ChurchCRM is an open-source church management system
Description
ChurchCRM is an open-source church management system
AI Analyst Comment
Remediation
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
8 vulnerabilities from ChurchCRM
← Back to all CVEsChurchCRM is an open-source church management system
ChurchCRM is an open-source church management system
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
ChurchCRM is an open-source church management system
ChurchCRM is an open-source church management system
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
ChurchCRM is an open-source church management system
ChurchCRM is an open-source church management system
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
ChurchCRM is an open-source church management system
ChurchCRM is an open-source church management system
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
ChurchCRM is an open-source church management system
ChurchCRM is an open-source church management system
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
ChurchCRM is an open-source church management system
ChurchCRM is an open-source church management system
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
ChurchCRM is an open-source church management system
ChurchCRM is an open-source church management system
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
ChurchCRM is an open-source church management system
ChurchCRM is an open-source church management system
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Executive Summary:
A high-severity vulnerability has been identified in multiple ChurchCRM products, a widely used open-source church management system. This flaw, tracked as CVE-2026-24854, could allow a remote, unauthenticated attacker to compromise the application, potentially leading to a complete loss of data confidentiality, integrity, and availability. Immediate patching is required to prevent unauthorized access to sensitive member information and financial data.
Vulnerability Details
CVE-ID: CVE-2026-24854
Affected Software: ChurchCRM Multiple Products
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability is an unauthenticated SQL injection flaw within the application's public-facing API endpoints. An unauthenticated remote attacker can exploit this by sending a specially crafted HTTP request containing malicious SQL queries to a vulnerable endpoint. Successful exploitation allows the attacker to bypass authentication, execute arbitrary code on the database server, and potentially gain full administrative control over the underlying server operating system.
Business Impact
This vulnerability presents a significant risk to the organization, classified as High severity with a CVSS score of 8.8. Successful exploitation could lead to the complete compromise of the ChurchCRM system. The potential consequences include unauthorized access to and exfiltration of sensitive Personally Identifiable Information (PII) of church members, disclosure of confidential financial and donation records, and reputational damage. An attacker could also deface the application or use the compromised server as a pivot point for further attacks against the internal network.
Remediation Plan
Immediate Action: The primary remediation is to apply the security updates provided by the vendor immediately. System administrators should prioritize the deployment of these patches across all affected ChurchCRM instances. Following the update, it is crucial to review web server and application access logs for any signs of exploitation attempts that may have occurred prior to patching.
Proactive Monitoring: Implement enhanced monitoring on the systems running ChurchCRM. Security teams should look for suspicious activity in web server logs, such as unusual URL requests containing SQL keywords (e.g.,
UNION,SELECT,SLEEP). Monitor for unexpected outbound network connections from the server and any unauthorized changes to files within the web application's directory.Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce the risk of exploitation:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of the publication date of February 1, 2026, there is no known public proof-of-concept exploit code, and there are no reports of this vulnerability being actively exploited in the wild. However, given the high severity and relative ease of exploitation for this type of flaw, it is highly probable that threat actors will develop and begin using exploits in the near future.
Analyst Recommendation
Due to the high CVSS score of 8.8 and the critical nature of the data managed by ChurchCRM, this vulnerability requires immediate attention. Organizations must prioritize applying the vendor-supplied patches to all affected systems without delay. Although this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity makes it a prime candidate for future inclusion and a high-value target for attackers. If patching is delayed, the compensating controls listed above should be implemented as an urgent temporary measure.