High severity · 8.8 · NVD Advisory · Published Apr 7, 2026 · Updated Apr 15, 2026

CVE-2026-39318

Description

ChurchCRM is an open-source church management system. Versions prior to 7.1.0 have an SQL injection vulnerability in the endpoints /GroupPropsFormRowOps.php, /PersonCustomFieldsRowOps.php, and /FamilyCustomFieldsRowOps.php. The attacker has to be authenticated. For /GroupPropsFormRowOps.php, the ManageGroups privilege has to be enabled; for the other two endpoints, the attack has to be executed by an administrative user. These users can inject arbitrary SQL statements through the Field parameter and thus modify tables in the database. This vulnerability is fixed in 7.1.0.

Affected products

  • cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:* (range: <=7.0.5)
  • (no CPE) (range: <7.1.0)
