CVE-2026-39318
8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
ChurchCRM is an open-source church management system. Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints /GroupPropsFormRowOps.php, /PersonCustomFieldsRowOps.php, and /FamilyCustomFieldsRowOps.php. A user has to be authenticated. For ManageGroups privileges have to be enabled and for the other two endpoints the attack has to be executed by an administrative user. These users can inject arbitrary SQL statements through the Field parameter and thus modify tables from the database. This vulnerability is fixed in 7.1.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ChurchCRM | CRM | < 7.1.0 | affected |
Weaknesses
- CWE-89: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
Additional References
References
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8r53-w4r6-w62c
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-j3vj-59vv-h4rc
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.