Description
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39334. Reason: This candidate is a duplicate of CVE-2026-39334. Notes: All CVE users should reference CVE-2026-39334 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Published: 2026-04-07
Score: n/a
EPSS: n/a
KEV: No
Impact: Data exfiltration via SQL injection by authenticated users
Action: Patch immediately
AI Analysis

Impact

Unsanitized array keys in ChurchCRM's SettingsIndividual.php allow an authenticated attacker to inject arbitrary SQL. Keys taken from the user-controlled POST parameter are incorporated directly into SQL queries, enabling extraction of sensitive database contents. The flaw is rated CVSS 8.8, indicating high risk to confidentiality and integrity.

Affected Systems

All installations of ChurchCRM older than version 7.1.0 are affected. The issue exists in the SettingsIndividual.php module of the ChurchCRM:CRM product. Administrators running version 7.0.x or earlier should be aware that any user with valid credentials can use the flaw to pull confidential data from the database.

Risk and Exploitability

Because authentication is required, attackers need either compromised credentials or privileged user accounts. The high CVSS score signals a serious threat, but the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation yet. Nevertheless, the attack path is straightforward once access is obtained, making rapid patching a priority.

Generated by OpenCVE AI on April 7, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to ChurchCRM 7.1.0 or later to apply the sanitization fix
  • Re-authenticate all users to invalidate potentially hijacked sessions
  • Restrict database permissions to limit query capabilities for application users
  • Monitor logs for anomalous queries indicating exploitation attempts


Advisories

No advisories yet.

References

No reference.

History

Thu, 09 Apr 2026 17:30:00 +0000

Type: Description
Values Removed: This CVE is a duplicate of another CVE.
Values Added: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39334. Reason: This candidate is a duplicate of CVE-2026-39334. Notes: All CVE users should reference CVE-2026-39334 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared
Values Added: Churchcrm; Churchcrm churchcrm
Type: Vendors & Products
Values Added: Churchcrm; Churchcrm churchcrm

Wed, 08 Apr 2026 22:30:00 +0000

Type: Weaknesses
Values Added: CWE-89
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 08 Apr 2026 22:15:00 +0000

Type: Title
Values Added: ChurchCRM has a SQL Injection via Unsanitized Array Keys in SettingsIndividual.php
Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 21:30:00 +0000

Type: Description
Values Added: ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in ChurchCRM's SettingsIndividual.php where user-controlled array keys from the type POST parameter are used directly in SQL queries without sanitization. This allows any authenticated user to extract sensitive data from the database. This vulnerability is fixed in 7.1.0. This CVE is a duplicate of another CVE.

Tue, 07 Apr 2026 20:45:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 18:00:00 +0000

Type: Description
Values Added: ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in ChurchCRM's SettingsIndividual.php where user-controlled array keys from the type POST parameter are used directly in SQL queries without sanitization. This allows any authenticated user to extract sensitive data from the database. This vulnerability is fixed in 7.1.0.
Type: Title
Values Added: ChurchCRM has a SQL Injection via Unsanitized Array Keys in SettingsIndividual.php
Type: Weaknesses
Values Added: CWE-89
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Churchcrm Churchcrm
MITRE

Status: REJECTED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T17:18:27.227Z

Reserved: 2026-04-06T19:31:07.266Z

Link: CVE-2026-39317

Vulnrichment

Updated:

NVD

Status: Rejected

Published: 2026-04-07T18:16:42.667

Modified: 2026-04-09T18:17:01.600

Link: CVE-2026-39317

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:24:00Z

Weaknesses

No weakness.