CVE ID :CVE-2026-42289 Published : May 12, 2026, 10:23 p.m. | 57 minutes ago Description :ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token validation. An unauthenticated attacker can craft a malicious HTML page that, when visited by an authenticated administrator, silently elevates any low-privilege user to full administrator or creates a new admin backdoor account without the victim's knowledge This vulnerability is fixed in 7.3.2. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...