ChurchCRM is an open-source church management system. Prior to 7.1.0, the NewRole POST parameter in src/MemberRoleChange.php is used in an SQL query without pro…

Published:

6 April 2026 at 22:00:00

Alert date:

7 April 2026 at 17:04:54

Source:

nvd.nist.gov


Web Technologies, Enterprise Applications

ChurchCRM, an open-source church management system, contains a SQL injection vulnerability in versions prior to 7.1.0. The vulnerability exists in the NewRole POST parameter in src/MemberRoleChange.php, where the user-supplied value is used in SQL queries without proper integer validation. Authenticated users with the ManageGroups role can exploit this to inject arbitrary SQL code. The attack requires knowledge of valid GroupID and PersonID values, which can be obtained from the GroupView or PersonView pages. The vulnerability has been patched in version 7.1.0.
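The defect described above is a missing integer check on a POST parameter before it is placed in a query. The following is an added illustration, not ChurchCRM's own code: a hypothetical role-update handler in its vulnerable shape (string interpolation) beside a hardened version that validates the parameter as a positive integer and binds it with a prepared statement. The table and column names, the helper names and the sample inputs are all constructed for the example.

```php
<?php
// Added example, not ChurchCRM's own code: integer validation for a POST
// parameter before it reaches SQL. Table and column names are hypothetical.

// Vulnerable shape: the raw parameter is interpolated into the query text, so
// anything other than a bare number changes the statement's meaning.
function buildRoleUpdateUnsafe(string $newRole, int $groupId, int $personId): string
{
    return "UPDATE group_member_roles SET role_id = $newRole "
         . "WHERE group_id = $groupId AND person_id = $personId";
}

// Hardened validation: accept only a plain positive integer, otherwise null.
// FILTER_VALIDATE_INT rejects trailing text, decimals and empty strings.
function readPositiveInt(array $post, string $name): ?int
{
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return null;
    }
    $value = filter_var($post[$name], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

// Hardened query: validated integers are bound as parameters, never concatenated.
function updateMemberRole(PDO $db, int $groupId, int $personId, int $newRole): int
{
    $stmt = $db->prepare(
        'UPDATE group_member_roles SET role_id = :role WHERE group_id = :gid AND person_id = :pid'
    );
    $stmt->bindValue(':role', $newRole, PDO::PARAM_INT);
    $stmt->bindValue(':gid', $groupId, PDO::PARAM_INT);
    $stmt->bindValue(':pid', $personId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed sample inputs standing in for $_POST['NewRole']; only '3' is accepted.
foreach (['3', '12abc', '3.0', '', '0'] as $raw) {
    $ok = readPositiveInt(['NewRole' => $raw], 'NewRole');
    printf("%-8s -> %s\n", var_export($raw, true), $ok === null ? 'rejected' : "role $ok");
}

// In-memory SQLite stands in for the real database so the update can be exercised.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE group_member_roles (group_id INT, person_id INT, role_id INT)');
$db->exec('INSERT INTO group_member_roles VALUES (1, 42, 1)');
$newRole = readPositiveInt(['NewRole' => '3'], 'NewRole');
if ($newRole !== null) {
    echo updateMemberRole($db, 1, 42, $newRole), " row(s) updated\n";
}
```

The unsafe builder is shown only for contrast and is never executed; the point of the hardened path is that a rejected value never reaches the database at all.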

Affected products:

ChurchCRM

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.