[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-40582":6},{"stargazers_count":4,"fetched_at":5},5,"2026-04-18T02:14:07.519Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":33,"aliases":34,"duplicate_of":9,"upstream":35,"downstream":36,"duplicates":37,"related":38,"reserved_at":9,"published_at":39,"modified_at":39,"state":40,"summary":41,"references_raw":48,"kevs":64,"epss":9,"epss_history":65,"metrics":66,"affected":73},"CVE-2026-40582","ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication checks. An attacker with knowledge of a user's password can obtain API access even when the account is locked or has 2FA enabled, granting direct access to all protected API endpoints with that user's privileges. This issue has been fixed in version 7.2.0. Note: this issue had a duplicate, GHSA-472m-p3gf-46xp, which has been closed.",null,[11,27],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":9,"capec":18},"CWE-288","Authentication Bypass Using an Alternate Path or Channel","The product requires authentication, but the product has an alternate path or channel that does not require authentication.","weakness","Incomplete","Base",[19,23],{"id":20,"name":21,"techniques":22},"CAPEC-127","Directory Indexing",[],{"id":24,"name":25,"techniques":26},"CAPEC-665","Exploitation of Thunderbolt Protection Flaws",[],{"_key":28,"id":28,"name":29,"description":30,"type":15,"status":31,"abstraction":17,"likelihood_of_exploit":9,"capec":32},"CWE-305","Authentication Bypass by Primary Weakness","The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.","Draft",[],[],[],[],[],[],[],"2026-04-17T23:16:13.862Z","Received",{"cisa_kev":42,"cisa_ransomware":42,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":43,"severity_score":44,"severity_version":45,"severity_source":46,"severity_vector":47,"severity_status":40},false,"critical",9.1,"v4.0","cve.org","CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",[49,55,60],{"url":50,"sources":51,"tags":53},"https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8cwr-x83m-mh9x",[46,52],"nvd",[54],"X Refsource CONFIRM",{"url":56,"sources":57,"tags":58},"https://github.com/ChurchCRM/CRM/pull/8607",[46,52],[59],"X Refsource MISC",{"url":61,"sources":62,"tags":63},"https://github.com/ChurchCRM/CRM/commit/214694eb83778e1f5e52b3dfa2a99d0e965c1850",[46,52],[59],[],[],[67,70],{"source":46,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":68},{"baseScore":44,"baseSeverity":69,"vectorString":47,"impactScore":9,"exploitabilityScore":9},"CRITICAL",{"source":52,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":9,"cvss_v4_0":71},{"baseScore":44,"baseSeverity":69,"vectorString":72,"impactScore":9,"exploitabilityScore":9},"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",[74],{"ecosystem":9,"name":75,"vendor":76,"product":77,"cpe_part":78,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":79},"CRM","churchcrm","crm","a",[80],{"version":81,"is_range":82,"range_type":46,"version_start":9,"version_start_type":9,"version_end":83,"version_end_type":84,"fixed_in":9},"\u003C 7.2.0",true,"7.2.0","excluding"]