Unrated severityNVD Advisory· Published Jul 26, 2024· Updated Aug 2, 2024

ChurchCRM SQL Injection Vulnerability

CVE-2024-39304

Description

ChurchCRM is an open-source church management system. Versions of the application prior to 5.9.2 are vulnerable to an authenticated SQL injection due to an improper sanitization of user input. Authentication is required, but no elevated privileges are necessary. This allows attackers to inject SQL statements directly into the database query due to inadequate sanitization of the EID parameter in in a GET request to /GetText.php. Version 5.9.2 patches the issue.

Affected products

Churchcrm/Crmv5
Range: < 5.9.2

Patches

014f0b29d110

https://github.com/churchcrm/crmvia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/ChurchCRM/CRM/commit/e3bd7bfbf33f01148df0ef1acdb0cf2c2b878b08mitrex_refsource_MISC
github.com/ChurchCRM/CRM/security/advisories/GHSA-2rh6-gr3h-83j9mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.003
exploit	0.030
kev	0.000
patch	-0.070
ransomware	0.000