Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, the searchwhat parameter via QueryView.php with the QueryID=15 is vulnerable to a SQL injection. The authenticated user requires access to Data/Reports > Query Menu and access to the "Advanced Search" query. This vulnerability is fixed in 7.1.0.
Published: 2026-04-07
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Potential data theft via SQL injection
Action: Patch immediately
AI Analysis

Impact

ChurchCRM, an open-source church management system, contains a flaw in QueryView.php that allows an authenticated user to inject SQL through the searchwhat parameter when using QueryID=15. An attacker who can access Data/Reports > Query Menu and the Advanced Search query can manipulate statements, which may expose sensitive data, alter or delete database records, or otherwise compromise the integrity of the system. The weakness is a classic SQL Injection (CWE-89).

Affected Systems

The vulnerability affects all ChurchCRM deployments prior to version 7.1.0. Users who have legitimate access to the relevant reports and advanced search functionality are at risk, regardless of the total user base. There is no narrower version scope reported.

Risk and Exploitability

The CVSS score of 9.4 indicates a critical impact, yet the EPSS score of less than 1% suggests that exploitation is currently unlikely in the wild. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog, further indicating that public exploitation has not been observed. The attack requires authentication and specific report permissions, so a successful exploit would be limited to users with those privileges. Nonetheless, the potential for confidential data exposure or database tampering warrants immediate action.

Generated by OpenCVE AI on April 10, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to version 7.1.0 or newer
  • If an upgrade is not possible, remove or restrict access to the Data/Reports > Query Menu and the Advanced Search query to prevent the vulnerable path from being accessed
  • Deploy a web application firewall rule that blocks injection patterns in the searchwhat parameter
  • Monitor application logs for attempts to supply unsanitized input in the query parameter
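As an added example (not part of the OpenCVE record or of ChurchCRM's own code), the log-monitoring action above can be implemented as a small scanner over web-server access logs that flags requests to QueryView.php with QueryID=15 whose searchwhat value carries SQL metacharacters. The log lines are constructed, and the suspicious-token list is an assumption to tune for your deployment.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2026:21:00:01 +0000] "GET /QueryView.php?QueryID=15&searchwhat=smith HTTP/1.1" 200 4123
10.0.0.7 - - [10/Apr/2026:21:00:09 +0000] "GET /QueryView.php?QueryID=15&searchwhat=smith%27%20--%20 HTTP/1.1" 200 9120
10.0.0.7 - - [10/Apr/2026:21:00:12 +0000] "GET /QueryView.php?QueryID=3&searchwhat=%27 HTTP/1.1" 200 300
10.0.0.9 - - [10/Apr/2026:21:00:15 +0000] "POST /QueryView.php?QueryID=15 HTTP/1.1" 200 300
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Tokens that have no place in a name search but shape SQL (assumed list; tune for
# your data, since a legitimate surname containing an apostrophe will also match).
SUSPICIOUS = re.compile(r"['\"`;]|--|/\*|\b(?:union|select|sleep|benchmark)\b", re.IGNORECASE)


def parse_line(line):
    """Return a dict with ip, path and decoded query parameters, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    return {
        "ip": m.group("ip"),
        "path": url.path,
        "query": parse_qs(url.query, keep_blank_values=True),
    }


def is_suspicious(entry):
    """True when the request hits the vulnerable path with a suspicious searchwhat value."""
    if not entry["path"].endswith("/QueryView.php") or entry["query"].get("QueryID") != ["15"]:
        return False
    # parse_qs decoded once already; decode again so double-encoded input is also seen.
    return any(SUSPICIOUS.search(unquote_plus(v)) for v in entry["query"].get("searchwhat", []))


def scan(log_text):
    """Return (ip, decoded searchwhat value) for every suspicious request in the log text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append((entry["ip"], entry["query"]["searchwhat"][0]))
    return hits


if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"suspicious searchwhat from {ip}: {value!r}")
```

Run it against the real access log (for example, by reading the file into `scan`) and route hits to your alerting; a single flagged request is worth a look because the vulnerable path is only reachable by authenticated users with report permissions.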

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared: Churchcrm, Churchcrm churchcrm
Vendors & Products: Churchcrm, Churchcrm churchcrm

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description ChurchCRM is an open-source church management system. Prior to 7.1.0, the searchwhat parameter via QueryView.php with the QueryID=15 is vulnerable to a SQL injection. The authenticated user requires access to Data/Reports > Query Menu and access to the "Advanced Search" query. This vulnerability is fixed in 7.1.0.
Title ChurchCRM has a SQL injection searchwhat parameter via QueryView.php
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


Subscriptions

Churchcrm Churchcrm
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T16:03:35.431Z

Reserved: 2026-04-06T20:28:38.394Z

Link: CVE-2026-39342

Vulnrichment

Updated: 2026-04-09T16:02:24.543Z

NVD

Status : Analyzed

Published: 2026-04-07T18:16:46.297

Modified: 2026-04-10T19:52:09.813

Link: CVE-2026-39342

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:26:28Z

Weaknesses