High severity8.8NVD Advisory· Published Apr 7, 2026· Updated Apr 10, 2026

CVE-2026-39330

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles (ManageGroups) and Edit Records (isEditRecordsEnabled) can inject arbitrary SQL statements through the Value parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.

Affected products

Churchcrm/Churchcrm
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*
Range: <7.1.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/ChurchCRM/CRM/security/advisories/GHSA-xq86-jh52-728gnvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000