Description
ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw SQL. This issue has been fixed in version 7.2.0.
Published: 2026-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in the /api/families/byCheckNumber/{scanString} endpoint of ChurchCRM, where user-supplied input is concatenated into a raw SQL query without proper sanitization. This allows an authenticated attacker to alter the SQL statement and potentially extract, modify, or delete data from the database. The flaw is a classic SQL injection (CWE-89) that compromises the confidentiality, integrity, and availability of financial records.

Affected Systems

ChurchCRM versions prior to 7.2.0 are affected. The issue was identified in the FinancialService::getMemberByScanString() method and is fixed in release 7.2.0.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity; exploitation requires an authenticated user. Since no EPSS data is available and the vulnerability is not listed in the CISA KEV catalog, the likelihood of immediate exploitation appears moderate, though any authenticated user with access to the endpoint can potentially leverage the flaw. Exploitation involves sending requests to the vulnerable API endpoint after authenticating, so mitigation should be treated as a priority.

Generated by OpenCVE AI on April 18, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ChurchCRM to version 7.2.0 or later, which contains the fixed query handling logic.
  • Confirm that all API requests to /api/families/byCheckNumber/{scanString} require proper authentication before processing the parameter.
  • Apply input validation or parameterized queries for any custom extensions or modules that interact with the database to prevent future injection points.
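To make the concatenation defect described in the Impact section and the parameterized-query advice above concrete, here is an added PHP illustration of the two patterns. It is hypothetical example code, not ChurchCRM's own implementation; the PDO connection, the table and column names, and the assumed scan-string format are invented for the example.

```php
<?php
// Hypothetical illustration of the defect class described on this page.
// This is NOT ChurchCRM's code. Assumes a PDO connection ($pdo) and an
// example-only table (family_fam) with columns fam_ID, fam_Name and
// fam_scan_string.

// Vulnerable pattern: the request parameter is spliced into the SQL text,
// so a quote or comment sequence in $routeAndAccount changes the statement.
function getMemberByScanStringVulnerable(PDO $pdo, string $routeAndAccount): ?array
{
    $sql = "SELECT fam_ID, fam_Name FROM family_fam "
         . "WHERE fam_scan_string = '" . $routeAndAccount . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: the value is bound as a parameter, so the database never
// parses it as SQL. A format check in front rejects malformed input early.
function getMemberByScanStringSafe(PDO $pdo, string $routeAndAccount): ?array
{
    // Assumption for the example: a scan string is digits with optional dashes.
    if (!preg_match('/^[0-9-]{1,64}$/', $routeAndAccount)) {
        throw new InvalidArgumentException('malformed scan string');
    }
    $stmt = $pdo->prepare(
        'SELECT fam_ID, fam_Name FROM family_fam WHERE fam_scan_string = :scan'
    );
    $stmt->execute([':scan' => $routeAndAccount]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

The second function is the shape the "parameterized queries" recommendation refers to; the allow-list check is an extra layer, not a substitute for binding.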

Generated by OpenCVE AI on April 18, 2026 at 08:50 UTC.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 23:30:00 +0000

Type: Description
  Values removed: (none)
  Values added: ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated into raw SQL. This issue has been fixed in version 7.2.0.

Type: Title
  Values removed: (none)
  Values added: ChurchCRM has Authenticated SQL Injection in `/api/families/byCheckNumber/{scanString}`

Type: Weaknesses
  Values removed: (none)
  Values added: CWE-89

Type: References
  Values removed: (none)
  Values added: (none)

Type: Metrics
  Values removed: (none)
  Values added: cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T22:58:48.528Z

Reserved: 2026-04-13T19:50:42.114Z

Link: CVE-2026-40482

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-18T00:16:39.110

Modified: 2026-04-18T00:16:39.110

Link: CVE-2026-40482

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:00:05Z

Weaknesses