Description
ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in the EditEventTypes.php file, which is only accessible to administrators. The EN_tyid POST parameter is not sanitized before being used in a SQL query, allowing an administrator to execute arbitrary SQL commands directly against the database. This vulnerability is fixed in 7.1.0.
Published: 2026-04-07
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary SQL execution
Action: Immediate Patch
AI Analysis

Impact

The EN_tyid POST parameter handled by ChurchCRM's EditEventTypes.php is concatenated into a SQL query without validation or parameterization, a classic SQL injection (CWE-89). Because the value becomes part of the statement text rather than a bound parameter, the database engine cannot distinguish attacker input from the intended query, so an authenticated administrator can inject arbitrary SQL and read, modify or delete data across the underlying database, exposing sensitive member records or corrupting them.
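As an added illustration of the pattern the description names (an attacker-controlled EN_tyid spliced into SQL text) next to the parameterized form that fixes it, the following stand-alone PHP script is not ChurchCRM's code. The event_types table, its columns and the use of a DELETE statement are assumptions chosen for the demo; the real query in EditEventTypes.php is not shown on this page. It uses an in-memory SQLite database through PDO so it runs offline.

```php
<?php
// Added illustration (not ChurchCRM code) of CWE-89 through string
// concatenation, beside the parameterized form that fixes it.
// Assumptions for the demo: an event_types(type_id, type_name) table and a
// DELETE statement; the real query in EditEventTypes.php is not shown here.
declare(strict_types=1);

// In-memory SQLite through PDO so the script runs stand-alone. ChurchCRM
// targets MySQL, but the injection mechanics are identical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE event_types (type_id INTEGER PRIMARY KEY, type_name TEXT NOT NULL)');
$db->exec("INSERT INTO event_types (type_id, type_name) VALUES
           (1, 'Sunday Service'), (2, 'Bible Study'), (3, 'Youth Group')");

function countEventTypes(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM event_types')->fetchColumn();
}

// Vulnerable pattern: the raw POST value becomes part of the SQL text.
function deleteEventTypeVulnerable(PDO $db, string $tyid): int
{
    $sql = 'DELETE FROM event_types WHERE type_id = ' . $tyid;
    return $db->exec($sql);   // rows affected
}

// Hardened pattern: reject anything that is not an integer id, then bind the
// value as a typed parameter so the engine never parses it as SQL.
function deleteEventTypeSafe(PDO $db, string $tyid): int
{
    if (!ctype_digit($tyid)) {
        throw new InvalidArgumentException('EN_tyid must be a non-negative integer');
    }
    $stmt = $db->prepare('DELETE FROM event_types WHERE type_id = :id');
    $stmt->bindValue(':id', (int) $tyid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed attacker-controlled value standing in for $_POST['EN_tyid'].
// Concatenated, the statement becomes
//   DELETE FROM event_types WHERE type_id = 1 OR 1=1
// whose WHERE clause is true for every row.
$payload = '1 OR 1=1';

printf("rows at start: %d\n", countEventTypes($db));

try {
    deleteEventTypeSafe($db, $payload);
} catch (InvalidArgumentException $e) {
    printf("hardened handler refused the payload: %s\n", $e->getMessage());
}
printf("rows after hardened handler: %d\n", countEventTypes($db));

$deleted = deleteEventTypeVulnerable($db, $payload);
printf("vulnerable handler deleted %d rows; rows left: %d\n", $deleted, countEventTypes($db));
```

Run it with the php CLI on a build that has the pdo_sqlite extension. The same prepare/bindValue calls work unchanged against MySQL through PDO; the type check before binding is belt-and-braces, since binding alone already stops the injection, but it also turns malformed ids into a clear application error instead of a database error.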

Affected Systems

All installations of ChurchCRM before version 7.1.0 are affected, but the flaw can only be exploited through the administrative event type editing interface, meaning only users with administrator privileges on the system can trigger the injection.

Risk and Exploitability

The CVSS 3.1 base score of 7.2 (High) comes from the vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H: the injection is reachable over the network with low attack complexity and no user interaction, but it requires high privileges (an administrator session), and the confidentiality, integrity and availability impacts are all High, so a successful injection amounts to full compromise of the application's database. The EPSS score below 1% is a prediction of exploitation in the wild, not evidence that exploitation is hard, and the CVE is not in the CISA KEV catalog; the SSVC assessment records a public proof of concept (Exploitation: poc) and rates it not automatable. The practical attacker is therefore a malicious or compromised administrator, or an attacker who has obtained an administrator session by other means such as credential theft or session hijacking.

Generated by OpenCVE AI on April 10, 2026 at 21:51 UTC.

Remediation

Vendor fix: ChurchCRM 7.1.0, which the advisory states resolves the issue. No workaround short of upgrading is documented; until the upgrade is applied, keep the administrator role limited to the accounts that need it, since the injection is reachable only through that role.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to version 7.1.0 or newer.
  • Protect administrative accounts with multi-factor authentication and review who holds the administrator role, since that role is the only path to the injection.
  • Run the application with a database account limited to the privileges it actually needs (its own schema, no DROP, FILE or GRANT rights), so that an injection cannot escalate beyond the application's own data.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 20:00:00 +0000

  Type                 Values Removed   Values Added
  CPEs                                  cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 08:30:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared                   Churchcrm; Churchcrm churchcrm
  Vendors & Products                    Churchcrm; Churchcrm churchcrm

Tue, 07 Apr 2026 20:45:00 +0000

  Type                 Values Removed   Values Added
  Description                           ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in the EditEventTypes.php file, which is only accessible to administrators. The EN_tyid POST parameter is not sanitized before being used in a SQL query, allowing an administrator to execute arbitrary SQL commands directly against the database. This vulnerability is fixed in 7.1.0.
  Title                                 ChurchCRM has a SQL Injection in Event Type Editor (Admin)
  Weaknesses                            CWE-89
  References
  Metrics                               cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}
                                        ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Subscriptions

Churchcrm Churchcrm
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T19:59:04.899Z

Reserved: 2026-04-06T20:28:38.394Z

Link: CVE-2026-39343

Vulnrichment

Updated: 2026-04-07T19:11:35.796Z

NVD

Status : Analyzed

Published: 2026-04-07T18:16:46.437

Modified: 2026-04-10T19:51:15.203

Link: CVE-2026-39343

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:26:27Z

Weaknesses