top of page
perceptive_background_267k.jpg

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical SQL injection vulnerability exists in ChurchCRM's PropertyTypeEditor.php where …

Published:

6 april 2026 om 22:00:00

Alert date:

7 april 2026 om 19:08:14

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies, Database & Storage, Enterprise Applications

A critical SQL injection vulnerability exists in ChurchCRM's PropertyTypeEditor.php file prior to version 7.1.0. The vulnerability allows authenticated users with 'Manage Properties' permission to execute arbitrary SQL commands through unsanitized Name and Description POST parameters. Attackers can perform data exfiltration, modification, and deletion operations. The injected data persists in the database and is reflected across multiple application pages without proper output encoding. This vulnerability affects the open-source church management system and has been fixed in version 7.1.0.

Technical details

Mitigation steps:

Affected products:

ChurchCRM

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-39323
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-vmfg-c69g-m8p8

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page