Description
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39326. Reason: This candidate is a duplicate of CVE-2026-39326. Notes: All CVE users should reference CVE-2026-39326 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE.
Published: 2026-04-07
Score: n/a
EPSS: n/a
KEV: No
Impact: Data Compromise via SQL Injection
Action: Immediate Patch
AI Analysis

Impact

This vulnerability allows authenticated users with Manage Properties permission to execute arbitrary SQL commands by injecting payloads into the Name and Description fields of PropertyTypeEditor.php. Because the input is sanitized only with strip_tags() before direct concatenation into queries, SQL injection occurs. Attackers can exfiltrate sensitive data, modify records, or delete data. The injected data can persist in the database and appear on multiple pages without output encoding, enabling cross‑page data exposure.

Affected Systems

ChurchCRM, version prior to 7.1.0. The affected product is the ChurchCRM CRM component as listed by the CNA. The fix was introduced in version 7.1.0.

Risk and Exploitability

The CVSS base score of 8.8 indicates high severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. Authentication and Manage Properties permission are required, implying the threat vector is local/internal to an authenticated user. No public exploit is documented, but the high severity, persistence of injected data, and potential for data exfiltration and modification make the risk significant for organizations running vulnerable versions.

Generated by OpenCVE AI on April 7, 2026 at 22:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to version 7.1.0 or later.

Generated by OpenCVE AI on April 7, 2026 at 22:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References

No reference.

History

Thu, 09 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description This CVE is a duplicate of another CVE. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39326. Reason: This candidate is a duplicate of CVE-2026-39326. Notes: All CVE users should reference CVE-2026-39326 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.another CVE.

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Churchcrm
Churchcrm churchcrm
Vendors & Products Churchcrm
Churchcrm churchcrm

Wed, 08 Apr 2026 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 08 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Title ChurchCRM has a SQL Injection in PropertyTypeEditor.php with Cross-Page Data Exposure
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical SQL injection vulnerability exists in ChurchCRM's PropertyTypeEditor.php where the Name and Description POST parameters are sanitized only with strip_tags() before direct concatenation into SQL queries. This allows authenticated users with "Manage Properties" permission to execute arbitrary SQL commands including data exfiltration, modification, and deletion. Injected data persists in the database and is reflected across multiple application pages without output encoding. This vulnerability is fixed in 7.1.0. This CVE is a duplicate of another CVE.

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical SQL injection vulnerability exists in ChurchCRM's PropertyTypeEditor.php where the Name and Description POST parameters are sanitized only with strip_tags() before direct concatenation into SQL queries. This allows authenticated users with "Manage Properties" permission to execute arbitrary SQL commands including data exfiltration, modification, and deletion. Injected data persists in the database and is reflected across multiple application pages without output encoding. This vulnerability is fixed in 7.1.0.
Title ChurchCRM has a SQL Injection in PropertyTypeEditor.php with Cross-Page Data Exposure
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Churchcrm Churchcrm
cve-icon MITRE

Status: REJECTED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T17:19:47.880Z

Reserved: 2026-04-06T19:31:07.266Z

Link: CVE-2026-39323

cve-icon Vulnrichment

Updated:

cve-icon NVD

Status : Rejected

Published: 2026-04-07T18:16:43.240

Modified: 2026-04-09T18:17:01.807

Link: CVE-2026-39323

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:23:57Z

Weaknesses

No weakness.