Description
EcclesiaCRM is CRM Software for church management. In 8.0.0 and earlier, the ValidateInput() function's default case in EcclesiaCRM's query view passes user-supplied POST parameters directly into SQL queries via str_replace without any sanitization, enabling SQL injection through query parameters that use non-standard validation types. This is caused by an incomplete fix for CVE-2026-35184.
Published: 2026-05-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from EcclesiaCRM’s ValidateInput() function, where a default case in the query view passes user‑supplied POST parameters directly into SQL statements via a string replacement without any sanitization. This oversight allows an attacker to inject arbitrary SQL code when submitting query parameters that are not subject to standard validation, potentially enabling modification, deletion, or exposure of sensitive church data. The weakness is a classic SQL injection flaw identified as CWE‑89.

Affected Systems

The issue affects EcclesiaCRM version 8.0.0 and all earlier releases by the vendor phili67. The vulnerability exists in the ValidateInput() function that is invoked during query view processing and can be triggered by any POST request to the application’s query endpoint. Users running these affected versions who have not applied a fix are at risk.

Risk and Exploitability

With a CVSS score of 8.7, the flaw represents a high‑severity condition. No EPSS score is available, and the vulnerability is not yet listed in CISA’s KEV catalog, suggesting limited evidence of active exploitation at this time. The attacker would need to craft a malicious POST request targeting the query view, but the lack of input validation enables direct exploitation without additional privileges, making this a relatively straightforward remote attack vector.

Generated by OpenCVE AI on May 13, 2026 at 22:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from the GitHub commit f743b97f89da469a4c70b82bd61d0a59a3a957a9, which sanitizes the affected POST parameters, or upgrade to a newer EcclesiaCRM release that incorporates this change.
  • Remove or disable the default case in ValidateInput() that forwards raw parameters to SQL, replacing it with strict whitelisting and proper escaping of all query inputs.
  • Deploy a web application firewall or security rule set that detects and blocks typical SQL injection payloads targeting the church management system’s query endpoint.

Generated by OpenCVE AI on May 13, 2026 at 22:35 UTC.
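As an added illustration of the second recommended action above (not EcclesiaCRM's code and not the referenced commit): a constructed PHP sketch of the flaw pattern the description names, a validation switch whose default case splices the raw POST value into the SQL text with str_replace, next to a hardened form that closes the set of validation types, rejects anything unknown, and binds the value as a PDO parameter. The function and class names, the 'members' table and the validation type names are all hypothetical; the demo assumes PHP 8 with pdo_sqlite.

```php
<?php
// Added example, not EcclesiaCRM's code. buildQueryUnsafe, QueryParamValidator,
// findMembersByLastName, the 'members' table and the type names are hypothetical;
// only the pattern (default case -> str_replace into SQL) comes from the advisory.
declare(strict_types=1);

// Vulnerable shape: known types are checked, anything else falls through to
// default and is substituted into the SQL template unchanged.
function buildQueryUnsafe(string $sqlTemplate, string $placeholder, string $type, string $value): string
{
    switch ($type) {
        case 'int':
            $clean = (string) (int) $value;
            break;
        case 'date':
            $clean = preg_match('/^\d{4}-\d{2}-\d{2}$/', $value) === 1 ? $value : '';
            break;
        default:
            $clean = $value; // the flaw: no sanitization for an unexpected type
    }
    return str_replace($placeholder, $clean, $sqlTemplate);
}

// Hardened shape: the set of validation types is closed, an unknown type is an
// error rather than a pass-through, and the value never touches the SQL text.
final class QueryParamValidator
{
    private const ALLOWED_TYPES = ['int', 'date', 'text'];

    public static function validate(string $type, string $value): int|string
    {
        if (!in_array($type, self::ALLOWED_TYPES, true)) {
            throw new InvalidArgumentException("unknown validation type: {$type}");
        }
        return match ($type) {
            'int'  => self::validateInt($value),
            'date' => self::validateDate($value),
            'text' => self::validateText($value),
        };
    }

    private static function validateInt(string $value): int
    {
        if (preg_match('/^-?\d{1,10}$/', $value) !== 1) {
            throw new InvalidArgumentException('expected an integer');
        }
        return (int) $value;
    }

    private static function validateDate(string $value): string
    {
        // Round-trip through the formatter so overflowed dates (e.g. day 31 of a
        // 30-day month) are rejected instead of silently normalised.
        $d = DateTimeImmutable::createFromFormat('!Y-m-d', $value);
        if ($d === false || $d->format('Y-m-d') !== $value) {
            throw new InvalidArgumentException('expected a date as YYYY-MM-DD');
        }
        return $value;
    }

    private static function validateText(string $value): string
    {
        // Bounded length and a conservative character set; parameter binding does
        // the SQL protection, this only keeps obviously malformed input out.
        if (strlen($value) > 200 || preg_match('/[^\p{L}\p{N} .,\'-]/u', $value) === 1) {
            throw new InvalidArgumentException('text contains disallowed characters');
        }
        return $value;
    }
}

// Fixed SQL text plus a bound parameter: the value can only ever be data.
function findMembersByLastName(PDO $pdo, string $type, string $value): array
{
    $clean = QueryParamValidator::validate($type, $value);
    $stmt = $pdo->prepare('SELECT id, last_name FROM members WHERE last_name = :v');
    $stmt->bindValue(':v', $clean, is_int($clean) ? PDO::PARAM_INT : PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo on an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, last_name TEXT NOT NULL)');
$pdo->exec("INSERT INTO members (last_name) VALUES ('Smith'), ('Jones')");

// Hardened path: a known type with a well-formed value returns the matching row.
print_r(findMembersByLastName($pdo, 'text', 'Smith'));

// Hardened path: a type the switch does not know is rejected, not passed through.
try {
    findMembersByLastName($pdo, 'custom', 'Smith');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// Unsafe path, for contrast: the same unknown type is accepted and the raw value
// lands inside the SQL text, which is the behaviour the advisory describes.
echo buildQueryUnsafe("SELECT id FROM members WHERE last_name = '@v@'", '@v@', 'custom', 'Smith'), "\n";
```

The point of the hardened form is that there is no default branch to reach: an unrecognised validation type is a request error, and even a value that passes validation is handed to the driver as a bound parameter rather than spliced into the query string, so escaping mistakes in any one type handler cannot turn into SQL injection.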


Advisories

No advisories yet.

History

Thu, 14 May 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 22:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Phili67; Phili67 ecclesiacrm

Type: Vendors & Products
Values Removed: (none)
Values Added: Phili67; Phili67 ecclesiacrm

Wed, 13 May 2026 21:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: EcclesiaCRM is CRM Software for church management. In 8.0.0 and earlier, the ValidateInput() function's default case in EcclesiaCRM's query view passes user-supplied POST parameters directly into SQL queries via str_replace without any sanitization, enabling SQL injection through query parameters that use non-standard validation types. This is caused by an incomplete fix for CVE-2026-35184.

Type: Title
Values Removed: (none)
Values Added: Incomplete fix for CVE-2026-35184: SQL Injection in phili67/ecclesiacrm

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Phili67 Ecclesiacrm
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T13:23:43.151Z

Reserved: 2026-05-06T14:40:00.952Z

Link: CVE-2026-44418

Vulnrichment

Updated: 2026-05-14T13:23:13.446Z

NVD

Status : Deferred

Published: 2026-05-13T21:16:48.913

Modified: 2026-05-14T17:00:31.310

Link: CVE-2026-44418

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T22:45:06Z

Weaknesses