Description
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39330. Reason: This candidate is a duplicate of CVE-2026-39330. Notes: All CVE users should reference CVE-2026-39330 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE.
Published: 2026-04-06
Score: n/a
EPSS: n/a
KEV: No
Impact: Remote Data Theft and Modification
Action: Immediate Patch
AI Analysis

Impact

A time-based blind SQL injection exists in the PropertyAssign.php endpoint of ChurchCRM. The flaw allows an attacker possessing authenticated access with Edit Records or Manage Groups permissions to execute arbitrary SQL statements. As a result, credentials, personal identifiable information, and configuration secrets can be read or altered, leading to potential data breach and system compromise.

Affected Systems

ChurchCRM versions prior to 7.1.0 are affected. Users running the open-source church management system who have the Edit Records or Manage Groups role can exploit the vulnerability. The vulnerability exists in the PropertyAssign.php module, which handles property assignments within the application.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, and while EPSS data is unavailable, the absence in KEV suggests it has not been widely exploited yet. The flaw requires authenticated privileged users; therefore, internal threat actors or compromised accounts pose the primary risk. Exploitation requires a timing attack and careful observation of response delays, which can be difficult for automated attacks but not impossible for an attacker experienced with blind SQL injection.

Generated by OpenCVE AI on April 6, 2026 at 19:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to version 7.1.0 or later where the issue is fixed
  • If an immediate upgrade is not possible, remove Edit Records and Manage Groups permissions from users until the patch is applied
  • Disable or restrict access to the PropertyAssign.php endpoint if feasible

Generated by OpenCVE AI on April 6, 2026 at 19:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References

No reference.

History

Thu, 09 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Description This CVE is a duplicate of another CVE. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39330. Reason: This candidate is a duplicate of CVE-2026-39330. Notes: All CVE users should reference CVE-2026-39330 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE.

Wed, 08 Apr 2026 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Wed, 08 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Title Time Based Blind SQL Injection via Property Value in ChurchCRM
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Prior to 7.1.0, authenticated users with Edit Records or Manage Groups permissions can exploit a time-based blind SQL injection vulnerability in the PropertyAssign.php endpoint to exfiltrate or modify any database content, including user credentials, personal identifiable information (PII), and configuration secrets. This vulnerability is fixed in 7.1.0. This CVE is a duplicate of another CVE.

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Churchcrm
Churchcrm churchcrm
Vendors & Products Churchcrm
Churchcrm churchcrm

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Prior to 7.1.0, authenticated users with Edit Records or Manage Groups permissions can exploit a time-based blind SQL injection vulnerability in the PropertyAssign.php endpoint to exfiltrate or modify any database content, including user credentials, personal identifiable information (PII), and configuration secrets. This vulnerability is fixed in 7.1.0.
Title Time Based Blind SQL Injection via Property Value in ChurchCRM
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Churchcrm Churchcrm
cve-icon MITRE

Status: REJECTED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T16:52:13.843Z

Reserved: 2026-03-27T13:45:29.620Z

Link: CVE-2026-34402

cve-icon Vulnrichment

Updated:

cve-icon NVD

Status : Rejected

Published: 2026-04-06T16:16:35.560

Modified: 2026-04-09T18:16:59.240

Link: CVE-2026-34402

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:32:17Z

Weaknesses

No weakness.