CVE-2026-39317

HIGH CVSS 8.8 View on NVD ↗

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in ChurchCRM's SettingsIndividual.php where user-controlled array keys from the type POST parameter are used directly in SQL queries without sanitization. This allows any authenticated user to extract sensitive data from the database. This vulnerability is fixed in 7.1.0.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-h7hg-f7cw-9xwc
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-h7hg-f7cw-9xwc

Published: Apr 07, 2026 18:16 UTC Modified: Apr 07, 2026 20:16 UTC