CVE-2026-39334 - Vulnerability Details

- ChurchCRM has a Blind SQL injection in SettingsIndividual.php

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsIndividual.php in ChurchCRM 7.0.5. Authenticated users without any specific privileges can inject arbitrary SQL statements through the type array parameter via the index and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.

Published: 2026-04-07

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A blind SQL injection is present in the /SettingsIndividual.php endpoint of ChurchCRM. Exploitation is achieved by injecting arbitrary SQL statements through the type array parameter via its index. Authenticated users who do not possess any special privileges can use this flaw to read sensitive data from the database or modify existing records, resulting in both confidentiality and integrity loss. The injection is blind, meaning it does not return data directly in the response, but still allows a determined attacker to extract information through other side‑channel techniques.

Affected Systems

ChurchCRM (open‑source church management system) version 7.0.5 is affected. The vulnerability was discovered in the CRM application and has been addressed in version 7.1.0. Users running older releases are therefore at risk.

Risk and Exploitability

The CVSS score is 8.8, classifying the flaw as high severity. EPSS indicates a low probability of exploitation (less than 1 %). The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Since the flaw requires authentication and does not grant any special privileges, the attacker must first obtain legitimate user credentials or compromise an existing account. Once authenticated, the user can target the vulnerable endpoint to conduct arbitrary SQL operations.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ChurchCRM

CRM

affected

Version	Status	Constraints
`< 7.1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Churchcrm

81%

Version	Status	Scheme	Platform
`[0,7.1.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade ChurchCRM to version 7.1.0 or later to eliminate the vulnerability.
If an immediate upgrade is not possible, limit access to the /SettingsIndividual.php endpoint so that only users with the necessary privileges can reach it, or disable the endpoint entirely until a patch is applied.
Apply least‑privilege principles to web account management and monitor for unusual database activity that may indicate exploitation of the injection point.

Generated by OpenCVE AI on April 10, 2026 at 23:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00039.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8g53-72jr-39w6

History

Fri, 10 Apr 2026 21:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:churchcrm:churchcrm::::::::

Thu, 09 Apr 2026 08:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Churchcrm Churchcrm churchcrm
Vendors & Products		Churchcrm Churchcrm churchcrm

Tue, 07 Apr 2026 20:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 07 Apr 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /SettingsIndividual.php in ChurchCRM 7.0.5. Authenticated users without any specific privileges can inject arbitrary SQL statements through the type array parameter via the index and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.
Title		ChurchCRM has a Blind SQL injection in SettingsIndividual.php
Weaknesses		CWE-89
References		https://github.com/ChurchCRM/CRM/security/advisories/GHSA-8g53-72jr-39w6
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Churchcrm Churchcrm

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-07T17:38:45.436Z

Updated: 2026-04-07T18:08:28.055Z

Reserved: 2026-04-06T20:28:38.393Z

Link: CVE-2026-39334

Vulnrichment

Updated: 2026-04-07T18:08:19.167Z

NVD

Status : Analyzed

Published: 2026-04-07T18:16:45.140

Modified: 2026-04-10T20:57:47.553

Link: CVE-2026-39334

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:26:32Z

Weaknesses

CWE-89

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object