurchCRM 7.2.2

ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release therefore remains exploitable by the PoC published with the original advisory. This vulnerability is fixed in 7.3.1.

Affected Products
Vendor
ChurchCRM
Product
CRM
Versions
Affected
  • >= 7.2.0, < 7.3.1
Problem Types
TypeCWE IDDescription
CWECWE-287CWE-287: Improper Authentication
CWECWE-304CWE-304: Missing Critical Step in Authentication
Type: CWE
CWE ID: CWE-287
Description: CWE-287: Improper Authentication
Type: CWE
CWE ID: CWE-304
Description: CWE-304: Missing Critical Step in Authentication
Metrics
VersionBase scoreBase severityVector
3.19.6CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Version: 3.1
Base score: 9.6
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-cwp8-rm8g-q5c9
x_refsource_CONFIRM
https://github.com/ChurchCRM/CRM/pull/8855
x_refsource_MISC
Hyperlink: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-cwp8-rm8g-q5c9
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/ChurchCRM/CRM/pull/8855
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-cwp8-rm8g-q5c9
exploit
Hyperlink: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-cwp8-rm8g-q5c9
Resource:
exploit
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:12 May, 2026 | 23:16
Updated At:13 May, 2026 | 16:16

ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release therefore remains exploitable by the PoC published with the original advisory. This vulnerability is fixed in 7.3.1.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.19.6CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 9.6
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CPE Matches

Weaknesses
CWE IDTypeSource
CWE-287Secondarysecurity-advisories@github.com
CWE-304Secondarysecurity-advisories@github.com
CWE ID: CWE-287
Type: Secondary
Source: security-advisories@github.com
CWE ID: CWE-304
Type: Secondary
Source: security-advisories@github.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/ChurchCRM/CRM/pull/8855security-advisories@github.com
N/A
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-cwp8-rm8g-q5c9security-advisories@github.com
N/A
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-cwp8-rm8g-q5c9134c704f-9b21-4f2e-91b3-4a467353bcc0
N/A
Hyperlink: https://github.com/ChurchCRM/CRM/pull/8855
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-cwp8-rm8g-q5c9
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/ChurchCRM/CRM/security/advisories/GHSA-cwp8-rm8g-q5c9
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

5Records found

CVE-2025-68112
Matching Score-8
Assigner-GitHub, Inc.
ShareView Details
Matching Score-8
Assigner-GitHub, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.37% / 29.08%
||
7 Day CHG~0.00%
Published-17 Dec, 2025 | 21:38
Updated-18 Dec, 2025 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ChurchCRM has SQL injection in EditEventAttendees.php

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potential system takeover. The vulnerability enables attackers to extract sensitive member data, authentication credentials, and financial information from the church management system. Version 6.5.3 contains a patch for the issue.

Action-Not Available
Vendor-churchcrmChurchCRM
Product-churchcrmCRM
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-1024
Matching Score-6
Assigner-Gridware Cybersecurity
ShareView Details
Matching Score-6
Assigner-Gridware Cybersecurity
CVSS Score-8.4||HIGH
EPSS-0.27% / 18.45%
||
7 Day CHG~0.00%
Published-19 Feb, 2025 | 08:34
Updated-25 Feb, 2025 | 21:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Session Hijacking via Reflected Cross-Site Scripting (XSS) in ChurchCRM EditEventAttendees.php EID Parameter

A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting (XSS) in the EditEventAttendees.php page. This requires Administration privileges and affects the EID parameter. The flaw allows an attacker to steal session cookies, perform actions on behalf of an authenticated user, and gain unauthorized access to the application.

Action-Not Available
Vendor-churchcrmChurchCRM
Product-churchcrmChurchCRM
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-0981
Matching Score-6
Assigner-Gridware Cybersecurity
ShareView Details
Matching Score-6
Assigner-Gridware Cybersecurity
CVSS Score-8.4||HIGH
EPSS-0.20% / 10.36%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 09:33
Updated-21 Feb, 2025 | 15:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Session Hijacking via Stored Cross-Site Scripting (XSS) in ChurchCRM GroupEditor.php Description Field

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. This allows admin users to inject malicious JavaScript in the description field, which captures the session cookie of authenticated users. The cookie can then be sent to an external server, enabling session hijacking. It can also lead to information disclosure, as exposed session cookies can be used to impersonate users and gain unauthorised access to sensitive information.

Action-Not Available
Vendor-churchcrmChurchCRM
Product-churchcrmChurchCRM
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13292
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-9.6||CRITICAL
EPSS-1.00% / 58.41%
||
7 Day CHG~0.00%
Published-10 Aug, 2020 | 13:33
Updated-04 Aug, 2024 | 12:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In GitLab before 13.0.12, 13.1.6 and 13.2.3, it is possible to bypass E-mail verification which is required for OAuth Flow.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-287
Improper Authentication
CVE-2026-1568
Matching Score-4
Assigner-Rapid7, Inc.
ShareView Details
Matching Score-4
Assigner-Rapid7, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.14% / 3.85%
||
7 Day CHG~0.00%
Published-03 Feb, 2026 | 16:47
Updated-26 Feb, 2026 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rapid7 InsightVM Signature Validation Vulnerability

Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to InsightVM accounts setup via "Security Console" installations, resulting in full account takeover. The issue occurs due to the application processing these unsigned assertions and issuing session cookies that granted access to the targeted user accounts. This has been fixed in version 8.34.0 of InsightVM.

Action-Not Available
Vendor-Rapid7 LLC
Product-Vulnerability Management
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
Details not found