Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles (ManageGroups) and Edit Records (isEditRecordsEnabled) can inject arbitrary SQL statements through the Value parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.
Published: 2026-04-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Database Compromise
Action: Patch
AI Analysis

Impact

A blind SQL injection flaw exists in the PropertyAssign.php endpoint of ChurchCRM, allowing certain authenticated users to inject arbitrary SQL through the Value parameter. The vulnerability can be used to read sensitive data or modify the database, potentially leaking confidential church records or altering membership information. It is a classic input validation weakness listed as CWE-89, which can lead to significant confidentiality and integrity violations.

Affected Systems

ChurchCRM versions 7.0.x and earlier are affected. The vulnerability is present in the ChurchCRM open-source church management system before the 7.1.0 release. Only users with the Manage Groups & Roles role and the permission to edit records can exploit the flaw.

Risk and Exploitability

The CVSS v3 score of 8.8 indicates high severity. The EPSS score is below 1%, suggesting that current exploitation attempts are rare, and the vulnerability is not in CISA’s KEV catalog. The likely attack path requires an authenticated session with the appropriate role; an attacker must first log in to the web interface and then send a crafted request to PropertyAssign.php. With this access, the SQL injection can be leveraged to read or alter database contents.

Generated by OpenCVE AI on April 10, 2026 at 22:42 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to version 7.1.0 or later


Advisories

No advisories yet.

History

Fri, 10 Apr 2026 21:00:00 +0000

Type    Values Removed    Values Added
CPEs    -                 cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 08:30:00 +0000

Type                   Values Removed    Values Added
First Time appeared    -                 Churchcrm
                                         Churchcrm churchcrm
Vendors & Products     -                 Churchcrm
                                         Churchcrm churchcrm

Tue, 07 Apr 2026 20:45:00 +0000

Type       Values Removed    Values Added
Metrics    -                 ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 18:00:00 +0000

Type           Values Removed    Values Added
Description    -                 ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles (ManageGroups) and Edit Records (isEditRecordsEnabled) can inject arbitrary SQL statements through the Value parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.
Title          -                 ChurchCRM has a Blind SQL injection in PropertyAssign.php
Weaknesses     -                 CWE-89
References     -
Metrics        -                 cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T18:09:08.271Z

Reserved: 2026-04-06T20:28:38.392Z

Link: CVE-2026-39330

Vulnrichment

Updated: 2026-04-07T18:08:50.169Z

NVD

Status : Analyzed

Published: 2026-04-07T18:16:44.327

Modified: 2026-04-10T20:55:50.500

Link: CVE-2026-39330

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:26:36Z

Weaknesses