


Perceptive Security
SOC/SIEM Consultancy

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical SQL injection vulnerability exists in src/Reports/FundRaiserStatement.php where…
Published:
6 April 2026 at 22:00:00
Alert date:
7 April 2026 at 17:04:54
Source:
nvd.nist.gov
Web Technologies, Enterprise Applications
ChurchCRM, an open-source church management system, contains a critical SQL injection vulnerability prior to version 7.1.0. The vulnerability exists in src/Reports/FundRaiserStatement.php where the $_SESSION['iCurrentFundraiser'] value is used in an unquoted numeric SQL context without proper integer validation. The issue originates from src/FundRaiserEditor.php where InputUtils::legacyFilterInputArr() is called without the 'int' type specifier. This allows attackers to potentially execute arbitrary SQL commands through the vulnerable session variable. The vulnerability has been fixed in version 7.1.0 of ChurchCRM.
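The pattern the description names, as an added PHP example that is not ChurchCRM's code and does not use InputUtils::legacyFilterInputArr(): a session value dropped unquoted into a numeric SQL context, beside a hardened version that validates the value as an integer at the trust boundary (the equivalent of filtering with the 'int' type) and binds it as a parameter. Table, column and function names are hypothetical, and the demo assumes the pdo_sqlite extension is available.

```php
<?php
// Added example (not ChurchCRM code): the unsafe pattern from the advisory next
// to a hardened version. Table, column and function names are hypothetical.

// The class of bug: a session value interpolated into an unquoted numeric context.
function buildStatementQueryUnsafe(array $session): string
{
    // No integer validation, so whatever string is in the session lands in the SQL text.
    $fundraiserId = $session['iCurrentFundraiser'] ?? '';
    return "SELECT fr_id, fr_title FROM fundraiser WHERE fr_id = " . $fundraiserId;
}

// Hardened: validate as an integer at the trust boundary, fail closed, then bind.
function requireIntFromSession(array $session, string $key): int
{
    $value = $session[$key] ?? null;
    // FILTER_VALIDATE_INT accepts only a well-formed integer (string or int);
    // "12 OR 1=1", "12abc", "" and null all fail validation.
    $validated = filter_var($value, FILTER_VALIDATE_INT);
    if ($validated === false) {
        throw new InvalidArgumentException("Session value '$key' is not an integer");
    }
    return $validated;
}

function fetchStatementRows(PDO $pdo, array $session): array
{
    $fundraiserId = requireIntFromSession($session, 'iCurrentFundraiser');
    $stmt = $pdo->prepare('SELECT fr_id, fr_title FROM fundraiser WHERE fr_id = :id');
    $stmt->bindValue(':id', $fundraiserId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo against an in-memory SQLite database (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE fundraiser (fr_id INTEGER PRIMARY KEY, fr_title TEXT)');
$pdo->exec("INSERT INTO fundraiser VALUES (1, 'Spring Gala'), (2, 'Bake Sale')");

// A well-formed id, then a value that is not an integer and must be rejected.
foreach ([['iCurrentFundraiser' => '2'], ['iCurrentFundraiser' => '2 OR 1=1']] as $session) {
    echo "unsafe SQL text: " . buildStatementQueryUnsafe($session) . PHP_EOL;
    try {
        print_r(fetchStatementRows($pdo, $session));
    } catch (InvalidArgumentException $e) {
        echo "rejected: " . $e->getMessage() . PHP_EOL;
    }
}
```

The first session value returns the single matching row; the second never reaches the database because validation fails before the prepared statement is built.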
Technical details
Mitigation steps:
Affected products:
ChurchCRM
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-35566
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-grq6-q49f-44xh
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
