High severity 8.8 · NVD Advisory · Published Apr 7, 2026 · Updated Apr 15, 2026
CVE-2026-39318
Description
ChurchCRM is an open-source church management system. Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints /GroupPropsFormRowOps.php, /PersonCustomFieldsRowOps.php, and /FamilyCustomFieldsRowOps.php. The user has to be authenticated. For /GroupPropsFormRowOps.php the ManageGroups privilege has to be enabled, and for the other two endpoints the attack has to be executed by an administrative user. Such users can inject arbitrary SQL statements through the Field parameter and thus modify tables in the database. This vulnerability is fixed in 7.1.0.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
- github.com/ChurchCRM/CRM/security/advisories/GHSA-j3vj-59vv-h4rc (NVD tags: Exploit, Vendor Advisory)
- github.com/ChurchCRM/CRM/security/advisories/GHSA-8r53-w4r6-w62c (NVD tags: Not Applicable)
News mentions: 0
No linked articles in our index yet.