Description
EcclesiaCRM is CRM Software for church management. Prior to 8.0.0, there is a SQL injection vulnerability in v2/templates/query/queryview.php via the custom and value parameters. This vulnerability is fixed in 8.0.0.
Published: 2026-04-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection enabling unauthorized database manipulation
Action: Immediate Patch
AI Analysis

Impact

EcclesiaCRM versions prior to 8.0.0 contain a SQL injection flaw in v2/templates/query/queryview.php. The flaw originates from unsanitized "custom" and "value" parameters, allowing an attacker to inject arbitrary SQL. This can lead to data disclosure, modification, or potential privilege escalation within the application.

Affected Systems

The vulnerability affects EcclesiaCRM installations running any version before 8.0.0. No additional version specifics are listed, so any release older than 8.0.0 is considered at risk.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, while EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by accessing the vulnerable endpoint through web requests with crafted parameters, potentially achieving full database compromise. The path requires only the ability to send HTTP requests to the application, making it readily exploitable in accessible environments.

Generated by OpenCVE AI on April 7, 2026 at 01:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply version 8.0.0 or later of EcclesiaCRM to remove the flaw.
  • If an immediate update is not possible, restrict or block external access to the /v2/templates/query/queryview.php endpoint and enforce strict input validation on "custom" and "value" parameters.

Generated by OpenCVE AI on April 7, 2026 at 01:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Phili67
Phili67 ecclesiacrm
Vendors & Products Phili67
Phili67 ecclesiacrm

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description EcclesiaCRM is CRM Software for church management. Prior to 8.0.0, there is a SQL injection vulnerability in v2/templates/query/queryview.php via the custom and value parameters. This vulnerability is fixed in 8.0.0.
Title EcclesiaCRM has a Critical SQL Injection
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Phili67 Ecclesiacrm
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T19:25:50.870Z

Reserved: 2026-04-01T17:26:21.134Z

Link: CVE-2026-35184

cve-icon Vulnrichment

Updated: 2026-04-07T19:25:45.711Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-06T20:16:26.880

Modified: 2026-04-07T20:16:27.643

Link: CVE-2026-35184

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T09:37:29Z

Weaknesses