CRITICAL SeverityCVSS 3.19.6CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CVE-2026-44547

Last updated May 12, 2026 · Published May 12, 2026

Description

ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release therefore remains exploitable by the PoC published with the original advisory. This vulnerability is fixed in 7.3.1.

Affected products

1 listed

ChurchCRM:CRM

Mappings

CWE

CWE-287CWE-304

CAPEC

None listed.

Research

AuthenticationA threat-focused guide to authentication, covering attack paths, design pitfalls, and concrete defenses from…

Guides

JWT Security Best PracticesWhat to validate, rotate, and avoid in real systems.
OAuth 2.0 Security Best PracticesCommon pitfalls in PKCE, tokens, and redirect handling.

Training

Authentication PatternsOAuth 2.1, passkeys, WebAuthn, and JWTs - modern identity for modern apps.

CVE-2026-44547

Description

Affected products

Mappings

Related